There is a new, unusually effective Gmail phishing attack that is being used to steal Gmail login credentials. I expect that before long this technique will be used for other attacks as well, such as against bank sites.

I have long counseled clients to be aware of the URL behind links in emails. Did you know that a link can look like one URL, but when you click on it, take you to an entirely different URL? Generally, if you hover the pointer over a link in an email, it will show you what the *real* URL is. So, if you think you’re going to http://mail.google.com but the link instead shows http://wiquxww7.com, you can be sure that the link is going to get you in trouble.

The challenge with this new exploit is that it makes the URL “look” legitimate, to the extent that even technically savvy users have fallen prey to the technique. In this case, the URL will look something like this in the browser’s location window:


data:text/html,https://accounts.google.com/ServiceLogin?service=mail


But the URL actually extends past the location window. If you scroll to the right… like way to the right… you will eventually see the beginning of something that looks like this:


   <script src=data:text/ht…


And that’s where the trouble begins. That’s actually programming code that will produce a web page that looks just like the Google login page. But guess what? If you try to log in there, it doesn’t log you into Gmail; it steals your password and passes it on to the cybercriminals!

The first clue, though, is the “data:text/html” at the beginning, where it should be “http://” or “https://”.

Another clue is when something seems fishy about the email: it is coming from someone you don’t know, or it’s about a topic you didn’t expect. The “someone you don’t know” test doesn’t apply in this case, because the email may be coming from an address you recognize that has itself already been hacked.

Recommendations: 

  1. Check the validity of emails you receive.  If you weren’t expecting it, it might be a phishing attempt.
  2. Check the URL for any link in any email you receive.  Make sure there’s no “data:text” or “<script ” or other embedded http://-style URLs that don’t look legitimate.
  3. If you do get hacked, change your Gmail password IMMEDIATELY.  In fact, change it regularly anyway, like at least monthly.
  4. Seriously consider configuring 2-step authentication for your Google account.
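A link check of the kind recommendation 2 describes, written as an added example (not code from the original post): it flags a data: scheme, an embedded <script tag, a run of whitespace that pushes the tail of the URL out of the location window, a trusted Google host name that appears in the link without being the host it actually points to, and a hover-check mismatch between the URL shown and the real target. The sample hrefs are constructed, and the list of trusted hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Assumption: the hosts a Gmail login link should actually point at.
TRUSTED_HOSTS = ("accounts.google.com", "mail.google.com")

def link_scheme(href: str) -> str:
    """Scheme as a browser reads it: the token before the first ':' (RFC 3986 form)."""
    m = re.match(r"\s*([a-z][a-z0-9+.-]*):", href, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def real_host(href: str) -> str:
    """Host the link really points to; empty for data:, javascript: or relative links."""
    if link_scheme(href) not in ("http", "https"):
        return ""
    return (urlparse(href.strip()).hostname or "").lower()

def inspect_link(href: str, display_text: str = "") -> list[str]:
    """Return the reasons a link looks like the data:-URI phish (empty list = none)."""
    findings = []
    scheme = link_scheme(href)
    if scheme not in ("http", "https"):
        findings.append(f"scheme is '{scheme or 'none'}', not http/https")
    if re.search(r"<\s*script", href, re.IGNORECASE):
        findings.append("embedded <script tag")
    if re.search(r"\s{8,}", href):
        findings.append("long run of whitespace hiding the tail of the URL")
    host = real_host(href)
    for trusted in TRUSTED_HOSTS:
        if trusted in href.lower() and host != trusted:
            findings.append(f"'{trusted}' appears in the link but the target host is '{host or '(none)'}'")
    # The hover check from the post: the URL shown as link text differs from the target.
    shown = real_host(display_text)
    if shown and host and shown != host:
        findings.append(f"link text shows '{shown}' but target is '{host}'")
    return findings

# Constructed samples modelled on the URLs the post describes (not real campaign data).
SAMPLES = {
    "legit": "https://accounts.google.com/ServiceLogin?service=mail",
    "data_uri_phish": "data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
                      + " " * 40 + "<script src=data:text/html;base64,PLACEHOLDER></script>",
    "lookalike": "http://wiquxww7.com/ServiceLogin",
}

if __name__ == "__main__":
    for name, href in SAMPLES.items():
        print(name, "->", inspect_link(href) or ["no findings"])
```

The lookalike host gets no finding on its own, which is exactly why the hover check (passing the displayed URL as display_text) still matters.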

Be careful out there!  If you aren’t sure about an email, and you’re a Team Veritas client, give us a call.  If you’re not a Team Veritas client, wouldn’t now be a good time to become one?  You can subscribe to our Announce email list at http://www.teamveritas.com/cgi-bin/dada/mail.cgi/list/announce/ to get occasional tips and updates like this one as soon as they’re published.

See more about this hack at Tom Scott’s twitter, the Greggman blog, Y Combinator Hacker News, and one of my best sources Wordfence.