When Gmail isn't what it seems to be
When Gmail isn't what it seems to be

Wordfence researchers spotted a new phishing campaign with a high success rate for compromising accounts targeting Gmail account.

The attacker sends an email to a victim's account that may come from someone you know who had previously had their account hacked in a similar manner, according to a 12 January blog post.

The phishing email may contain something that looks like the image of an attachment you would recognize from the sender. Once a victim clicks on the image instead of a preview of the attachments showing up, a new tab opens prompting them to log into their Gmail account.

At first glance, the URL for the new window contains accounts.google.com but upon further inspection one would notice the URL is a fraud. Once a user has entered their information into the phishing page attackers have access to a user's complete account and have been known to log into accounts immediately after getting the credentials. The technique has also been used to steal credentials from other platforms.

Researchers recommend users check their browser location bar, verify the protocol and hostname, and enable two-factor authentication to avoid compromise. Users can check their Gmail login history by clicking the “Details” button at the bottom right hand corner of their account pages, but researchers warned that there is no sure way to know and that users should change their passwords if they suspect compromise.

Some researchers said Google can help protect users from these kind of attacks is by making two factor authentication mandatory

“Two factor authentication is the cyber safety-belt that will thwart the vast majority of hacks that target users and their bad habits, such as clicking on suspect links or using the same password across multiple applications,” Corey Williams, senior director of products and marketing at Centrify, told SC Media.

“The sooner we all wake up to that fact, the sooner these hack headlines will subside. At some point, app providers such as Google should mandate the use of two factor authentication whenever it is technically possible.”

Christian Lees, chief information security officer at InfoArmor, agreed on a similar approach and told SC that threat actors have extreme creativity and time in their favour when it comes to the never-ending campaigns available to compromise user accounts.

“Applying several layers of security – much like enterprise organisations commonly use today – is not difficult to achieve,” Lees said.

“This level of sophisticated phishing attack has the potential to fool even the savviest of users,” Robert Capps, vice president of Business Development at NuData Security, told SC. “It's a sad reality that users must maintain their vigilance online by assuming we're all working and playing in a hostile environment."

Bryan Burns, vice president of Threat Research at Proofpoint said there's nothing new about Gmail/gdocs phishing, which is also prevalent in Office 365, Dropbox and Drive.

“This attack suggests attackers are finding it easier to trick people than machines,” said Burns. “Based on the prevalence of macro-based downloaders for large-scale campaigns (like those used to deliver Locky ransomware), and the increase in business email compromise-type attacks, it seems likely that credential phishing will continue to be a dominant threat vector.”

SC Media attempted to reach Google for comment but have yet to receive a response.