Gmail phishing scam

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Jan 19, 2017.

  1. The Scarlet Pimp (Senior Member; joined Apr 2, 2008; 884 messages; 3,324 likes; occupation: Chair moistener; location: Cyberspace)

    Heads up, Gmail users: a new phishing attack is making the rounds and it's fooling even technically-savvy, security-conscious users.

    The ruse aims to steal usernames and passwords for Gmail and other services, and "is being used right now with a high success rate," according to Mark Maunder, CEO of WordPress security plugin Wordfence, who described the campaign in detail. Like other phishing attacks, this one starts with an email. Instead of a random person, the email may appear to have been sent by someone you know, and it may include an image of an attachment you recognize from the sender.

    "You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there," Maunder wrote.

    Once you sign in, the attackers have full access to your account.

    Google did not immediately respond to PCMag's request for comment, but told Maunder it is aware of the issue and is working to improve its defenses against it.

    "We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection," Aaron Stein from Google Communications told Maunder.

    Once the attacker gains access to your account, they immediately log in and find one of your actual attachments, plus one of your actual subject lines, and send it to people on your contact list to further the scam and compromise more accounts. Maunder said the attackers have either automated the scheme, or they have "a team standing by to process accounts as they are compromised."

    "Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot," he warned. "Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism."

    Maunder said some have claimed the attack can even bypass two-factor authentication, though he has not been able to confirm this claim. As Google notes in its statement, it's still a good idea to have two-factor authentication enabled, as it makes your account much harder to crack.

    To protect yourself against this attack, Maunder said you will need to pay close attention to your browser's location bar when you're signing into Gmail. The location bar should read "https://accounts.google.com…." and if you see this and only this, you should be good to go. In this attack, the address in the location bar will include "data:text/html," before the usual "https://accounts.google.com….".

    Maunder noted that "there is no sure way to check if your account has been compromised" by this attack. If you think you might have fallen victim, change your password right away. In Gmail, you can check your login activity to see if someone else has logged into your account:

    http://www.foxnews.com/tech/2017/01/18/dont-fall-for-this-sophisticated-gmail-phishing-scam.html
  2. umerjutt00 (Jr. VIP; joined Oct 28, 2011; 3,908 messages; 2,168 likes; occupation: Ninja)

    How come "accounts.google.com" is present in the address bar when it's a domain controlled by the phishing guy? I think it would be more like a sub-domain, like accounts.google.com.something.com.

    Right?
  3. mynameisfrankenstein (Regular Member; joined Apr 2, 2015; 431 messages; 346 likes; gender: male; location: BC, Canada)

    Made a thread about this a few days ago. Really clever stuff.
  4. Jared255 (Jr. Executive VIP, Jr. VIP, Premium Member; joined May 10, 2009; 2,005 messages; 1,912 likes; location: Boston, MA)

    There was a comment in the last thread: the "data/text" part says to pull data from the URL bar, then after accounts.google.com there are a bunch of spaces, then some stuff that tells it to ignore that part of the address bar. You can't see what's after the spaces unless you have a large monitor, which is what it pulls from. I think. Definitely clever. I have seen about 10 "wow watch out for this epic phishing scam" threads here and this was the only one that I was impressed by.
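The two things the article in the first post and Jared255's post describe, the `data:text/html,` prefix in front of the decoy `https://accounts.google.com` text and the run of spaces that pushes the real markup out of the visible part of the bar, can be checked mechanically. The script below is an added example, not code from this thread, from the article, or from the campaign it describes: it takes the string a browser would show in its location bar (`window.location.href` in a real page) and classifies it, handling the data: URI case, the `accounts.google.com.something.com` lookalike umerjutt00 asks about, and plain http. The sample phishing string, the `example.invalid` script source, the `ADDRESS_BAR_COLUMNS` width and the `TRUSTED_LOGIN_HOSTS` list are all assumptions made for the example.

```javascript
// Added example, not code from this thread or from the article it quotes.
// It reads a location-bar string the way a careful user should, and flags
// the data: URI trick described above: the browser renders the data: payload
// itself, so the "https://accounts.google.com" text is only decoy content
// inside the address, followed by padding that hides the real markup.

const TRUSTED_LOGIN_HOSTS = ['accounts.google.com'];
// Assumption: roughly how many characters an address bar shows before clipping.
const ADDRESS_BAR_COLUMNS = 80;

// Split a data: URI (data:[<mediatype>][;base64],<payload>) into its parts.
// Returns null for anything that is not a data: URI.
function parseDataUri(href) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(href);
  if (!m) return null;
  const isBase64 = /;base64$/i.test(m[1]);
  const mediaType = (m[1].replace(/;base64$/i, '') || 'text/plain').toLowerCase();
  let payload = m[2];
  try {
    payload = isBase64
      ? Buffer.from(payload, 'base64').toString('utf8')
      : decodeURIComponent(payload);
  } catch (e) {
    // malformed percent-encoding: inspect the raw payload instead
  }
  return { mediaType, isBase64, payload };
}

// Classify what the location bar shows for a page that asks for Google credentials.
// Returns { verdict: 'ok' | 'suspicious' | 'phishing' | 'unparseable', reasons: [...] }.
function inspectLoginLocation(href) {
  const reasons = [];
  const data = parseDataUri(href);

  if (data) {
    reasons.push('scheme is data:, the page is built from the address itself and has no server origin');
    // Decoy: payload text that looks like a trusted URL but is just the first bytes of the page.
    const decoy = /^\s*https?:\/\/([a-z0-9.-]+)/i.exec(data.payload);
    if (decoy && TRUSTED_LOGIN_HOSTS.includes(decoy[1].toLowerCase())) {
      reasons.push('payload opens with decoy text "' + decoy[0].trim() + '"');
    }
    // Markup that actually renders the fake login page.
    const markup = /<\s*(script|iframe|form|html|body)\b/i.exec(data.payload);
    if (markup) {
      const column = href.search(/<|%3C/i);
      reasons.push('HTML markup begins at column ' + column +
        (column > ADDRESS_BAR_COLUMNS ? ', past what a typical address bar displays' : ''));
    }
    // Padding that scrolls the markup out of view (literal spaces or %20 runs).
    const pad = /(?: |%20){20,}/.exec(href);
    if (pad) reasons.push(pad[0].length + '-character whitespace run hides the rest of the address');
    return { verdict: decoy || markup ? 'phishing' : 'suspicious', reasons };
  }

  let url;
  try { url = new URL(href); } catch (e) {
    return { verdict: 'unparseable', reasons: ['not a valid URL'] };
  }
  const host = url.hostname.toLowerCase();
  const exact = TRUSTED_LOGIN_HOSTS.includes(host);
  // accounts.google.com.something.com contains the trusted name but is a different domain.
  const lookalike = !exact && TRUSTED_LOGIN_HOSTS.some(t => host.includes(t));
  if (url.protocol !== 'https:') reasons.push('scheme is ' + url.protocol + ' rather than https:');
  if (lookalike) reasons.push('host ' + host + ' only contains a trusted name; the registrable domain differs');
  else if (!exact) reasons.push('host ' + host + ' is not a known Google login host');
  if (reasons.length === 0) return { verdict: 'ok', reasons: ['https and exact host match'] };
  return { verdict: 'suspicious', reasons };
}

// Constructed sample in the shape the thread describes (not the campaign's real payload):
// decoy URL text, a long run of spaces, then the markup that renders the fake sign-in page.
const SAMPLE_PHISH =
  'data:text/html,https://accounts.google.com/ServiceLogin?service=mail' +
  ' '.repeat(200) +
  '<script src="https://example.invalid/fake-login.js"></script>';

// In a browser the string to check is window.location.href; here we use fixed inputs.
for (const href of [SAMPLE_PHISH,
                    'https://accounts.google.com/ServiceLogin',
                    'https://accounts.google.com.something.com/login']) {
  const r = inspectLoginLocation(href);
  console.log(r.verdict.toUpperCase(), href.slice(0, ADDRESS_BAR_COLUMNS), r.reasons);
}
```

The point of the `column` reason is the one Jared255 makes: on the sample the first `<` sits well past column 80, so a normal-width bar shows only `data:text/html,https://accounts.google.com/ServiceLogin?service=mail` followed by blank space, and the eye reads the trusted host name and stops. The scheme check comes first for the same reason: whatever follows `data:` is page content, not a server the browser connected to.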
  5. JV1999 (Power Member; joined Sep 4, 2016; 669 messages; 186 likes; gender: male)

    I'm with everyone else LOL I'm like so impressed and scared at the same time! I'm one of those people who rolls his eyes and sighs loudly in annoyance when I hear about people falling for phishing scams. I always scream in my head, "HOW HARD IS IT TO UNDERSTAND NEVER TO GIVE YOUR PASSWORD TO ANYONE?"

    And then I read this. Dude, I WOULD HAVE TOTALLY fallen for this (if not so already?). I remember countless times Gmail asked me to log in again when I tried to open something -- it's happened in the past. I'm now wondering if maybe I had fallen for a phishing scam like this.

    But this thing is like flawless. You're trying to view the attachment, so you click on it, and it opens a new tab / window with a flawless gmail login... like I wouldn't have seen anything wrong with that at all. I wouldn't have even looked at the address bar tbh. I would've written it off as Google being annoying with its authentication procedures.

    But if I HAD looked at the address bar, HOW COULD I NOT fall for it? It says data:text/html: http://accounts.google

    I would have written that off as some code jargon in google's server.

    Flawless phishing scam. Tbh, the hackers should not have exploited shit. They should have just let it take its course until they gathered a massive billion accounts or something wild like that, then in one fell swoop, on one very deadly night, they go to town. It's like a million dollar job...

    But I guess they got greedy and took advantage way too early. Now they only get thousands instead of millions.