Hackers have launched a new phishing attack that is tricking even tech-savvy users. Here is what you need to know in order to protect yourself.

The attack works like this: Hackers who have breached someone's email account look through the emails in it for correspondence containing attachments. They then send emails from the compromised account -- impersonating the account's owner -- with each email leveraging similarities to prior correspondence, so as to make the new messages seem legitimate and familiar. For example, the phishing emails may use a subject line that was used in the past.

The hackers embed an image of an attachment used in the past into each phishing email, but configure the image to open not the attachment but, rather, a phishing page that looks like a Google login. Because the user is opening a Gmail attachment, the presentation of a phony Gmail login page does not seem alarming -- especially when the person opening the attachment feels that he or she has been viewing a "safe and familiar" correspondence. Of course, once the new victim enters credentials into the phony Google login page the criminals utilize them to access their victim's account. The attack has likely been going on for about a year with increasing intensity.

How can you stay safe?

  1. Always think twice before entering login credentials -- ask yourself why you are being asked for them. If you are already reading Gmail, why all of a sudden are you being asked for your Gmail credentials?
  2. Do not log in to sites via log-in pages generated by clicking links. For any site on which you will enter sensitive information, always reach it by entering its URL into the Web browser.
  3. To get the attachment to open a phony Google login page, hackers use a data:text URL -- beginning something like "data:text/html,https://accounts.google.com/." While that may appear to be related to Google, any URL that starts data:text is not a link to a website but rather content to be displayed locally. Never enter passwords or other sensitive information into any webpage with a data:text URL.
  4. Enable multi-factor authentication. If somehow you fall prey to a Gmail phsihing attack and give criminals your log-in name and password, multi-factor authentication will continue to protect your account. Without access to your phone, for example, criminals would be unlikely to be able to access your email even if they know your password.
  5. Businesses worried about similar types of attacks should consider deploying anti-phishing technology. Green Armor's Identity Cues (which I co-invented), for example, helps ensure that a real log-in page looks different for every user and can only be generated by legitimate Web servers. Technology of that sort would make it obvious to users -- consciously or subconsciously -- that the bogus log-in page is illegitimate.
  6. Do not rely on warnings by Web browsers: The red warning used on insecure web pages, the certificate warnings used for invalid certificates, and the "unsafe site" message may not appear for data:text URLs. (Web browser companies should change this -- any data URL should display a warning.)

What do others in the information security industry have to say about the Gmail scam?

John Gunn, VP of communications, VASCO Data Security

"As attack methods become more sophisticated -- as this attack demonstrates -- defenses must keep pace or the number of victims will continue to grow. Passwords are 30-year old technology and they merely provide a false sense of security with no real protection. 2017 must be the year that the industry replaces passwords with multi-factor authentication."

Christian Lees, CISO, InfoArmor

"Threat actors have extreme creativity and time in their favor when it comes to the never-ending campaigns available to compromise user accounts. Applying several layers of security -- much like enterprise organizations commonly use today -- is not difficult to achieve. It requires: 1) Utilizing modern identity theft monitoring programs that enable users to monitor for breached credentials that likely offer threat actors passage into the compromised account, allowing them to quickly change credentials; and 2) Enabling two-factor authentication to detour the threat actor's access into the compromised account. This step additionally safeguards unsuspecting victims that may spawn from the compromised account."

Balázs Scheidler, co-founder and CTO, Balabit

"Phishing techniques are improving and can be so elaborate that they can scam even tech-savvy people such as privileged users, who have access to sensitive corporate assets. Should such an account be compromised, attackers can cause a lot of damage. Clearly, holding the credential for an account may not be enough to ensure that the logged-in user is indeed the legitimate user. The actual user's behavior is the one thing that helps security professionals discover misused accounts by automatically spotting behavioral differences between an intruder and a legitimate user's baseline. Behavior analytics can identify exactly those cases where malicious actors use stolen credentials, and can prevent resulting data breaches."

Bert Rankin, CMO, Lastline

"Unfortunately, constantly evolving and improving phishing attacks are now a way of online life for all of us. For those enterprise IT administrators with the mission of protecting the organization, educating employees is not enough. It can sometimes take just one accidental, well-meaning click on a malicious email to inflict irreversible damage to the whole organization. In addition to employee education and awareness about how phishing attacks work and how to identify a suspicious email, it is an imperative that IT put filtering mechanisms in place that use technology -- not people -- to sort, test and eliminate such malicious emails before they even have a chance to test the eyes of the employees."

Jeff Hill, director of product management, Prevalent

"Today's disturbing reality is that there is no effective defense for a well-conceived phishing attack. Reliance on email communication, the sheer volume of it, and the frenetic pace of life combine to create a superbly fertile environment for cyber attackers to exploit. The challenge is to detect the intrusion quickly after the inevitably successful phishing attack, shut it down, and make it very difficult for bad actors to access sensitive information in the interim even if they gain access the network."

Published on: Jan 18, 2017