Hackers have launched a new phishing attack that is tricking even tech-savvy users. Here is what you need to know in order to protect yourself.
The attack works like this: Hackers who have breached someone's email account look through the emails in it for correspondence containing attachments. They then send emails from the compromised account -- impersonating the account's owner -- with each email leveraging similarities to prior correspondence, so as to make the new messages seem legitimate and familiar. For example, the phishing emails may use a subject line that was used in the past.
The hackers embed an image of an attachment used in the past into each phishing email, but configure the image to open not the attachment but, rather, a phishing page that looks like a Google login. Because the user believes he or she is opening a Gmail attachment, the appearance of a phony Gmail login page does not seem alarming -- especially when the person opening the attachment feels that he or she has been viewing a "safe and familiar" correspondence. Of course, once the new victim enters credentials into the phony Google login page, the criminals use them to access that victim's account and repeat the cycle. The attack has likely been going on for about a year with increasing intensity.
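The one thing the phony login page cannot fake is the address bar, so the practical check is to look at the URL before typing a Google password. The script below is an added example written for this article, not code from the article or from Google; it classifies the URL shown when a "Google sign-in" page appears and flags the patterns a cloned login page tends to have (a non-https scheme, a host that merely contains the real login host, credentials smuggled into the URL, non-ASCII lookalike hosts). The allow-list holding only accounts.google.com is an assumption chosen to keep the check strict, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list: the only host that may legitimately show a Google sign-in form.
# Deliberately strict; extend it if your environment federates logins elsewhere.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def check_login_page_url(url: str) -> dict:
    """Classify the URL in the address bar of a page that looks like a Google login.

    Returns {"verdict": "ok" | "suspicious", "reason": <text>}.
    """
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()

    # A real sign-in page is always served over https; anything else (http, data,
    # javascript, file, or no scheme at all) is a red flag.
    if scheme != "https":
        return {"verdict": "suspicious",
                "reason": f"login page uses '{scheme or 'no'}' scheme instead of https"}

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return {"verdict": "suspicious", "reason": "no host in URL"}

    # Internationalised lookalike domains swap Latin letters for similar glyphs.
    if any(ord(ch) > 127 for ch in host):
        return {"verdict": "suspicious", "reason": "non-ASCII characters in host"}

    if host in TRUSTED_LOGIN_HOSTS:
        return {"verdict": "ok", "reason": "trusted login host"}

    lowered = url.lower()
    for trusted in TRUSTED_LOGIN_HOSTS:
        # e.g. accounts.google.com.example.net: the real name is only a prefix label.
        if trusted in host:
            return {"verdict": "suspicious",
                    "reason": f"host '{host}' contains '{trusted}' but is not it"}
        # e.g. https://accounts.google.com@example.net/: real name hidden in userinfo.
        if trusted in lowered:
            return {"verdict": "suspicious",
                    "reason": f"'{trusted}' appears in the URL but the host is '{host}'"}

    return {"verdict": "suspicious", "reason": f"host '{host}' is not an allowed login host"}


def triage_urls(urls):
    """Apply the check to a batch of URLs and return [(url, verdict, reason), ...]."""
    results = []
    for u in urls:
        r = check_login_page_url(u)
        results.append((u, r["verdict"], r["reason"]))
    return results


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    samples = [
        "https://accounts.google.com/signin/v2/identifier",
        "http://accounts.google.com/",
        "data:text/html,%3Chtml%3E",
        "https://accounts.google.com.example.net/login",
        "https://accounts.google.com@example.net/",
        "https://login.example.org/google",
    ]
    for url, verdict, reason in triage_urls(samples):
        print(f"{verdict:10s} {url}  ({reason})")
```

In use, the verdict for every sample but the first is "suspicious", which is the point: a page that asks for a Google password from anywhere other than the expected https origin should be closed, and the account owner should be told that their mailbox may already be sending these messages.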
How can you stay safe?
What do others in the information security industry have to say about the Gmail scam?
John Gunn, VP of communications, VASCO Data Security
"As attack methods become more sophisticated -- as this attack demonstrates -- defenses must keep pace or the number of victims will continue to grow. Passwords are 30-year-old technology and they merely provide a false sense of security with no real protection. 2017 must be the year that the industry replaces passwords with multi-factor authentication."
Christian Lees, CISO, InfoArmor
"Threat actors have extreme creativity and time in their favor when it comes to the never-ending campaigns available to compromise user accounts. Applying several layers of security -- much like enterprise organizations commonly use today -- is not difficult to achieve. It requires: 1) Utilizing modern identity theft monitoring programs that enable users to monitor for breached credentials that likely offer threat actors passage into the compromised account, allowing them to quickly change credentials; and 2) Enabling two-factor authentication to detour the threat actor's access into the compromised account. This step additionally safeguards unsuspecting victims that may spawn from the compromised account."
Balázs Scheidler, co-founder and CTO, Balabit
"Phishing techniques are improving and can be so elaborate that they can scam even tech-savvy people such as privileged users, who have access to sensitive corporate assets. Should such an account be compromised, attackers can cause a lot of damage. Clearly, holding the credential for an account may not be enough to ensure that the logged-in user is indeed the legitimate user. The actual user's behavior is the one thing that helps security professionals discover misused accounts by automatically spotting behavioral differences between an intruder and a legitimate user's baseline. Behavior analytics can identify exactly those cases where malicious actors use stolen credentials, and can prevent resulting data breaches."
Bert Rankin, CMO, Lastline
"Unfortunately, constantly evolving and improving phishing attacks are now a way of online life for all of us. For those enterprise IT administrators with the mission of protecting the organization, educating employees is not enough. It can sometimes take just one accidental, well-meaning click on a malicious email to inflict irreversible damage to the whole organization. In addition to employee education and awareness about how phishing attacks work and how to identify a suspicious email, it is an imperative that IT put filtering mechanisms in place that use technology -- not people -- to sort, test and eliminate such malicious emails before they even have a chance to test the eyes of the employees."
Jeff Hill, director of product management, Prevalent
"Today's disturbing reality is that there is no effective defense for a well-conceived phishing attack. Reliance on email communication, the sheer volume of it, and the frenetic pace of life combine to create a superbly fertile environment for cyber attackers to exploit. The challenge is to detect the intrusion quickly after the inevitably successful phishing attack, shut it down, and make it very difficult for bad actors to access sensitive information in the interim even if they gain access to the network."