Gmail users face an account phishing technique so simple that even highly experienced users are fooled by it. Mark Maunder, CEO of the WordPress security plugin Wordfence, says that, as is common with phishing, the scenario begins with a user receiving an email that appears to contain an attachment. From there, this scheme takes a different turn from ordinary phishing, because even sophisticated Gmail users who would not normally fall for one are being compromised.
What makes this phishing so effective is that the email often comes from someone the user knows whose Gmail account has already been compromised, so the message looks benign. Worse, what the message carries looks like a legitimate attachment from that sender. When the user clicks on it expecting a preview, a second tab opens that, at first glance, looks like the normal Gmail sign-in page and asks the user to log back into Gmail to view the attachment.
The second tab looks exactly like the Google account login page. As soon as the user completes the sign-in in that tab, the attackers have the user's credentials and the takeover begins. Maunder quotes a Hacker News commenter for a telling example.
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
“For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
What isn’t known is how the takeovers are carried out so quickly. Maunder speculates that as soon as a user signs in on the fake tab, either a team is standing by to act on the stolen credentials or the process is automated. Either way, the compromise begins almost immediately, and the account is used to send the same kind of email to the user's contacts.
Most savvy Gmail users already know to check their browser's address bar to make sure the address is correct. Unfortunately, the attackers in this case made the address bar appear to show the Google accounts sign-in address: according to Maunder's write-up, the fake page's location starts with a "data:text/html," prefix that embeds the entire spoofed page, and the text "https://accounts.google.com" only appears after that prefix, so the browser is not actually connected to Google at all. There is still a reliable way to tell. Maunder explains that the key lies in exactly what users see in the address bar.
“Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.”
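The check Maunder describes can be applied mechanically. The following is an added example, not code from the Wordfence write-up or this article: it parses an address-bar string with the WHATWG URL parser (the same parser browsers and Node.js use) and accepts it only if the scheme is https and the host is exactly accounts.google.com. The sample strings are constructed for illustration; the "attacker.example" and "accounts-google.com" hosts are hypothetical, and the "data:" sample follows the shape of the real phishing URL with a shortened payload.

```javascript
// Added example (not from the Wordfence write-up or the article).
// Run with: node check_signin_url.js

const GOOGLE_SIGNIN_HOST = "accounts.google.com";

// Classify the text shown in the address bar. Returns { ok, reason }.
function checkSignInUrl(addressBarText) {
  let url;
  try {
    url = new URL(addressBarText.trim());
  } catch (err) {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    // data:, http:, javascript: and friends all fail here, even when the
    // text "https://accounts.google.com" appears somewhere after the scheme.
    return { ok: false, reason: "scheme is " + url.protocol + ", not https:" };
  }
  if (url.hostname !== GOOGLE_SIGNIN_HOST) {
    // Catches look-alike hosts (accounts.google.com.attacker.example) and the
    // userinfo trick (https://accounts.google.com@attacker.example/), where the
    // parser assigns "accounts.google.com" to the username, not the host.
    const host = url.hostname || "(none)";
    return { ok: false, reason: "host is " + host + ", not " + GOOGLE_SIGNIN_HOST };
  }
  return { ok: true, reason: "https and host " + GOOGLE_SIGNIN_HOST };
}

// Constructed sample address-bar strings; attacker hosts are hypothetical.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "https://ACCOUNTS.GOOGLE.COM/ServiceLogin",
  // Same shape as the real phishing URL: a data: URL whose body merely
  // *contains* the Google address (payload shortened here).
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com@attacker.example/ServiceLogin",
  "https://accounts.google.com.attacker.example/ServiceLogin",
  "https://accounts-google.com/ServiceLogin",
];

// Run every sample; returns an object mapping each string to its ok flag.
function classifyAll(samples) {
  const out = {};
  for (const s of samples) out[s] = checkSignInUrl(s).ok;
  return out;
}

// Print a short report for the reader.
function printReport(samples) {
  for (const s of samples) {
    const r = checkSignInUrl(s);
    console.log((r.ok ? "OK   " : "FAKE ") + r.reason + "  <-  " + s);
  }
}

printReport(SAMPLES);
```

Only the first two samples pass: the host comparison is case-insensitive because the parser lowercases it, while every other string fails either the scheme check or the exact-host check. The point for a user is the same as Maunder's: the scheme must be https and nothing may sit between it and the hostname.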
Maunder also strongly recommends enabling two-step verification, which Gmail users can set up from their Google account settings page. With two-step verification turned on, a stolen password alone is not enough for an attacker to sign in and start phishing the user's contacts. Google has said it cannot simply filter out the attackers' pages as a way to mitigate this kind of attack, as the attackers could immediately come up with “hundreds” of workarounds to defeat any filter.
For now, Gmail users are urged to check the address of any page that opens after clicking an attachment before typing a password. Enabling two-step verification is also recommended. It will not stop the fake page from capturing a password, and an attacker acting in real time can also relay a one-time code typed into that page, but it makes it considerably harder to take over the account with a password alone.
[Featured Image by Matt Cardy/Getty Images]