A Gmail phishing scam has been discovered that’s so realistic it’s even fooling people who would normally pride themselves on being security-savvy.
Discovered by a researcher at WordFence this particularly nasty scam looks real right up until the last minute making it incredibly hard to detect.
In this instance the scam tricks users into handing over their Gmail login details. Of course it’s not just your Gmail login details because once the criminal has the password they can access any of your Google services including Drive, Android Pay, YouTube and more.
So how does it work?
You will receive an email from a colleague or friend that contains a tailored subject line that makes sense to you.
There will be an attachment at the bottom that looks like either .pdf file or perhaps a document that you’re likely to open.
If you click on it, rather than opening the document it’ll lead to a Google account login page, except it isn’t a Google login page at all.
As you can see from the image above the deception is incredibly realistic, in fact even if you looked at the website address for the page you would see what appears to be a genuine Google URL.
As you can see from the URL there are some important pieces missing, and to be honest you would only know that if you knew what you were looking for.
For starters there’s no ‘https’, the signifier that the web page you’re on is secure and verified.
Secondly if you look to the very far right of the URL there is in fact a long line of code.
So what happens next? Well if you were unfortunate enough to enter your login details then we’ve got some bad news, they’re now in the hands of a hacker.
As one commenter on Hacker News points out, this is professional stuff.
“It’s the most sophisticated attack I’ve seen. The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.”
How can you protect yourself?
To be quite honest there is no way for a conventional virus checker to stop you from falling for this.
The only way to defend yourself is to be vigilant, if a friend or colleague sends you an attachment check it thoroughly before clicking on it. If you do click on it immediately check the web address and verify that it has taken you to a place that you expected to go to.
The only web address you should be seeing if you click on a Google or Gmail login link is this:
Google are apparently aware of the phishing scam and issued an official statement to WordFence containing the following:
“We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”
Best Password Managers:
