January 25th, 2017
What's the issue?
Reports of a very sophisticated phishing attack on Gmail accounts have surfaced. According to WordFence, the maker of a WordPress security plugin, which uncovered the issue, even the most technical people have been duped by this attack. The scheme is well thought out and produced with great attention to detail, and the quality of the attack tools, the "tradecraft" as it is called in security circles, is exceptional.
How does it work?
First the cyber criminals access an already compromised email account to find their next victim and to collect information they can use in the attack. They read the emails exchanged between the compromised account and one of its contacts, looking for a topic of conversation and attachments from which to build their phishing email. The recipient of that phishing email has little reason to suspect it: it comes from a familiar contact, concerns a familiar topic and carries an attachment they may already have seen. However, the attachment is not real; it is only an image of an attachment, so when the victim clicks to open it, a Gmail login page opens instead and asks them to sign in again. This login page is a fake, crafted by the hackers to be indistinguishable from the real one, including the URL. Experts have found that the end of the URL carries a script that redirects the victim to the fake page, so when they enter their credentials to sign in they are sending their password directly to the hackers.
Phishing attacks have been around long enough for us to know that you should always verify that the sender and the links you are clicking are real. These hackers have worked around the finest details and clues that even the most security-conscious and well-trained people look for when they suspect an attack. They are pulling out all the stops and paying extra attention to detail to fool users into handing over their Gmail account password, to exploit financially whatever is in the mailbox and then to attack the victim's contact list.
What should I do?
By covering their tracks with information familiar to the victim and setting up a convincing trap, the hackers have made it very difficult for anybody to avoid being duped. The only way you can ensure that hackers won't get access to your account is by setting up two-factor authentication or using a password manager. With two-factor authentication, signing in requires both a password and a verification code, usually sent to your phone, so even if the hackers get hold of your password they cannot get in without the verification code. Another option is to use a password manager with a biometric fingerprint reader. With a feature like Single Sign-On, your credentials are entered only if the login page is exactly the one you have registered, which prevents phishing with a fake login page even when its anomalies are hard to detect. If you suspect your account has been hacked, change your password immediately.
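As an added example (not code from the original post or from any product it mentions), here is the kind of exact-origin check a password manager or an awareness tool can make that a human eye cannot. It assumes the Gmail credential is registered against one https origin, and it models the lookalike address as a data: URI carrying the real Google address as text (an assumption; the post only says the fake URL ended in a script), with a placeholder where that script would sit.

```python
"""Origin-gated autofill and a location-string check, assuming a password
manager that stores each credential against one exact https origin."""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample vault: the Gmail credential is bound to one origin.
VAULT = {"gmail": "https://accounts.google.com"}

# Constructed sample of what the address bar might carry: the real Google
# address appears only as text inside a data: URI (an assumption), padded so
# the tail scrolls out of view.  The script body is a placeholder.
SPOOFED = ("data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
           + " " * 120 + "<script>/* placeholder */</script>")
GENUINE = "https://accounts.google.com/ServiceLogin?service=mail"

def page_origin(location: str) -> Optional[str]:
    """scheme://host[:port] for an http(s) location, else None.
    data:, javascript: and blob: locations have no origin a vault can trust."""
    try:
        parts = urlsplit(location.strip())
        port = parts.port
    except ValueError:  # malformed port or host
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname.lower()}" + (f":{port}" if port else "")

def should_autofill(credential: str, location: str) -> bool:
    """Fill only when the page's real origin equals the registered one."""
    origin = page_origin(location)
    return origin is not None and origin == VAULT[credential]

def spoof_findings(location: str, expected_host: str = "accounts.google.com") -> List[str]:
    """Heuristics a gateway or awareness tool can apply to a location string."""
    findings = []
    parts = urlsplit(location.strip())
    if parts.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {parts.scheme}:")
    if expected_host in location and (parts.hostname or "").lower() != expected_host:
        findings.append("expected host appears as text but is not the real host")
    if "<script" in location.lower():
        findings.append("script embedded in location")
    if re.search(r"\s{20,}", location):
        findings.append("long whitespace run hides the tail of the location")
    return findings

if __name__ == "__main__":
    for name, loc in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, should_autofill("gmail", loc), spoof_findings(loc))
```

The genuine address yields the registered origin and no findings; the spoofed one has no web origin at all, so the vault refuses to fill regardless of how convincing the page looks.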
WordFence - Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited
For more information:
TechCrunch - Gmail Now Has More Than 1B Monthly Active Users
NPC Power Feature - Secure Single Sign-On