A new phishing scam is tricking even the savviest Gmail users into giving up their account credentials. Here are the details:
Phishers start with a compromised Gmail account. They skim through recent emails targeting one with an attachment. Once they find an email that fits their criteria, they create a screenshot and include it in a reply email to the sender.
The original sender receives the reply with the same subject line, thinking it’s a normal response. The sender clicks on the image, expecting to get a preview of the attachment.
However, instead of a preview, a new tab opens and the user is prompted to sign into their Gmail account again on the new webpage. This fake page is a well-designed replica of Gmail’s login page.
To make the page hard to identify as phishing, attackers include the text accounts.google.com in the URL, which makes users think it’s a legitimate Google page. But looking closely at the address bar shows that before the ‘https’ there is a text string, ‘data:text/html…’, which opens the fake, but functional, Gmail login page: the browser is rendering inline HTML, not a page served from Google.
If an attack is successful, and a victim enters their login credentials, attackers sign into the account and start the process over again with the new account and new contacts.
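A check a defender might build into a browser extension or an awareness tool, added here as an example (not code from the original article): it parses the address-bar string and flags the data:text/html trick described above, where accounts.google.com appears as text inside the URI rather than as the page's real origin. The sample addresses are constructed, and TRUSTED_LOGIN_HOSTS and classifyAddress are names assumed for this example.

```javascript
// Added example (not from the original article): classify what a user sees in
// the address bar and flag the data:text/html trick, where a trusted host name
// is decoy text inside the URI rather than the page's real origin.
// TRUSTED_LOGIN_HOSTS and classifyAddress are names assumed for this example.
const TRUSTED_LOGIN_HOSTS = ["accounts.google.com"];

function classifyAddress(address) {
  let url;
  try {
    url = new URL(address.trim());
  } catch {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"

  if (scheme === "data") {
    // A data: URI has no host, so nothing in it can be a Google origin. Decode
    // percent-escapes so an encoded decoy host name is still spotted.
    let payload = address;
    try { payload = decodeURIComponent(address); } catch { /* keep raw text */ }
    const decoy = TRUSTED_LOGIN_HOSTS.find((h) => payload.includes(h));
    return {
      verdict: "phishing-suspect",
      mime: url.pathname.split(",")[0],
      reason: decoy
        ? `data: URI has no origin; "${decoy}" is only decoy text in the payload`
        : "data: URI renders inline HTML and cannot be a real login page",
    };
  }

  if (scheme !== "https") {
    return { verdict: "suspect", reason: `scheme is ${scheme}, not https` };
  }
  if (TRUSTED_LOGIN_HOSTS.includes(url.hostname)) {
    return { verdict: "ok", reason: `origin is https://${url.hostname}` };
  }
  // Trusted name used as a leading subdomain, path or query of some other site.
  const lookalike = TRUSTED_LOGIN_HOSTS.find((h) => url.href.includes(h));
  if (lookalike) {
    return { verdict: "phishing-suspect", reason: `"${lookalike}" appears in the URL but the origin is ${url.hostname}` };
  }
  return { verdict: "unknown-host", reason: `origin is ${url.hostname}` };
}

// Constructed samples showing the layout the article describes; not captured payloads.
const SAMPLES = [
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail<!-- attacker page would follow -->",
  "https://accounts.google.com/ServiceLogin?service=mail",
  "https://accounts.google.com.example.test/ServiceLogin",
];
for (const s of SAMPLES) console.log(classifyAddress(s));
```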
Another twist on this type of phishing attack directs users to click a link that supposedly allows the document to be viewed through Dropbox. As with the fake Gmail login page, users are taken to a webpage that lets them view the document only after they’ve signed in using their email credentials.
Once they enter the email credentials, victims are shown a decoy PDF document to divert any attention away from the phishing attack.
Obviously, this attack can lead to compromised Gmail accounts and provide a gateway to plenty of further attack methods. With the widespread reuse of passwords across multiple accounts, this type of attack can lead to enterprise email accounts becoming compromised as well.
If an attacker gets the login credentials to an executive’s Gmail account, chances are they can use the same password to access the executive’s corporate email account as well. Give the attacker a bit of time to gather information on the executive and their communication methods, and they will be conducting successful business email compromise attacks before you know it!
Email & Password Reuse
PhishLabs reports that phishing volume increased by 33% across the five most-targeted industries. The largest jump was seen in the phishing attacks directed towards cloud storage providers. Attackers are targeting these types of services in order to harvest their troves of email address and password pairs.
This ties back to the account reuse attacks with cyber criminals recycling those stolen credentials in the enterprise arena. Any organization relying on email addresses and passwords to authenticate users could be impacted by these indirect phishing attacks.
The common trend is the reliance on email addresses instead of unique usernames for authentication purposes. And due to the high frequency of password reuse, stolen credentials from a cloud service provider may inadvertently give attackers access to multiple accounts.
These types of phishing attacks demonstrate the importance of implementing two-factor authentication on online accounts. While the password is still the top choice for authenticating users online, that extra layer of defense can be the difference between a stolen password and a compromised account.