Gmail users in recent months have been targeted by a sophisticated series of phishing attacks that use emails from a known contact whose account has been compromised. The emails contain an image of an attachment that appears to be legitimate, according to Wordfence.
The sophisticated attack displays “accounts.gmail.com” in the browser’s location bar and leads users to what appears to be a legitimate Google sign-in page where they are prompted to supply their credentials, which then become compromised.
The technique works so well that many experienced technical users have fallen prey to the scam, noted Mark Maunder, CEO of Wordfence. Many have shared warnings on Facebook to alert family and friends, given that the technique has exploited otherwise trusted contacts so successfully.
Google has been aware of the issue at least since mid-January, based on comments from Google Communications’ Aaron Stein, which WordPress characterized as an “official statement” from the company.
Google was continuing to strengthen its defenses, Stein said, adding that it was using machine learning-based detection of phishing messages, safe browsing warnings of dangerous links in emails, and taking steps to prevent suspicious sign-ins.
Users could take advantage of two-factor authentication to further protect their accounts, he suggested.
Wordfence last month noted that Google Chrome released 56.0.2924, which changes the behavior of the browser’s location bar. The change results in the display of not secure messages when users see a data URL.
Google last month announced additional steps to protect G Suite customers against phishing, using Security Key enforcement. The technique helps administrators protect their employees using only security keys as the second factor.
Bluetooth low energy Security Key support, which works on Android and iOS mobile devices, is another user option.
Recent changes in Chrome and Firefox browsers have mitigated some of these types of attacks, observed Patrick Wheeler, director of threat intelligence at Proofpoint.
However, a variety of techniques are used to target users, he pointed out.
They recently have used PDFs to make it appear that users already are logged onto Google Docs — then users are prompted for a login when they move the mouse over the PDF.
Attacks such as these are a type of cat-and-mouse game in the sense that attackers will find more sophisticated entry points as cyberdefense methods improve, noted Javvad Malik, security associate at AlienVault.
“This shows the increasing maturity of cybercriminals,” he told TechNewsWorld. “As they become more organized and better funded, mainly through the proceeds of crime, they can invest time and resources into tweaking attack methods to become more effective.”
Attacks like phishing and social engineering are among the most common methods of entry, according to Sam Elliott, director of security product management at Bomgar.
Attacks like these often target privileged users with access to sensitive data, he said.
“While companies are aware of this, providing security around these types of users without limiting their ability to do their jobs effectively is difficult,” Elliott told TechNewsWorld.
Defining “privileged user” poses additional challenges for companies, even those with sophisticated security protocols, he added.
Despite the challenges it poses, “like any phishing scam, this one has a limited lifespan,” observed Mark Nunnikhoven, vice president for cloud research at Trend Micro.
“Because it impacts a very specific audience, there’s also a central point to prevent this scam,” he told TechNewsWorld.
Google likely will deploy image recognition and URL filtering to prevent this campaign from continuing, Nunnikhoven said.
Google did not respond to our request to comment for this story.