Clever Gmail Targeting Phishing Email Discovered

Dermot Smyth, Security and Compliance Officer

We are just over a month into 2017, and there is already a sophisticated Gmail phishing email making its rounds. New techniques and tactics have given hackers a way to convincingly impersonate your contacts.

How it Works

The attack works by targeting a victim’s contact list and sending out authentic-looking phishing emails. When this forged email is opened and the attachment clicked, a page appearing to be the Google login portal opens.

Once the victim submits their credentials into the site, the hackers start crawling the victim’s inbox. These crawlers look at previous subject lines and attachments for contextual relevance to copy.

A screenshot is taken of a previous attachment and a new message is composed. This screenshot becomes the entryway into the phishing Gmail login page. The subject line is then pulled from a previous email that would be relevant to the attachment.

The new version of the email is sent to all of the victim’s contacts, and the attack starts again. The use of previous subject lines and attachments helps to make the hacker’s email look very genuine. This technique has tricked many users into opening the infected attachment.

One of these emails is described by a commenter on Hacker News:

“[The hackers] went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”

The impersonation of the victim and the familiar tone of the subject help the phishing email to be trusted. The hacker’s concealment of the incorrect URL by using a data URL furthers this trust.

Data URLs

A data URL is a file that “allows normally separate elements such as images and style sheets to be fetched in a single Hypertext Transfer Protocol (HTTP) request.” This permits the hackers to hide the entire code for the phishing landing page within the image attachment, as well as display an authentic-looking URL.

While a careful user may look at a website’s URL to ensure its validity, many may not notice that the data URL has brought them to the phishing page instead. This highlights the importance of having a full-stack email security service implemented within an organization.
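An added example, not part of the original article: a Python check that a mail filter could run on link targets to flag the data URL behaviour described above. The sample strings are constructed, and the heuristics (URL-like text at the start of the payload, a password field, script) are assumptions about what such a page contains.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URL = re.compile(r"^\s*data:([^,]*),(.*)$", re.IGNORECASE | re.DOTALL)
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
# Constructed samples: a lure-shaped link target and a harmless inline image.
SAMPLE_LURE = ("data:text/html,https://login.example.test/%20"
               "<form><input type=password></form>")
SAMPLE_IMAGE = "data:image/png;base64,iVBORw0KGgo="


def parse_data_url(url):
    """Return (mediatype, decoded_bytes), or None if url is not a data URL."""
    m = DATA_URL.match(url)
    if not m:
        return None
    params = [p.strip().lower() for p in m.group(1).split(";")]
    mediatype = params[0] or "text/plain"  # RFC 2397 default
    raw = unquote_to_bytes(m.group(2))     # undo percent-encoding
    if "base64" in params[1:]:
        try:
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:
            return mediatype, b""          # malformed payload: nothing to inspect
    return mediatype, raw


def assess(url):
    """Return the reasons a link target looks like a data URL login lure."""
    parsed = parse_data_url(url)
    if parsed is None:
        return []                          # ordinary http(s) link
    mediatype, body = parsed
    text = body.decode("utf-8", "replace").lower()
    reasons = []
    if mediatype in ACTIVE_TYPES:
        reasons.append("renders active content: " + mediatype)
    # Assumed heuristic: the payload opens with text imitating a web address.
    if re.match(r"\s*https?://", text):
        reasons.append("payload starts with a URL-like string")
    if re.search(r"<input[^>]*type\s*=\s*[\"']?password", text):
        reasons.append("contains a password field")
    if "<script" in text:
        reasons.append("contains script")
    return reasons
```

A non-empty result from `assess` is a reason to quarantine or rewrite the link; inline images such as `SAMPLE_IMAGE` return an empty list.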


How to Protect your Account

The best way to ensure your account is safe from these types of attacks is to have 2-Step Verification turned on. This protects you because the hacker will only have the recorded password (the first form of verification). Without both forms of verification, the hacker will be unable to access the account.

Here is a link on how to turn on Google’s 2-Step Verification

The sophistication of this scam shows just how fast phishing techniques and attacks are advancing. The hackers are learning to be more effective and efficient and the users and services must keep up. To stay protected, users should ensure they are well educated on the newest phishing threats.

The losses from phishing and other business email compromise (BEC) scams have cost companies over $1.2 billion, according to the FBI. Want to make sure your employees can spot a phishing email before it costs you your business? Check out our Phishing Awareness Training page to learn more about our simple and effective phishing user training program!

