Gmail Phishing Scam
“Security researchers have identified a ‘highly effective’ phishing scam that’s been fooling Google Gmail customers into divulging their login credentials.
The scheme, which has been gaining popularity in the past few months and has reportedly been hitting other email services, involves a clever trick that can be difficult to detect.”
Don’t know if it’s better to paste the whole article, or just provide the link?
http://fortune.com/2017/01/18/google-gmail-scam-phishing/
A couple of points:
These have arrived in my inbox already tagged by GMail as spam. When I tried to open one of the e-mails, I got a warning notice from Google and was advised not to open the attachment.
It’s a bad, bad idea to go to a site by clicking a link in an e-mail (Sorry, Meh morning mail!) and especially so if it goes to a bank (or appears to do so) or any site that involves personal information and/or money. Even if the e-mail looks legitimate, I go to the referenced site via bookmarks rather than by clicking the link. (I’m just not the trusting type.)
@rockblossom - Smart. I figured most of the people here would not be duped, but according to the article it tricked some IT staff. Looks like Google is on top of it.
@rockblossom What if the link is telling me that I just won the Nigerian Lottery?
@daveinwarsh In that case, you might need the link to find out how to give them your bank account info.
@daveinwarsh - I guess that means you won’t be hanging out on meh for the discounts any longer?
@KDemo Yes. I’ll be just too stinking rich to shop here. I gave them all of my bank acct numbers & I’m waiting for the 75 trillion dollars to be deposited.
Any day now. …
@rockblossom This was way craftier than clicking a link to go to a site.
The bad guys would send you an email from someone that has you in their contacts, with subject matter and attachments that they have written about before. With that attachment they crafted an image that looks like an attachment in GMail. It links to a data URI containing what would appear to be GMail’s URL and then, way off to the side, a piece of JavaScript to render a fake GMail login page. As soon as your credentials are passed, they would log in to your account (by bot or waiting humans, not sure) and do the same thing to your contacts.
It’s not perfect but it is pretty damn high tech compared to most of the phishing scams out there, and apparently quite effective. By sending you a realistic looking message from someone you know they bypass many people’s BS filters. If you’re not paying attention or don’t know better you could think your credentials had expired, and even if you were trained to look at the address bar, you could be fooled there as well. It was a big enough deal that the next release of Chrome will start warning “NOT SECURE” in the address bar for any site not using https.
More reading without bothersome ads: https://gist.github.com/timruffles/5c76d2b61c88188e77f6 and https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
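An added example, not from this thread or the linked write-ups: a small Python check that flags an address-bar string built the way the comment above describes (a data: URI whose payload opens with a Gmail-looking login URL, then a long run of whitespace, then inline script). The lookalike host names and all sample strings are constructed assumptions for the example.

```python
import re
from urllib.parse import unquote

# Login hosts a fake page would want to imitate; assumed for this example.
LOOKALIKE_HOSTS = ("accounts.google.com", "mail.google.com")

def classify_address(address: str) -> dict:
    """Classify what a browser's address bar shows.

    Returns {"verdict": "ok" | "suspicious" | "phishing", "findings": [...]}.
    """
    scheme, _, rest = address.strip().partition(":")
    if scheme.lower() != "data":
        return {"verdict": "ok", "findings": []}
    # data:[<mediatype>][;base64],<payload>
    header, _, payload = rest.partition(",")
    payload = unquote(payload)
    findings = []
    if "text/html" in header.lower():
        findings.append("html data uri")
    # A real-looking login URL placed where the address bar would show it
    head = payload.lstrip()[:256].lower()
    for host in LOOKALIKE_HOSTS:
        if head.startswith(("https://" + host, "http://" + host)):
            findings.append(f"mimics {host}")
    # Long whitespace runs push the script far to the right, out of view
    if re.search(r"\s{20,}", payload):
        findings.append("whitespace padding")
    if re.search(r"<script\b", payload, re.IGNORECASE):
        findings.append("inline script")
    mimics = any(f.startswith("mimics ") for f in findings)
    if mimics and ("inline script" in findings or "whitespace padding" in findings):
        verdict = "phishing"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings}

# Constructed samples modelled on the technique described above (not real captures)
SAMPLES = {
    "legit": "https://accounts.google.com/ServiceLogin?service=mail",
    "padded": ("data:text/html,https://accounts.google.com/ServiceLogin"
               + " " * 100 + "<script>/* would render a fake login form */</script>"),
    "plain": "data:text/html,<h1>hello</h1>",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, classify_address(url))
```

A base64-encoded payload is only flagged as an HTML data URI here; decoding it before the text checks would be the natural extension.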
@djslack - Thank you for explaining in the technical language needed. And for the links, I checked the second one and they seem to be updating as needed.
@djslack Which is exactly why I don’t allow contact lists in any of my e-mail accounts.
added: But I can manage that because I’m retired. People who need tech to do their jobs can’t guard against all attacks and still be able to get things done.
@daveinwarsh But this is almost 4 times more than the US national debt! Do you know that if you gave only 1/4 of your winnings to the US you could instantly help Trump bring America back?
@KDemo Normally just post a summary, but for Forbes, you should post as much as you want because it’s such a pain there (the mandatory quote page, ad-block-blocker, etc).
@dashcloud - Thanks. Same for Fortune?
@KDemo Maybe? Can’t remember what Fortune is like.
The best thing to do is set up two-factor authentication (2FA) if possible, for all important accounts (banks, games, SSA.gov, etc.) and for any account that can be used to do password recovery of some other account (email).
Most implementations of 2FA allow for specific devices in trusted locations to bypass the 2FA, so it usually isn’t much of an annoyance to do this.
Of course, if you are one of those people who frequently loses their phone this may not work well for you. You may need to just accept the risk, unless you are willing to drop out of modern society.
@baqui63 and dropping out of modern society is a bad thing why?!
@Raider Aside from cannibals, why would that be a problem?
@Raider I don’t see a downside.
@baqui63 Exactly what I have done with Google account. If someone attempts to sign in with my username and password on a computer that is not already authorized, it will send me a text with a special code that needs to be entered.
The nice part about that feature is that I can get a list of all authorized devices and delete any of them at any time. So if I once had a device that I gave away to a friend, I remove that from the authorized list.
@Raider I never said that dropping out is a bad thing. Much of the time I wish that I could do this.
What @cengland0 said.
Hmm, interesting. Good thing I pretty much ignore all the emails I get. Though lately I have been getting some supposedly from a friend wanting to connect with me on LinkedIn. Which is weird. Because I don’t have a LinkedIn account.
@Mehsturbator that is a LinkedIn referral…or maybe it’s Wlad the Russian bear phishing you from the comfort of his Mom’s basement in Siberia…risky if you ask me
I used to get those requests and I didn’t/still don’t have an account there. I just kept marking them as spam (in Gmail) and they eventually stopped after a month or so. Still don’t know where they got that email address. I guessed it was from a job-finding site.
Along those lines, I just got an email with the salutation, “Hello, Walarney”. This is the only place I use that name. Kind of makes me wonder how they got my email address. Oh, wait. I used it to open an account at Steam to buy a gift card at Christmas. (Which turned out to be way too much hassle. Do they not like money?)
So two possible culprits. Better go check if my email is visible on a profile or something over there.
@walarney They sell Steam gift cards in stores at those gift card displays if you have them in your area. If that’s the only reason you have a Steam account, you could close it then.
I have 2-factor Auth set up on Google, and I have a horrible password that I hate typing in. If opening a PDF somehow took me to a page where I had to type in my PITA password, my alertness would be quickened with a quickness.