The scam tricks users into giving their Google login details and doesn’t appear to trigger Google’s HTTPS security warnings
Millions of Gmail users could be at risk from one of the most sophisticated phishing scams ever seen.
The scam tricks users into giving their Google login details and is considered so advanced it has even fooled IT experts.
The fake email can come from contacts in the recipient’s own address book and uses image attachments that look like a PDF file.
When you click on the attachment, you are directed to phishing pages, disguised as the Google sign-in page.
The user is then asked to enter their details, allowing the attacker to sift through their messages.
A further concern is that the phishing pages do not appear to trigger Google’s HTTPS security warnings.
The scam was discovered by Mark Maunder, CEO of Wordfence, a security plugin for WordPress, who admitted it was even fooling “experienced technical users.”
Writing on Wordfence, Mr Maunder said: “Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.
“Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.”
An IT teacher also explained on Hacker News how the scam had affected their school system.
He wrote: “We got hit by this hard right before the holiday break.
“Three employees and a handful of students all got hit by the attack within a two-hour period.
“It’s the most sophisticated attack I’ve seen.
How to avoid phishing attacks
- Enable two-factor authentication, and keep a look out for the prefix ‘data:text/html’ in the browser location bar – a sign of a fake web page.
- If you get an email from a site asking for personal information, don’t click any links or provide personal information until you’ve confirmed it’s safe.
- When you get an email that looks suspicious, check that the address and the sender name match.
- Check if the email is authenticated.
- Hover over any links before you click on them – if the URL of the link doesn’t match the description of the link, it might be leading you to a phishing site.
- Check the message headers to make sure the “from” header isn’t showing an incorrect name.
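Two of the indicators in the list above can be checked mechanically: a ‘data:text/html’ prefix in the location bar where the Google sign-in page should be, and a “from” header whose display name does not match the real sender address or that fails authentication. The Python below is an added example written for this page, not code from the article, from Wordfence or from Google; the `GOOGLE_LOGIN_HOSTS` allow-list, the `corp.example` and `mail-notify.example` domains and both sample messages are constructed assumptions.

```python
"""Defender-side checks for the indicators named in the article:
a data: URL in the address bar standing in for the Google sign-in page,
and a mismatched or unauthenticated From header.
Added example; not code from the article or from Wordfence."""
import email
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts that legitimately serve the Google sign-in page.
# Assumption for this example; a deployer would maintain the real list.
GOOGLE_LOGIN_HOSTS = {"accounts.google.com"}


def classify_location(url: str) -> str:
    """Classify what the browser location bar shows on a 'sign-in' page.

    Returns 'data-uri', 'not-https', 'lookalike-host' or 'ok'.
    """
    stripped = url.strip()
    # A data: URL renders an inline document; it is never the real sign-in
    # page, however much it quotes a google.com address after the comma.
    if stripped.lower().startswith("data:"):
        return "data-uri"
    parsed = urlparse(stripped)
    if parsed.scheme.lower() != "https":
        return "not-https"
    host = (parsed.hostname or "").lower()
    # accounts.google.com.example or similar is a lookalike, not Google.
    if host not in GOOGLE_LOGIN_HOSTS:
        return "lookalike-host"
    return "ok"


def check_headers(raw_message: str) -> list:
    """Return a list of warnings about the From header and authentication results."""
    msg = email.message_from_string(raw_message)
    warnings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # A display name carrying an address at another domain is a classic
    # way to make the sender name and the real address disagree.
    if "@" in display_name:
        name_domain = display_name.rsplit("@", 1)[-1].strip(' "<>').lower()
        if name_domain != sender_domain:
            warnings.append(
                f"display name claims {name_domain} but address is {sender_domain}")
    # The receiving server records SPF/DKIM outcomes in Authentication-Results;
    # anything other than an explicit pass is treated as unauthenticated.
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "spf=pass" not in results:
        warnings.append("spf did not pass")
    if "dkim=pass" not in results:
        warnings.append("dkim did not pass")
    return warnings


# Constructed sample messages (not real mail).
SAMPLE_SUSPICIOUS = """\
From: "Alice (HR) <alice@corp.example>" <payroll@mail-notify.example>
To: bob@corp.example
Subject: Shared document
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-notify.example; dkim=none

Please see the attached document.
"""

SAMPLE_LEGIT = """\
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Shared document
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example

Please see the attached document.
"""

if __name__ == "__main__":
    for url in ("data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
                "https://accounts.google.com/ServiceLogin?service=mail",
                "https://accounts.google.com.example/login"):
        print(classify_location(url), "<-", url[:60])
    print("suspicious:", check_headers(SAMPLE_SUSPICIOUS))
    print("legit:", check_headers(SAMPLE_LEGIT))
```

The location check deliberately rejects any `data:` URL before looking at what follows the comma, because the text after it is attacker-controlled and can quote a genuine Google address. The header check treats a missing `Authentication-Results` header the same as a failure, which is the safe default when the receiving server is not known to add one.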