Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited<\/h1>\n
This entry was posted in General Security<\/a>, Miscellaneous<\/a> on January 12, 2017 by Mark Maunder<\/a>\u00a0\u00a0\u00a0151 Replies<\/a><\/p>\n<\/div>\n Update at 11:30pm on Tuesday January 17th:\u00a0<\/strong>I have received an official statement from Google regarding this issue. You can find the full update at the end of this post<\/a>.<\/p>\n As you know, at Wordfence we occasionally send out alerts about security issues outside of the WordPress universe\u00a0that are urgent and have a wide impact on our customers and readers. Unfortunately this is one of those alerts. There is a highly effective phishing technique stealing login credentials that is having a wide impact, even on experienced technical users.<\/p>\n I have written this post to be as easy to read and understand as possible. I deliberately left out technical details and focused on what you need to know to protect yourself against this phishing attack and other attacks like it in the hope of getting the word out, particularly among less technical users. Please share this once you have read it to help create awareness and protect the community.<\/p>\n A new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over\u00a0the past few weeks there have been reports of experienced technical users being hit by this.<\/p>\n This attack is\u00a0currently being used to target Gmail\u00a0customers and is also targeting other services.<\/p>\n The way the attack\u00a0works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.<\/p>\n You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail\u00a0to sign in again. You glance at the location bar and you see\u00a0accounts.google.com<\/strong> in there. It looks like this\u2026.<\/p>\n You go ahead and sign in on a fully functional sign-in page that looks like this:<\/p>\n Once you complete\u00a0sign-in, your account has been compromised.\u00a0A commenter on Hacker News<\/a> describes in clear terms what they experienced over the holiday break once they signed in to the fake page:<\/p>\n \u201cThe attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.<\/em><\/p>\n For example, they went into one student\u2019s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.<\/em>\u201d<\/p>\n The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised.<\/p>\n Once they have access to your account, the\u00a0attacker also has full access to all your emails including sent and received at this point and may\u00a0download the whole lot.<\/p>\n Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism\u00a0including other email accounts, any SaaS services\u00a0you use and much more.<\/p>\n What I have described above is a phishing attack that is used to steal usernames and passwords on Gmail. It is being used right now with a high success rate. However, this technique can be used to steal credentials from many other platforms with many variations in the basic technique.<\/p>\n You have always been told: \u201cCheck the location bar in your browser to make sure you are on the correct website before signing in. That will avoid phishing attacks that steal your username and password.\u201d<\/em><\/p>\n In the attack above, you did exactly that and saw\u00a0\u2018accounts.google.com<\/strong>\u2018 in the location bar, so you went ahead and signed in.<\/p>\n To protect yourself against this you need to change\u00a0what you are checking<\/strong> in the location bar.<\/p>\n This phishing technique uses something called a \u2018data URI\u2019 to include a complete file in the browser location bar. When you glance up at the browser location bar and see \u2018data:text\/html\u2026..\u2019 that is actually a very long string of text. If you widen out the location bar it looks like this:<\/p>\n There is a lot of whitespace which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker.<\/p>\n As you can see on the far left of the browser location bar, instead of \u2018https\u2019 you have \u2018data:text\/html,\u2019 followed by the usual \u2018https:\/\/accounts.google.com\u2026.\u2019. If you aren\u2019t paying close attention you will ignore the \u2018data:text\/html\u2019 preamble and assume the URL is safe.<\/p>\n You are probably thinking you\u2019re too smart to fall for this<\/strong>. It turns out that this attack has caught, or almost caught several technical users who have either\u00a0tweeted<\/a>,\u00a0blogged<\/a>\u00a0or commented<\/a> about it. \u00a0There is a specific reason why this is so effective that has to do with human perception. I describe that in the next section.<\/p>\n When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname.\u00a0<\/strong>It should look like this in Chrome when signing into Gmail or Google:<\/p>\n Make sure there is nothing before the hostname \u2018accounts.google.com\u2019 other than \u2018https:\/\/\u2019 and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can\u2019t verify the protocol and verify the hostname, stop<\/strong> and consider what you just clicked on to get to that sign-in page.<\/p>\n Enable two factor authentication\u00a0<\/strong>if it is available on every\u00a0service that you\u00a0use. GMail calls this \u201c2- step verification\u201d and you can find out how to enable it on this page<\/a>.<\/p>\n Enabling two factor authentication makes it much more difficult for an attacker to\u00a0sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion<\/a> that indicates even two factor authentication may not protect against this attack. However I have not seen a proof of concept, so I can not confirm this.<\/p>\n Google\u2019s response<\/a> to a customer asking about this was as follows:<\/p>\n \u201cThe address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin are the users currently visiting. If the users pay no attention to the address bar, phishing and spoofing attack are \u2013 obviously \u2013 trivial. Unfortunately that\u2019s how the web works, and any fix that would to try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have a phishing on any http[s] page just as well.\u201d<\/em><\/p>\n This is likely a junior person within the organization based on the grammatical errors. I disagree with this response for a few reasons:<\/p>\n Google have modified the behavior of the address bar in the past to show a green protocol color when a page is using HTTPS and a lock icon to indicate it is secure.<\/p>\n They also use a different way of displaying the protocol\u00a0when a page is insecure, marking it red with a line through it:<\/p>\n During this attack, a user sees neither green nor red. They see ordinary black text:<\/p>\n That is why this attack is so effective.\u00a0In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected.\u00a0<\/em>[Read more:\u00a0Gestalt principles of human perception and \u2018uniform connectedness\u2019<\/a>\u00a0and Content Blindspots<\/a>]<\/p>\n \u00a0<\/em>In this case the \u2018data:text\/html\u2019 and the trusted hostname\u00a0are the same color. That suggests to our perception that they\u2019re related and the \u2018data:text\/html\u2019 part either doesn\u2019t matter or can be trusted.<\/p>\n What Google needs to do in this case is change the way \u2018data:text\/html\u2019 is displayed in the browser. There may be scenarios where this is safe, so they could use an amber color with a unique icon. That would alert our perception to a difference and we would examine it more closely.<\/p>\n I\u2019ve had two requests in the comments about this so I\u2019m adding this section now. (at 9:39am Pacific time, 12:39am EST).<\/p>\n There is no sure way to check if your account has been compromised. If in doubt, change your password immediately. Changing your password every few months is good practice in general.<\/p>\n If you use GMail, you can check your login activity to find out of someone else is signing into your account. Visit https:\/\/support.google.com\/mail\/answer\/45938?hl=en<\/a> for info. To use this feature, scroll to the bottom of your inbox and click \u201cDetails\u201d (very small in the far lower right hand corner of the screen). This will show you all currently active sessions as well as your recent login history. If you see active logins from unknown sources, you can force close them. If you see any logins in your history from places you don\u2019t know, you may have been hacked. [Thanks Ken<\/a>, I pasted your comment in here almost verbatim. Very helpful.]<\/p>\n There is a trustworthy site run by Troy Hunt who is a well known security researcher where you can check if any of your email accounts have been part of a data leak. Troy\u2019s site is\u00a0https:\/\/haveibeenpwned.com\/<\/a>\u00a0and it is well known in security circles. Simply enter your email address and hit the button.<\/p>\n Troy aggregates data leaks into a database and gives you a way to look up your own email in that database to see if you have been part of a data breach. He also does a good job of actually verifying the data breaches he is sent.<\/p>\n I\u2019ll be sharing this on Facebook to create awareness among my own family and friends. This attack is incredibly effective at fooling even technical users for the reasons I have explained above. I have the sense that most ordinary users will be easy pickings. Please share this with the community to help create awareness and prevent this from having a wider impact.<\/p>\n Mark Maunder \u2013 Wordfence Founder\/CEO \u2013 @mmaunder<\/a> This is an update at 11:30pm PST on Tuesday the 17th of January 2017. I was contacted by Aaron Stein from Google Communications. He has provided the following official statement from Google:<\/p>\n \u201cWe\u2019re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.<\/em>\u201d …<\/p>\n Read the entire article here.<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":" New Phishing Scam\u00a0Targeting Gmail Users No matter what you read, this is nothing like what happened to Yahoo users! We are publishing this because the news is spreading like wildfire today about serious phishing scam\u00a0targeting Gmail users. And undoubtedly, you’re going to hear people who don’t know what they’re talking about comparing this to recent Yahoo troubles. This\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1461,1433,1678,1656],"tags":[],"_links":{"self":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/12234"}],"collection":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/comments?post=12234"}],"version-history":[{"count":3,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/12234\/revisions"}],"predecessor-version":[{"id":12237,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/posts\/12234\/revisions\/12237"}],"wp:attachment":[{"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/media?parent=12234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/categories?post=12234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thundercloud.net\/infoave\/new\/wp-json\/wp\/v2\/tags?post=12234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}The\u00a0Phishing Attack: What you need to know<\/h1>\n
![\"\"](\"https:\/\/www.wordfence.com\/wp-content\/uploads\/2017\/01\/dataURI.png\")
<\/p>\n![\"GMail](\"https:\/\/www.wordfence.com\/wp-content\/uploads\/2017\/01\/gmail-data-URI-sign-in-page.png\")
<\/p>\nHow to protect yourself against this phishing attack<\/h1>\n
<\/p>\n![\"GMail](\"https:\/\/www.wordfence.com\/wp-content\/uploads\/2017\/01\/gmail-phishing-data-uri-showing-script.png\")
<\/p>\nHow to protect yourself<\/h2>\n
![\"Gmail](\"https:\/\/www.wordfence.com\/wp-content\/uploads\/2017\/01\/GMail-phishing-secure-accounts.google.com-data-uri.png\")
<\/p>\nWhy Google won\u2019t fix this and what they should do<\/h1>\n
<\/p>\n![\"\"](\"https:\/\/www.wordfence.com\/wp-content\/uploads\/2017\/01\/phishing-chrome-certificate-warning.png\")
<\/p>\n<\/p>\nUpdate: How to check if your account is already compromised<\/h1>\n
Spread the word<\/h1>\n
\n<\/a><\/p>\nUpdate: Official Statement from Google<\/h1>\n