Phishing continues to get more sophisticated. Recently, we’ve seen several sophisticated phishing attacks attempting to harvest a target’s Gmail credentials. Below, we’ll do a quick breakdown of each one, and how you can continue to protect yourself in the future. While the attack examples below were targeted at Gmail accounts, these can easily be used across many different platforms as well.
Phishing by Obfuscation
The following sophisticated phish has been making the rounds. Like any other phish, it may appear to come from a trusted person (or may actually be coming from a trusted person who has been hacked) and usually contains an image of an attachment that you’d want to view. Many of us know to be wary and to check the URL before entering credentials right? Well, in this case, it’s not so cut-and-dried and is successfully fooling users knowledgeable in phishing attacks.
Mark Maunder of Wordfence explains how this is managing to fool even tech-savvy users. You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there. It looks like this….
During a hectic day, on a mobile device, or to someone distracted at the time; a quick glance at the URL doesn’t give off the normal red-flags. There is no not-secure warning before the address, which usually alerts on any non-SSL site. Also, it doesn’t appear to be pointing to a fake URL such as security-google.com.
Once you’ve logged in, you’re presented with an actual document, but your account credentials have been compromised. What many missed when they saw the Gmail login page was the obfuscated code that opens up the credential harvesting page. If a user were to view the full URL (by scrolling past all the white space) they would see it was not a legitimate login page.
Phishing by Building Rapport
Recently, another similar phishing attack is stealing credentials through another fake Gmail login page. The difference is that these phishes are more targeted, and the assailant built a rapport with the target prior to releasing the attack. Attackers created an entire online presence for a female called Safeena Malik. She had a LinkedIn account with over 500 connections, and also Facebook and Google accounts that were active and regularly communicated with the targets before the phish was sent.
After “trust” had been established over a period of time, Safeena sent an email promising that an attached document contained valuable information. Again, to view the document, targets were prompted to log in to a fake Gmail page where their credentials were stolen. However, since this was coming from a source that seemed legitimate, many users probably didn’t bother to verify the URL before logging in.
Don’t Become a Victim to These Attacks
- Always double-check the URL before clicking on it and/or entering information. It may appear to be from a trusted source, but that source may be compromised or entirely fabricated. Best practice is to manually navigate to a known, good URL for logging in.
- Activate Two Factor Authentication (2FA) on any accounts that have it available. Assailants may be able to get your password via one of these attacks, but 2FA will help prevent them from logging in and stealing data or taking over your account.
- Don’t reuse passwords across sites. If your password does get compromised, at least it can’t be used to hack into other accounts as well.
Sources:
https://www.forbes.com/sites/thomasbrewster/2017/02/14/safeena-malik-qatar-fake-cyberespionage-hacking-campaign/#1f3c927b12af
https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/