New Gmail Phishing Email Looks Identical To Gmail Login Page
As you know, phishing schemes are increasingly sophisticated, with fakes that appear nearly indistinguishable from genuine websites or email. Today we share with you a new Gmail phishing email scheme that is highly effective because it is difficult to spot.
While this attack targets Gmail (and other services as well), the basic principle has been used in many other phishing schemes and can be used against any SaaS or website you log into. There was a fake PayPal website we wrote about a while back.
We’re writing to you today about this phishing scheme because repetition raises awareness, which reduces risk, and because many of us use Gmail.
Please read on and please share this email with your team, colleagues, family and friends.
How This Gmail Phishing Attack Works
An attacker compromises the email account of someone you know (or your own account, which is then used against your contacts).
From that account they send an email with the attack built in, so it arrives from a sender you trust.
The email includes an attachment, image or link which, when clicked, prompts you to sign into Gmail again. This prompt is in fact a fake page, and any username or password you type into it is sent directly to the attacker. The attacker logs into your account almost immediately and repeats the attack by sending the same phishing email to your family, friends, colleagues and clients, that is, anyone in your contact list.
At the same time, your entire email history and contact list may be downloaded in case you recognize you have been compromised and change your password.
In the meantime, your mailbox can be mined for other personal information, or used to gain access to your banking sites and other sensitive accounts by triggering password recovery emails that now land in the attacker's hands.
The fake login screen looks nearly identical to the real Gmail login screen. See screen capture below, courtesy of WordFence.
To make it trickier to spot as a phishing scheme, the URL of the fake login screen does contain the trusted accounts.google.com text, but only as text after a data:text/html prefix, not as the address the page is actually loaded from, and it is mixed in with text that shouldn't be there.
Nevertheless, a quick glance and seeing the familiar accounts.google.com URL may be enough to earn your trust and trick you into giving away your email login information to a cybercriminal.
What To Look For To Spot A Fake Gmail Login Page
The real Gmail login page begins with a green lock icon and https:// in green (as Chrome displayed it at the time of writing), indicating that the connection is encrypted and the certificate matches the site name, immediately followed by the familiar accounts.google.com address.
The green colour and green closed lock icon are good visual cues to look for, but they are not enough: any site, including a phishing site, can obtain a valid certificate for its own name, so what matters is the exact domain name that appears immediately after https://.
A fake Gmail login page may:
- be missing the green lock icon and green text
- show only http:// in black, with no https:// at all
- show https:// in red or struck through, indicating a certificate problem or insecure content on the page
- start with a different string of text altogether (no http at all)
In the case of this Gmail phishing attack vector:
- the URL actually begins with data:text/html
- there is no lock icon at all
- there is no green or red text to indicate a secure or insecure connection – see image below, courtesy of WordFence
And if you were to inspect the end of this long URL, you would find a large blank space and then more text beginning with <script…
The blank space is intended to trick you into thinking you have reached the end of the URL and to reduce the chance that you will spot the script that opens and operates the fake website collecting information.
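The checks above (data: scheme, whitespace hiding a script, and the exact domain after https://) can be applied mechanically. The following is an added example, written for this page and not code from the original post or from Wordfence. It uses only Node's built-in URL parser; the sample address-bar strings are constructed for illustration, and the script body in the data: URI is a harmless placeholder, not the real attack payload. It also goes slightly beyond the post by flagging lookalike hosts such as accounts.google.com.example.net, which would show a valid lock icon.

```javascript
// Added example: classify the text in a browser address bar the way the post
// tells a reader to do by eye. Node.js, no dependencies.
// The samples below are constructed for illustration only.

const TRUSTED_LOGIN_HOST = "accounts.google.com";

function classifyAddressBar(text) {
  let url;
  try {
    url = new URL(text.trim());
  } catch (e) {
    return { verdict: "not-a-url", hostname: null, reason: "text does not parse as a URL" };
  }

  if (url.protocol === "data:") {
    // A data: URI has no host at all: everything after the first comma is the
    // document itself, so "accounts.google.com" inside it is just text.
    const body = text.slice(text.indexOf(",") + 1);
    const m = /(\s+)<script/i.exec(body);
    const gap = m ? m[1].length : 0;
    return {
      verdict: "data-uri",
      hostname: url.hostname, // always "" for data:
      whitespaceBeforeScript: gap,
      reason: "login page served from a data: URI, not from any server" +
        (m ? `; <script> hidden after ${gap} whitespace characters` : ""),
    };
  }

  if (url.protocol !== "https:") {
    return { verdict: "not-https", hostname: url.hostname, reason: `scheme is ${url.protocol}` };
  }

  if (url.hostname === TRUSTED_LOGIN_HOST) {
    return { verdict: "trusted-host", hostname: url.hostname, reason: "https origin is the real login host" };
  }

  // HTTPS only proves the connection matches *this* hostname; a lookalike
  // such as accounts.google.com.example.net can show a perfectly valid lock.
  return {
    verdict: "wrong-host",
    hostname: url.hostname,
    trustedNameAppearsElsewhere: text.includes(TRUSTED_LOGIN_HOST),
    reason: `https host is ${url.hostname}, not ${TRUSTED_LOGIN_HOST}`,
  };
}

// Constructed stand-in for the address bar contents described in the post:
// data: scheme, the real-looking Google URL as plain text, a long run of
// spaces, then a script tag. The script body is a placeholder.
const CONSTRUCTED_PHISHING_URI =
  "data:text/html,https://" + TRUSTED_LOGIN_HOST +
  "/ServiceLogin?service=mail&continue=https://mail.google.com/mail/" +
  " ".repeat(200) +
  "<script>/* placeholder, not the real payload */</script>";

const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  CONSTRUCTED_PHISHING_URI,
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.net/ServiceLogin",
  "https://example.net/accounts.google.com/ServiceLogin",
  "accounts.google.com/ServiceLogin",
];

for (const s of SAMPLES) {
  const r = classifyAddressBar(s);
  console.log(`${r.verdict.padEnd(13)} ${r.reason}`);
}
```

Only "trusted-host" is a pass; everything else, including a valid https lock on a host that merely contains the words accounts.google.com, is a reason to close the tab and type the address yourself.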
Remember, if you are hacked and change your password upon discovery, the cybercriminals may already have downloaded your contact list or your entire mailbox to mine, so a password change alone does not undo the damage.
Please take a moment to review this post with your team or family.
Remember, cybercriminals earn a living from this type of activity. Limit your risk.
Looking for network security and IT support in Toronto?
We can help. TUCU is tech u can use, a trusted provider of small business IT solutions in Toronto since 2003. Please call our friendly team at (416) 292-3300 or send us an email today.