TAMPA, Fla. (WFLA) – A new phishing technique is targeting Gmail and other email services, and it’s been highly effective.
Mark Maunder, CEO of the WordPress security plugin Wordfence, said the attacker sends an email to your Gmail account; it may come from someone whose own account was already hacked using the same technique.
The email may include something that looks like this:
If you click the image expecting a preview of the attachment, a new tab opens, prompting you to log in to your Gmail account again. It is not Gmail; it is a phishing page.
Once you sign in, your account has been compromised.
A commenter on Hacker News describes what they experienced when they signed into the fake page:
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
How do I protect myself?
You need to change what you check in the location bar at the top of your browser.
Maunder said the technique uses something called a “data URL,” that looks like this:
That chunk of text is actually an entire web page packed into the address itself. It opens in a new tab as a completely functional, but fake, Gmail login page, which sends your credentials straight to the attacker.
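As an added illustration that is not part of the WFLA article or of Wordfence's material, the following Python checker applies the article's advice to address-bar strings: anything beginning with "data:" is never a real login page, the address must use https, and the host must be Google's actual sign-in host. It assumes that host is accounts.google.com (a known fact about Google, not something the article states), and every sample address below is constructed for the demo, not captured from a real attack.

```python
from urllib.parse import urlsplit

# Hostname of Google's real sign-in page (known fact; not taken from the article).
EXPECTED_LOGIN_HOST = "accounts.google.com"


def classify_location(address: str) -> tuple[str, str]:
    """Classify what the browser's location bar shows on a page asking for Gmail credentials.

    Returns (verdict, reason) where verdict is "ok" or "suspicious".
    The checks mirror what the article tells readers to look for: a "data:" address
    is never a legitimate login page, the address must start with https://, and
    the host must really be Google's sign-in host.
    """
    text = address.strip()  # padding whitespace can push the real content out of view
    scheme = text.split(":", 1)[0].lower()

    if scheme == "data":
        return "suspicious", "data: URL - the whole page is embedded in the address, not served by Google"
    if scheme != "https":
        return "suspicious", f"scheme is {scheme!r}, not https"

    parts = urlsplit(text)
    host = parts.hostname or ""  # lowercased; ignores any user@ prefix and :port
    if host != EXPECTED_LOGIN_HOST:
        return "suspicious", f"host {host!r} is not {EXPECTED_LOGIN_HOST}"
    return "ok", "https and genuine Google sign-in host"


# Constructed examples of what a location bar might show; none are from a real incident.
SAMPLE_ADDRESSES = [
    "https://accounts.google.com/ServiceLogin?service=mail",
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
    "   data:text/html,https://accounts.google.com/ServiceLogin   ",
    "http://accounts.google.com/ServiceLogin",
    "https://accounts.google.com.example-login.test/ServiceLogin",
    "https://accounts.google.com@example-login.test/ServiceLogin",
]


def audit(addresses=SAMPLE_ADDRESSES) -> dict[str, str]:
    """Map each address to its verdict; used by the demo below and by tests."""
    return {a: classify_location(a)[0] for a in addresses}


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        verdict, reason = classify_location(addr)
        print(f"{verdict:10s} {reason}")
        print(f"           {addr.strip()[:70]}")
```

Only the first sample passes. The fourth through sixth show why the host check is stricter than "does the address contain accounts.google.com": a lookalike domain and a user@host prefix both contain that string while pointing somewhere else, which is exactly the kind of detail the article says readers must start checking.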
You can also consider two-step authentication. Here’s where you can find details for Gmail.
How can I check if my account is already compromised?
There’s no sure way to check.
If you think your account has been compromised, change your password immediately. Getting in the habit of changing your password every few months is a good practice.
You can check the login activity of your Gmail account if you are worried.
Open Gmail and click on “Details” in the bottom right-hand corner of your screen.
This shows all recent login history and currently active sessions.
If you see active sessions from an unknown source, you can force them to sign out from that page.
If you see any logins from places you don’t know, your account may be compromised.