An insidious new Gmail phishing attack is tricking even the most careful of users
A new phishing technique is fooling internet users into giving hackers access to their Gmail accounts. According to WordPress security plugin creator Wordfence, the way that the attack works is that hackers send emails to the contacts of compromised accounts containing a seemingly innocuous attachment. When the user clicks the attachment, a new tab opens in the browser that looks nearly identical to the Google sign-in page. If the user inputs their log-in information, it goes straight to the attacker.
From: An insidious new Gmail phishing attack is tricking even the most careful of users – BGR
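The excerpt above says the fake tab "looks nearly identical to the Google sign-in page", which is exactly why looking at the page itself does not help; the one thing the attacker cannot forge is the origin shown in the address bar. The check below is an added example (not code from BGR or Wordfence, and not a description of how this particular campaign built its page): it parses whatever is in the address bar and accepts it only when the scheme is https and the host is exactly accounts.google.com. The lookalike URL shapes it rejects are constructed for illustration, not taken from the article.

```javascript
// Added example: an address-bar sanity check for a page claiming to be the
// Google sign-in page. Not from the article; the sample URLs are constructed.
const GENUINE_SIGNIN_HOST = "accounts.google.com";

// Returns a short reason when the URL must NOT be trusted as the Google
// sign-in page, or null when every check passes.
function whyNotGoogleSignIn(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // WHATWG parser, built into browsers and Node
  } catch (e) {
    return "unparseable URL";
  }
  // Only https is acceptable. This also rejects data: and javascript: URLs,
  // which render a page without ever contacting a server.
  if (u.protocol !== "https:") {
    return `scheme is ${u.protocol.replace(":", "")}, not https`;
  }
  // "https://accounts.google.com@evil.example/" puts the genuine host name in
  // the userinfo part; the browser actually connects to evil.example.
  if (u.username !== "" || u.password !== "") {
    return "credentials embedded before the host";
  }
  // The host must match exactly. "accounts.google.com.evil.example" is a
  // different registrable domain, and an IDN lookalike (Cyrillic letters)
  // parses to an xn-- punycode host that will not match either.
  if (u.hostname.toLowerCase() !== GENUINE_SIGNIN_HOST) {
    return `host is "${u.hostname}", not ${GENUINE_SIGNIN_HOST}`;
  }
  return null;
}

function isGoogleSignIn(rawUrl) {
  return whyNotGoogleSignIn(rawUrl) === null;
}

// Constructed sample address-bar contents (hypothetical, not from the article).
const SAMPLES = [
  "https://accounts.google.com/signin/v2/identifier",
  "https://ACCOUNTS.GOOGLE.COM/ServiceLogin",
  "data:text/html,%3Ch1%3ESign%20in%3C/h1%3E",
  "https://accounts.google.com@evil.example/",
  "https://accounts.google.com.evil.example/signin",
  "http://accounts.google.com/",
  "not a url",
];

// Map each sample to its verdict; the genuine ones come back as null.
function classifySamples(samples = SAMPLES) {
  return samples.map((url) => ({ url, reason: whyNotGoogleSignIn(url) }));
}

for (const { url, reason } of classifySamples()) {
  console.log(reason === null ? "OK      " : "REJECT  ", url, reason ? `(${reason})` : "");
}
```

In a real browser the value to feed in is `window.location.href`, read from the tab that is asking for the password; the habit the check encodes (https, no userinfo, exact host) is also the one to teach users, since it survives however convincing the page body is.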
That really is very clever. And I don’t know how you would defend against it. Even setting up two-factor authentication wouldn’t help you outrun the bear, just outrun the other guy. If these attackers haven’t implemented 2FA stealing, it’s only because it’s not worth the effort, as they get enough victims without bothering.
If this happened to me, you’d get a bunch of spam email from the Washington Post, and emails from sexy Russian “ladies” who love me and just need a little bit of money to come to America and fulfill all my dreams.
“When the user clicks the attachment, a new tab opens in the browser that looks nearly identical to the Google sign-in page.”
I think we’re getting to a point where part of the “user account setup” needs to be a “basic Internet skills” slideshow, including things like “here’s some common methods people use to steal your stuff”.
I would expect to see required anti-theft literature tacked to every car sold before that happens.
Is that an unreasonable thing? The internet is still fairly new with a massive gap between experienced and novice users that is easily exploited.
Maybe “Don’t open a link” will become conventional wisdom but it obviously isn’t yet.
It isn’t, actually. It is definitely the case that the internet is still heavily biased towards people who already know how to use it.
It shouldn’t have to be conventional wisdom though – the whole point of the internet is to communicate information. The hyperlink is the basic thing that makes the web what it is. We’re in a sad place if “Don’t use the internet for what it’s for” becomes conventional wisdom.
I would bet at 2:1 odds that I wouldn’t fall for this. I would have to think hard about 10:1 odds, and wouldn’t take 20:1. And I have worked for over a decade in IT security.
I wouldn’t take 2:1 odds that an average employee at my organization, someone who uses computers daily and proficiently, wouldn’t fall for it. I think training users not to use the internet for what it’s for isn’t the answer. I mean, we do that here, because it’s kind of what you have to do nowadays. But that’s because of our failure, as an industry, to do better by our users.
It’s the same deal with any confidence scam, though. It’s not so much “don’t use the Internet for the thing it is for” as it is “there are ways that people can trick you, these are some of them”.
I put it in the same category as “when someone calls and says they’re from the IRS and if you don’t send $5000 via Western Union they will have you arrested, that’s a scam, don’t do it”.
That’s different though.
When you get an email from someone you know, that’s in the context of an email exchange you are currently having with them, with an attachment that looks exactly like an attachment they sent you recently – you don’t get suspicious.
This isn’t even remotely in the same league as someone cold-calling you from “the IRS” and demanding $5000 via Western Union or Apple gift cards or whatever.
We’ve had people on my campus (professors) regularly fall for what I think of as pretty basic phishing scams (“Your e-mail box is almost full! Enter your username and password here to delete unneeded messages!”)
We’ve also apparently had a case of someone falling for the Cryptolocker scam; I heard they had to have their hard drive totally wiped.
I don’t know if that means that ‘highly educated’ people sometimes don’t have common sense, or if they trust too much, or what. I’m a pretty suspicious wench and thus far I’ve managed to stay safe, though once or twice I got e-mails that were “for real” and I deleted them thinking they were scams.
(Also, I keep all my really important files in a couple different places, so having to have my hard drive wiped would represent considerably less loss of work to me than it would to someone else)
I just as a matter of policy don’t open any attachments I have not specifically asked for and I don’t respond to e-mails with “weird” From: addresses. (Someplace in Czechoslovakia is not going to be monitoring the “fullness” of my inbox)
That said, I’m not sure a moment of inattention might not allow me to fall for the new Google scam.
This is exactly how I taught my parents not to send naked links or attachments to me or anyone else they know.
They: Did you get that thing I sent?
We: Nope… I deleted about 5 emails from you that looked like spam/phishing attempts though.
I’ve reported some sketchy ones directly to our own IT teams that actually legitimately originated with them.
As in they were legit emails, not phishing attempts or compromised IT systems.
I sometimes wonder if they send out the occasional weirdly worded email deliberately to see who stops and goes “Wait, that doesn’t look right” and who doesn’t.
Heh, I actually got flagged at work for not taking a security training class on phishing.
My defense? It was an email sent from an unknown source for a class I wasn’t told I needed to take asking me to click a link and log-in with my corporate user name and password.
Instead of sending me an Amazon gift card, exempting me from this and all future CYA security training, and putting my picture (or Rex’s picture) on a bulletin board somewhere, they just told me to click the link and log in. So, I know how John Podesta feels.
Ours does actual phishing traps. Not stuff like that.
*Yawn* incompetents. Going after the smart people is the wrong move.
You attract too much attention that way.
And apparently a version has hit here: e-mails going around (on the campus mail platform, not Gmail, but still) claiming you have a meeting with someone and asking for your login information if you click the link.
Again, I guess it’s good to be a suspicious wench. (“Hey, I don’t have a meeting scheduled with that person, something’s wrong”)
On a possibly related note, I’ve gotten two emails like this in the last week:
Number changed as well, but it had the weird mix of numerals and words. The first time I was inclined to think it was just someone who had the wrong email address, but then I got the other one, again with the strange way of writing the number. Both say they’re from Susquehanna; not sure if that’s a city, company, school, or what.
Is this a thing now? I’ve never seen spam that only gives a phone number.
No typos? Poor shot.
May be an old thing. Note the area code is not an 8XX number. I no longer keep track of the phone billing scams, but at one point the owner of a number could set it up as a class of service so that the originating end of all incoming calls was billed a specific amount. The original purpose was for things like per-call technical assistance and got around the need for the caller to have a credit card. For a while it was a common scam in NYC to have someone in appropriate attire show up at small businesses with two dozen roses for “Mary Ellen Smith”. If there was no Mary Ellen Smith, they would ask to use the phone to talk to their boss. “It’s a local call, here, you can dial it for me.” Service tariffs like that tend to hang on for years/decades after their purpose has disappeared just because it’s a hassle for the phone company to go through the state-level procedures.
It’s a river… possibly this was your very own watery tart offering swords and supreme power.
I didn’t watch the inauguration today, is this how we did it this time?
Next time, text. This is how you get Trump.