Gmail Phishing Scam at large

A highly effective phishing technique is stealing login credentials from Gmail users and is having a wide impact, even on experienced technical users.

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see in there.

Once you complete sign-in, your account has been compromised. A commenter on Hacker News describes in clear terms what they experienced over the holiday break once they signed in to the fake page:

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.”

How to protect yourself

Be very careful about clicking on images sent by other Gmail users. Gmail does occasionally ask you to log in, so be very careful when you are asked to do this. If in doubt, close the login browser tab (or just close your web browser). Then open Gmail again: if you are still logged in, the login prompt was a scam. Inform the sender that their Google account has been compromised.
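The advice above comes down to reading the location bar correctly: only the URL's scheme and host identify the page you are on, and text that merely resembles Google's sign-in address elsewhere in the string proves nothing. The check below is an added example, not code from the original post; it assumes accounts.google.com as the genuine sign-in host and uses constructed sample strings.

```javascript
// Added example (not from the original post): classify a location-bar string as a
// genuine Google sign-in page or a suspect one, using only scheme and host.
// The genuine host is an assumption made for this example.
const GENUINE_SIGNIN_HOSTS = new Set(["accounts.google.com"]);

function classifyLocationBar(text) {
  let url;
  try {
    url = new URL(text.trim());
  } catch (e) {
    return { genuine: false, reason: "not a parseable URL" };
  }
  // data:, javascript:, blob: and plain http: have no trustworthy web origin;
  // a page loaded from them can render any HTML, including a sign-in form.
  if (url.protocol !== "https:") {
    return { genuine: false, reason: `scheme is ${url.protocol} not https:` };
  }
  // The host must match exactly: accounts.google.com.evil.example is a
  // different host even though it starts with the familiar name.
  if (!GENUINE_SIGNIN_HOSTS.has(url.hostname.toLowerCase())) {
    return { genuine: false, reason: `host is ${url.hostname}` };
  }
  return { genuine: true, reason: "https origin matches the genuine host" };
}

// Constructed sample strings modelled on what a user might see in the location bar.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "http://accounts.google.com/ServiceLogin",
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
  "https://accounts.google.com.evil.example/ServiceLogin",
  "https://evil.example/login?next=https://accounts.google.com/ServiceLogin",
];

for (const s of SAMPLES) {
  const r = classifyLocationBar(s);
  console.log(`${r.genuine ? "GENUINE" : "SUSPECT"}  ${s}  (${r.reason})`);
}
```

Only the first sample is reported as genuine; each of the others fails on scheme or host even though "accounts.google.com" appears somewhere in the string.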

Enable two-factor authentication on every service you use that offers it. Gmail calls this “2-step verification” and you can find out how to enable it on this page.

Enabling two-factor authentication makes it much more difficult for an attacker to sign in to a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion indicating that even two-factor authentication may not protect against this attack. However, I have not seen a proof of concept, so I cannot confirm this.
