A devious new scam targeting Gmail users shows you can’t trust that any e-mail is safe, even if it comes from someone you know and appears to be part of an ongoing conversation.
Cybercriminals are taking over Gmail accounts and using the e-mail chains they find there to send personalised scam messages to people the account holder previously corresponded with. The e-mails reuse the subject lines and file attachment names from those earlier exchanges, making them appear legitimate.
But the fraudulent messages contain what looks like an attachment. Clicking on it opens an authentic-looking Gmail sign-in screen that prompts the recipient to log in. Anyone who does hands their e-mail log-in credentials to the scammer, who can then take over that account too and repeat the trick on its contacts.
The crooks cash in by checking your e-mails for information that will give them access to your bank and other financial accounts, said Robert Capps, vice president of business development for NuData Security in Vancouver, Canada.
“What’s really damaging, what’s really powerful about attacks like this is that a consumer e-mail account is often the key to other accounts,” he told me.
Think about your e-mails. There probably are messages from banks, retailers and service providers. Capps said customers often can reset their passwords through those e-mails, which means the cybercrook can do the same.
“You can take over a large number of accounts without ever having to know the passwords to any of the other accounts,” he said.
This fraud is especially sophisticated because the fake Gmail login page doesn't trigger the warnings we are used to checking for, Capps said: the browser does not switch the padlock icon from locked to unlocked, and it does not turn the lock red, the usual sign that a website may not be safe. The reason is that nothing is being fetched from a server at all, so there is no certificate for the browser to complain about; the familiar green lock is simply absent, and an absence is easy to miss.
As with most swindles, though, there is a flaw that would alert people who are paying attention to the smallest details.
The Web address of the fake Gmail login page has additional text at the beginning, according to Wordfence, a company that provides security for WordPress websites.
The web address includes the familiar "https://accounts.google.com," making it appear legit. But that text is preceded by the prefix "data:text/html," which tells the browser that what follows is not an address to fetch but the content of the page itself, written out in the address bar. Nothing is loaded from accounts.google.com; the sign-in page was built by the attacker and opened straight from the e-mail.
“Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol,” Wordfence said in a report about the scam on its blog a few weeks ago.
Another thing that should tip you off is that you are being asked to log into your Gmail account when you already are logged in. There should be no reason for you to do that.
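The Wordfence rule can be applied mechanically. The following is an added example, not code from the article or from Wordfence: it takes an address-bar string and classifies it using the WHATWG URL parser that browsers and Node.js share, so the same function would work in a browser extension reading `location.href`. The sample addresses, including the `data:` one mimicking the scam's shape, are constructed for the example; `evil.example` is a placeholder host.

```javascript
// Added example, not from the article or from Wordfence: apply the
// "nothing before accounts.google.com except https://" rule mechanically.

const GENUINE_HOST = "accounts.google.com"; // Google's real sign-in host

function classifyAddress(address) {
  let url;
  try {
    url = new URL(address);
  } catch (e) {
    return { verdict: "suspicious", reason: "address does not parse as a URL" };
  }
  if (url.protocol === "data:") {
    // The page body is embedded in the address itself; nothing was fetched
    // from any server, so there is no host and no certificate to check.
    return { verdict: "phish", reason: "data: URI, page is embedded in the address" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: "scheme is " + url.protocol + ", not https:" };
  }
  if (url.username !== "" || url.password !== "") {
    // "https://accounts.google.com@evil.example/" puts the real host after the @
    return { verdict: "phish", reason: "user info before the host; real host is " + url.hostname };
  }
  if (url.hostname !== GENUINE_HOST) {
    // Covers lookalikes such as accounts.google.com.evil.example and
    // unrelated hosts that merely mention Google in a query parameter.
    return { verdict: "phish", reason: "host is " + url.hostname + ", not " + GENUINE_HOST };
  }
  return { verdict: "ok", reason: "https to " + GENUINE_HOST };
}

// Constructed sample address-bar strings. The data: one mimics the scam's
// shape: a real-looking URL, then a run of spaces pushing the script out of view.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
    " ".repeat(60) + "<script>/* fake sign-in form */</script>",
  "https://accounts.google.com.evil.example/ServiceLogin",
  "https://accounts.google.com@evil.example/ServiceLogin",
  "http://accounts.google.com/ServiceLogin",
  "https://evil.example/?continue=https://accounts.google.com/",
];

function classifyAll(addresses) {
  return addresses.map((a) => ({ address: a, ...classifyAddress(a) }));
}

for (const r of classifyAll(SAMPLES)) {
  console.log(r.verdict.padEnd(10), r.reason);
}
```

Only the first sample is accepted. The parser, not string matching, decides what the host is, which is why the `@` trick and the lookalike domain are caught without any special-casing.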
Google said it is aware of the issue and strengthening its defences against it.
“We help protect users from phishing attacks in a variety of ways, including machine learning-based detection of phishing messages, safe browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more,” it said in a statement.
Capps said websites that use passive biometrics technology, a service NuData Security provides, can protect their users. That technology identifies behavioural patterns, such as what type of device a user typically logs into their account from and details such as the cadence and timing with which they type in their password.
If the behaviour doesn’t match, the website can block entry, ask for additional information to verify the user or allow the log-in to proceed but monitor the activity.
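To make the three outcomes concrete, here is an added example of a toy passive-biometrics check. It is not NuData's product or code and its thresholds are assumptions for the example: a stored profile records, for each position in the password, the mean and spread of the gap between consecutive keystrokes in the user's past logins; a new attempt is scored by how far its gaps sit from that rhythm, combined with whether the device is one the user has used before. The past sessions and login attempts are constructed sample data.

```javascript
// Added example, not NuData's code: keystroke-cadence plus device check
// that blocks, steps up verification, or allows (with or without monitoring).

function buildProfile(sessions) {
  // sessions: past logins, each an array of inter-key gaps in milliseconds
  const n = sessions[0].length;
  const profile = [];
  for (let i = 0; i < n; i++) {
    const xs = sessions.map((s) => s[i]);
    const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
    const variance = xs.reduce((a, b) => a + (b - mean) ** 2, 0) / xs.length;
    // Floor the spread at 1 ms so a very consistent typist does not produce
    // absurd scores from tiny jitter.
    profile.push({ mean, std: Math.max(Math.sqrt(variance), 1) });
  }
  return profile;
}

function cadenceScore(profile, gaps) {
  // Mean absolute z-score across positions; 0 means identical to the usual rhythm.
  let total = 0;
  for (let i = 0; i < profile.length; i++) {
    total += Math.abs(gaps[i] - profile[i].mean) / profile[i].std;
  }
  return total / profile.length;
}

function decide(profile, knownDevices, attempt) {
  const score = cadenceScore(profile, attempt.gaps);
  const deviceKnown = knownDevices.includes(attempt.device);
  // Thresholds (3 and 1.5 standard deviations) are assumptions for this example.
  if (score > 3 && !deviceKnown) return { action: "block", score };
  if (score > 3 || !deviceKnown) return { action: "step_up", score };
  if (score > 1.5) return { action: "allow_and_monitor", score };
  return { action: "allow", score };
}

// Constructed history: four past logins of an eight-character password
// (seven gaps each) from the user's laptop.
const PAST_SESSIONS = [
  [120, 90, 200, 110, 95, 130, 180],
  [130, 85, 210, 100, 100, 125, 190],
  [115, 95, 195, 115, 90, 135, 175],
  [125, 88, 205, 105, 98, 128, 185],
];
const KNOWN_DEVICES = ["laptop-fp-1"];
const PROFILE = buildProfile(PAST_SESSIONS);

// Constructed attempts: the owner as usual; the owner on a new phone; the
// owner a little off their rhythm; and a thief pasting the stolen password
// (near-zero gaps) from a machine never seen before.
const ATTEMPTS = {
  owner: { device: "laptop-fp-1", gaps: [122, 92, 198, 108, 97, 131, 183] },
  ownerNewPhone: { device: "phone-fp-9", gaps: [122, 92, 198, 108, 97, 131, 183] },
  ownerTired: { device: "laptop-fp-1", gaps: [135, 80, 215, 95, 105, 120, 195] },
  thiefPasting: { device: "unknown-fp-7", gaps: [5, 5, 5, 5, 5, 5, 5] },
};

function decideAll() {
  const out = {};
  for (const [name, attempt] of Object.entries(ATTEMPTS)) {
    out[name] = decide(PROFILE, KNOWN_DEVICES, attempt).action;
  }
  return out;
}

console.log(decideAll());
```

The pasted password is the telling case: the credentials are correct, yet the rhythm is nothing like a human typing them and the device is new, so the login is blocked without the site ever needing to know that the password was stolen.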
This scheme emphasises why it’s important to keep your e-mail accounts secure. Remember, the scam starts with some slimeball getting access to a single Gmail account that is exploited to get access to others.
If you don’t consider the security of your e-mail account to be as important as the security of your other accounts, such as your financial ones, think again.
“It’s a gateway to the rest of their accounts,” Capps said.
The initial e-mail account that is exploited could be accessed any number of ways, including other phishing scams or from information stolen in a data breach.
Don't use the same combination of user name and password on multiple accounts, and change an e-mail password promptly if you have any reason to think it has been exposed. If one combination gets stolen, clever criminals will try it on other websites, too. I slipped up a few years ago and that probably is what led to my PayPal account being hijacked.
Google said users also can activate two-step verification to increase account protection. In that process, users must enter a one-time code that's sent to them by text message or phone call, in addition to their password, to log in. Codes generated by an authenticator app, or a hardware security key, are harder for a thief to intercept than a text message, and Google supports both.