Recent developments in the cyber-crime domain have indicated that not even well-established industry players are immune from cyber-attacks.
Internet security researchers have detected a new phishing campaign that has been targeting Google account users in the past few weeks.
The on-going campaign has warranted media attention due to its exceptional effectiveness.
The phishing attack is mostly targeting Gmail users and has been highly successful in managing to compromise the accounts of experienced computer users.
However, reports indicate that the notorious strategy is being used to target other similar services.
According to a report by WordFence, the phishing attack is implemented in two stages.
The primary attack involves the hackers sending an email containing a screenshot image of a PDF attachment to an unsuspecting victim’s Gmail account.
Once the victim clicks on the image, they are redirected to a new tab where they are prompted to sign into Gmail a second time.
This false sign-in page is fully functional complete with an accounts.google.com subdomain name.
The hackers have employed a phishing technique that involves placing a file in the browser location bar. According to the CEO of WordFence, Mark Maunder, this is made possible using data in the Uniform Resource Identifier (URI) to produce the false Gmail login page, giving the victim a false sense of security.
The victim’s account is compromised once they sign-in on this page. At this point, the victim’s credentials are sent to the hackers.
Once the primary phishing attack has been successfully executed, it paves the way for secondary attacks, which are now made easier due to the stolen credentials.
The hackers having gained access to a compromised user’s account, then, carry out the secondary phishing attacks on entries in the user’s contact list – this is one of the main reasons why this new campaign has been so effective, as computer users are not likely to suspect an email sent from an individual they already know.
The hackers use actual attachment screenshot images and subject lines from the compromised accounts to bait the other users on the contact list.
Due to the speed of the whole process, internet security experts suspect that this phishing campaign be an automated process.
The possibility of an organized troupe of hackers processing compromised accounts has also been considered as a possibility.
It is important for Gmail users to note that other services on their computers can also be compromised once the hackers obtain control of their passwords.
The attackers can simply use the password reset service, including secondary email accounts, Software as a Service (SaaS) cloud computing, and several other services.
Users can protect themselves from these kinds of phishing attacks easily once they have the right information.
Researchers have urged users to be very observant of the browser location bar and check the URL carefully.
The URL used in this phishing campaign contains the protocol “data: text/HTML” before the Google accounts subdomain name on the far left end of the browser location bar.
If a URL bears any protocol other than “https: //” before the hostname, this should be a red flag.
Looking out for the lock icon next to the browser location bar has also been suggested. However, this method is not infallible as hackers can host their phishing pages on SSL-secured servers.
Users can also protect themselves by activating the two-factor authentication feature offered by Gmail and other services, preventing hackers who utilize phishing techniques from accessing users’ accounts even when they manage to obtain their passwords.
At the moment, there is no conclusive way for Gmail users to determine if their accounts have been compromised through this phishing campaign.
However, active sessions running from unknown locations are a good indicator.
The users who suspect that they have fallen victim to this phishing attack are advised to change their Gmail passwords immediately.
They can then terminate any active sessions from untrusted sources in Gmail’s account activity page.