Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited

Update on February 24th: Chrome has resolved this issue to my satisfaction. Earlier this month they released Chrome 56.0.2924 which changes the location bar behavior. If you now view a data URL, the location bar shows a “Not Secure” message which should help users realize that they should not trust forms presented to them via a data URL. It will help prevent this specific phishing technique.

Update at 11:30pm on Tuesday January 17th: I have received an official statement from Google regarding this issue. You can find the full update at the end of this post.

As you know, at Wordfence we occasionally send out alerts about security issues outside of the WordPress universe that are urgent and have a wide impact on our customers and readers. Unfortunately this is one of those alerts. There is a highly effective phishing technique stealing login credentials that is having a wide impact, even on experienced technical users.

I have written this post to be as easy to read and understand as possible. I deliberately left out technical details and focused on what you need to know to protect yourself against this phishing attack and other attacks like it in the hope of getting the word out, particularly among less technical users. Please share this once you have read it to help create awareness and protect the community.

The Phishing Attack: What you need to know

A new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this.

This attack is currently being used to target Gmail customers and is also targeting other services.

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there. It looks like this….

You go ahead and sign in on a fully functional sign-in page that looks like this:

[Image: Gmail data URI phishing sign-in page]

Once you complete sign-in, your account has been compromised. A commenter on Hacker News describes in clear terms what they experienced over the holiday break once they signed in to the fake page:

The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.

For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.

The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised.

Once they have access to your account, the attacker also has full access to all of your email, sent and received, and may download the whole lot.

Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.

What I have described above is a phishing attack that is used to steal usernames and passwords on Gmail. It is being used right now with a high success rate. However, this technique can be used to steal credentials from many other platforms with many variations in the basic technique.

How to protect yourself against this phishing attack

You have always been told: “Check the location bar in your browser to make sure you are on the correct website before signing in. That will avoid phishing attacks that steal your username and password.”

In the attack above, you did exactly that and saw ‘accounts.google.com‘ in the location bar, so you went ahead and signed in.

To protect yourself against this you need to change what you are checking in the location bar.

This phishing technique uses something called a ‘data URI’ to put a complete file into the browser location bar. Nothing is fetched from any server: the page content is carried inside the URL itself. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text. If you widen out the location bar it looks like this:

[Image: Gmail phishing data URI showing the script at the far right of the location bar]

There is a lot of whitespace which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker.

As you can see on the far left of the browser location bar, instead of ‘https’ you have ‘data:text/html,’ followed by the usual ‘https://accounts.google.com….’. That ‘https://accounts.google.com’ is not an address at all; it is simply the first few bytes of the embedded page, chosen by the attacker because it is what you expect to see. If you aren’t paying close attention you will ignore the ‘data:text/html’ preamble and assume the URL is safe.

You are probably thinking you’re too smart to fall for this. It turns out that this attack has caught, or almost caught, several technical users who have tweeted, blogged or commented about it. There is a specific reason why it is so effective, and it has to do with human perception. I describe that in the section on Google’s response below.

How to protect yourself

When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. It should look like this in Chrome when signing into Gmail or Google:

[Image: Chrome location bar showing the lock symbol and https://accounts.google.com when signing in to Gmail]

Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.
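The two-step check above (verify the protocol, then verify the hostname), applied with a URL parser instead of the naked eye, and compared with the glance at the bar that the data URL defeats. This is an added example written for this edit, not code from the post or from Google. It assumes Node.js or any browser with the WHATWG URL API; the decoy string, the expected host name and the function names are the example’s own, and the decoy’s form is an inert placeholder, not a working credential stealer:

```javascript
// Added example (editor's illustration, not code from the post or from Google):
// apply "verify the protocol, then verify the hostname" with the WHATWG URL parser
// and contrast it with the glance-at-the-bar check that a data: URL defeats.

const EXPECTED_HOST = "accounts.google.com"; // the only host we accept for Google sign-in

// A location string shaped like the one the post describes: "data:text/html," followed
// by the text of a real-looking Google URL, a long run of whitespace that pushes the
// payload out of view, and then the HTML of the page itself. Constructed for this
// example; the form is an inert placeholder.
const decoyLocation =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
  " ".repeat(300) +
  "<form><input name=Email><input name=Passwd type=password></form>";

// The check most people actually perform: does the trusted hostname appear somewhere
// in the bar? It says yes for the decoy, which is exactly why the decoy works.
function glanceCheck(locationString) {
  return locationString.includes(EXPECTED_HOST);
}

// The check the post recommends, done properly: parse the URL, look at the scheme
// first, then require the hostname to be exactly the expected one. A substring match
// would also accept "accounts.google.com.evil.example" or a data: URL that merely
// mentions the host in its content.
function classifyLocation(locationString) {
  let url;
  try {
    url = new URL(locationString);
  } catch (err) {
    return { verdict: "unparseable", reason: err.message };
  }
  // data:, blob: and javascript: documents are not served by any host; the parser
  // gives them an empty hostname, so the text after the scheme is page content only.
  if (url.protocol === "data:" || url.protocol === "blob:" || url.protocol === "javascript:") {
    return {
      verdict: "untrusted-scheme",
      reason: `scheme ${url.protocol} has no origin host (hostname is "${url.hostname}")`,
    };
  }
  if (url.protocol !== "https:") {
    return { verdict: "not-https", reason: `scheme is ${url.protocol}` };
  }
  if (url.hostname !== EXPECTED_HOST) {
    return { verdict: "wrong-host", reason: `hostname is ${url.hostname}` };
  }
  return { verdict: "ok", reason: `https to ${url.hostname}` };
}

// What a narrow location bar shows of a URL: roughly its first N characters, which is
// all a glance takes in. For the decoy, that window is where "accounts.google.com" sits.
function visibleInBar(locationString, width = 60) {
  return locationString.slice(0, width);
}

// Stand-alone run: one genuine URL, the decoy, and a lookalike host.
for (const loc of [
  "https://accounts.google.com/ServiceLogin?service=mail",
  decoyLocation,
  "https://accounts.google.com.evil.example/ServiceLogin",
]) {
  console.log(
    JSON.stringify(visibleInBar(loc)),
    "glance:", glanceCheck(loc),
    "parsed:", classifyLocation(loc).verdict
  );
}
```

The order of the checks matters: the scheme is tested before the hostname because for a data: URL the parser returns an empty hostname and a hostname comparison alone would only tell you that something is wrong, not what. The exact-match rule on the host also rejects the lookalike domains raised in the comments, which a padlock alone does not.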

Enable two-factor authentication if it is available on every service that you use. GMail calls this “2-step verification” and you can find out how to enable it on this page.

Enabling two-factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion that indicates even two-factor authentication may not protect against this attack. However I have not seen a proof of concept, so I can not confirm this.

Why Google won’t fix this and what they should do

Google’s response to a customer asking about this was as follows:

“The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin are the users currently visiting. If the users pay no attention to the address bar, phishing and spoofing attack are – obviously – trivial. Unfortunately that’s how the web works, and any fix that would to try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have a phishing on any http[s] page just as well.”

This is likely a junior person within the organization based on the grammatical errors. I disagree with this response for a few reasons:

Google have modified the behavior of the address bar in the past to show a green protocol color when a page is using HTTPS and a lock icon to indicate it is secure.

[Image: Chrome location bar showing the green https protocol and lock icon]

They also use a different way of displaying the protocol when a page is insecure, marking it red with a line through it:

During this attack, a user sees neither green nor red. They see ordinary black text:

That is why this attack is so effective. In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected. [Read more: Gestalt principles of human perception and ‘uniform connectedness’ and Content Blindspots]

In this case the ‘data:text/html’ and the trusted hostname are the same color. That suggests to our perception that they’re related and the ‘data:text/html’ part either doesn’t matter or can be trusted.

What Google needs to do in this case is change the way ‘data:text/html’ is displayed in the browser. There may be scenarios where this is safe, so they could use an amber color with a unique icon. That would alert our perception to a difference and we would examine it more closely.

Update: How to check if your account is already compromised

I’ve had two requests in the comments about this so I’m adding this section now. (at 9:39am Pacific time, 12:39pm EST).

There is no sure way to check if your account has been compromised. If in doubt, change your password immediately. Changing your password every few months is good practice in general.

If you use GMail, you can check your login activity to find out if someone else is signing into your account. Visit https://support.google.com/mail/answer/45938?hl=en for info. To use this feature, scroll to the bottom of your inbox and click “Details” (very small in the far lower right hand corner of the screen). This will show you all currently active sessions as well as your recent login history. If you see active logins from unknown sources, you can force close them. If you see any logins in your history from places you don’t know, you may have been hacked. [Thanks Ken, I pasted your comment in here almost verbatim. Very helpful.]

There is a trustworthy site run by Troy Hunt, a well-known security researcher, where you can check if any of your email accounts have been part of a data leak. Troy’s site is https://haveibeenpwned.com/ and it is well known in security circles. Simply enter your email address and hit the button.

Troy aggregates data leaks into a database and gives you a way to look up your own email in that database to see if you have been part of a data breach. He also does a good job of actually verifying the data breaches he is sent.

Spread the word

I’ll be sharing this on Facebook to create awareness among my own family and friends. This attack is incredibly effective at fooling even technical users for the reasons I have explained above. I have the sense that most ordinary users will be easy pickings. Please share this with the community to help create awareness and prevent this from having a wider impact.

Mark Maunder – Wordfence Founder/CEO – @mmaunder

Update: Official Statement from Google

This is an update at 11:30pm PST on Tuesday the 17th of January 2017. I was contacted by Aaron Stein from Google Communications. He has provided the following official statement from Google:

We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.

I asked Aaron two follow-up questions:

Chrome 56 will include the text “Not secure” in the location bar on plain HTTP pages that contain a password field or credit card input field. This is a fine example of a visual indication in the location bar that helps secure users. Is the Chrome dev team considering some visual indication in the browser location bar for data URIs? That would help defeat this attack because, currently, there is no visual indication of anything awry when viewing a phishing data URI. It’s worth noting that the Safe Browsing system is currently unable to detect malicious data URIs because it is geared for traditional hostname-path URLs.

Second question: Emails that contain malicious data URIs are the attack vector in this case. Is the GMail team considering any additional filtering or alerting related to data URIs in links or attachments in the GMail web application?

I think any guidance you can provide on the above two questions will go a long way to put Chrome and GMail user’s minds at ease.

He responded with:

I can’t speak to things that aren’t out yet, but *please* watch this space. Should have more to share soon

My thoughts on this response:

I think this is a perfectly acceptable response from Google. To be clear, there are several teams within the Google organization that this affects:

The Google Chrome browser team would implement any change in the location bar behavior when viewing a phishing data URI. The GMail team would implement filtering and alerting within the GMail application when an email carrying a data URI link is received along with other phishing markers. The Google Safe Browsing team may add support for malicious data URIs in the GSB API and make that available to the Chrome browser team.

There may be other parts of the Google organization that this touches, including operations.

Asking Aaron to provide early guidance on how Google will mitigate this when it affects so many teams was a big ask, but I would be remiss if I didn’t hit him with a couple of follow-up questions. The good news is that Google is aware of the issue and we have an official statement that indicates there will be something forthcoming in future releases of Chrome, GMail and possibly other products that can help mitigate this.
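The mail-side filtering mentioned above, as an added example (an editor’s illustration of the idea, not Gmail’s code and not code from the post): scan the HTML body of a message for links whose target is a data: or javascript: URL, and note when such a link wraps an image, the shape of the fake attachment thumbnail the post describes. The sample message body, the scheme list, the entity and whitespace normalisation and the function names are all this example’s own assumptions; it runs under Node.js with no dependencies:

```javascript
// Added example (editor's illustration, not Gmail's filter): find anchors in an HTML
// mail body whose href scheme is data: or javascript:, the kind of link used by the
// attack described in the post.

const BLOCKED_SCHEMES = new Set(["data", "javascript", "vbscript"]);

// Undo two tricks a filter has to expect before reading the scheme: numeric HTML
// entities (e.g. "&#100;ata:" for "data:") and embedded tabs or newlines, which the
// WHATWG URL parser strips before parsing, so "da\nta:" still navigates to a data: URL.
// Only numeric entities and &amp; are decoded here; a real filter decodes the full set.
function normalizeHref(raw) {
  return raw
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)))
    .replace(/&amp;/gi, "&")
    .replace(/[\t\n\r]/g, "")
    .trim();
}

// Scheme of an absolute URL in lower case, or null for relative references.
function schemeOf(href) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// One finding per suspicious anchor. This is a simplified tag scanner for the example;
// a production filter would walk a parsed DOM rather than use a regular expression.
function findSuspiciousLinks(html) {
  const findings = [];
  const anchorRe =
    /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = normalizeHref(m[1] ?? m[2] ?? m[3] ?? "");
    const scheme = schemeOf(href);
    if (scheme === null || !BLOCKED_SCHEMES.has(scheme)) continue;
    findings.push({
      scheme,
      wrapsImage: /<img\b/i.test(m[4]), // an image inside the link: attachment-thumbnail lure
      preview: href.slice(0, 48),
    });
  }
  return findings;
}

// Constructed sample message body (not a real captured mail): a thumbnail image that
// links to a data: URL whose content starts with a legitimate-looking Google address,
// one genuine https link, and one data: link hidden behind a numeric entity.
const sampleBody = `
<p>Hi, here is the practice schedule again.</p>
<a href="data:text/html,https://accounts.google.com/ServiceLogin${" ".repeat(40)}&lt;form&gt;...">
  <img src="cid:schedule-thumb" alt="schedule.pdf"></a>
<a href="https://drive.google.com/file/d/abc">Open in Drive</a>
<a href="&#100;ata:text/html,&lt;script&gt;">obfuscated</a>
`;

// Stand-alone run: prints two findings, the first of which wraps an image.
console.log(findSuspiciousLinks(sampleBody));
```

The `wrapsImage` flag is the useful signal for this campaign: a data: link on its own might be a benign inline resource, but an image that navigates the top-level document to a data: URL is precisely the fake attachment preview the post describes, and is worth a warning even when the rest of the message looks clean.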


Comments

172 Comments
  • What about other browsers besides Chrome?

    • This does affect other browsers too. I've seen it demonstrated in Firefox and it probably affects others. So in all cases, check the protocol and then the hostname in the browser when signing into a website.

      Mark.

      • What about "auto sign-in"?

    • As always, phishing is not a browser problem, it's a human problem.
      I make a habit of checking for https:// and the lock symbol before supplying a password.

      • Agree!

      • There is no patch for human stupidity. Sadly.

        • Oh, for God's sake. Not knowing all of the complex intricacies of web technology is not "stupidity". Not everyone is a developer. We need to be looking for ways to make the web safer and more intuitive for users of all skill levels, not acting like less sophisticated users deserve to be scammed because "they should have known about data URIs".

          • Companies cannot dummy proof everything; if you are not self-aware of things like this then you deserve to get your information stolen. It's the same way with your home security: if you don't notice that it's active or you do not activate it, then you will get robbed. Everyone nowadays is too lazy to do things.

          • On many of the browsers for phones/tablets there is not even an address bar. (to save screen space?) So this technique works even better. As I tell my students. "You can't be too paranoid." ;)

      • That's not sufficient. A trusted certificate does not make any guarantees about the contents of the site. Many phishing sites have started using HTTPS.

        A good solution is to use a password manager with auto-fill (that's pinned to the actual login URL of a service). Two-factor authentication via U2F tokens would prevent phishing as well. Of course, checking the domain works too, but that's easy to mess up.

  • Thanks! I was previously unaware of this and could easily have been compromised. Hopefully I have been made aware in time.

  • And how do I explain this to my mom??!! Great post, I believe is a good security practice to read Wordfence blog!

    • Ha, I was thinking this too - how to explain to my father and stepmother?! I don't think it can be done...

      • It's easy, tell them they should always see the LOCK symbol on the left and then at the very start of the URL https:// followed by the domain name of the service they are logging in to.

        Supply them with a few screenshots for Gmail, Hotmail and so on if you have to.

        • The lock symbol isn't a sign that you're connecting securely with your intended site. It is simply a sign that your communications between yourself and whoever you're talking to are secure.

          If I buy mail.g00gle.co.uk (two zeros) and buy a nice SSL certificate for that domain and redirect you to a copy of the gmail login page that I've nicked from them then simply relying on a nice little padlock in the browser address bar isn't enough because the connection between you and mail.g00gle.co.uk will be encrypted legitimately, and (especially to someone with poor eyesight, perhaps?) you're not going to easily tell the difference between mail.google.co.uk and mail.g00gle.co.uk at a quick glance.

          • Thanks... I thought I was the only one thinking about that

      • There's an even easier way to explain it. If they click on a button, link, or attachment in an e-mail and then are asked to login again, this is a BIG RED FLAG. They are already logged into their Gmail, so they should not be asked to login again.

        • That's an excellent point Michelle, although I wonder if the average user will realize that a prompt to relogin to your gmail is indeed a red flag? Its scary what people can do with all that hacking ability!

          • Google actually sometimes will ask you to sign in again when accessing other areas of its platform, such as account settings etc

      • You can also enable 2-step verification for them (moms, dads, grandparents, children). They only need to enter the phone confirmation once in every new device they start using.

        *If they use just one device - easy - you can do the activation for them.

        *If they use more than a few different devices, they will be able to understand how to do it themselves anyway.

        • 2-factor authentication is critical, but it will not prevent me from falling for a phishing site. Yes, it will prevent an attacker from gaining access to my mail account. But if I use my password elsewhere, they still have my credentials to try using at other sites.

          A password storage app like 1Password makes it easy to keep separate passwords for every site, so getting access to one site limits the damage to that site.

          And the best answers to those "security questions" used as an alternative to 2-factor are made-up! It's far too easy to find your real mother's maiden name, schools, old addresses, etc.

    • Using an easy to use App for Gmail 'might' be an alternative.

      I say might because I'm no web security guru.
      It looks like this is done on a browser level where the address is not the real Gmail address, using an App, I guess would avoid this.

      • I fell for this the other day...am I screwed now? I did change my password. Is there anything else I can do?

    • I would suggest telling them never, NEVER enter passwords without seeing the green lock and https:// immediately followed by the domain name that's expected. Most of us, young and old, too, should be able to handle looking for the green lock. It's the ounce of prevention.

      • If you change your password, Google automatically expires all authentication tokens for all apps that have access. This means that all apps need to ask for your permission again before they have access to your data, so your Google account would be safe again. If the attackers gained access to other services by resetting your password then changing your Google password would not have any effect, so it's probably a good idea to change all your passwords.

    • How do I explain it to my KIDS?

      • I bet your kids already know. If not, they are probably too young and shouldn't log in anywhere anyway (at least not without supervision).

      • You can enable 2-step verification for them. They only need to enter the phone confirmation once in every new device they start using.

        *If they use just one device - easy - you can do the activation for them.

        *If they use more than a few different devices, they will be able to understand how to do it themselves anyway.

    • You could just simply show them the pictures, and put a red rectangle around the bad url bar, and a green one around the good one.

  • Wow thx! good work! (again ;)

  • I suspect the answer was vague and unhelpful because it was made by Google mail help staff.
    Google mail support cannot change the way the browser address bar responds to secure and insecure URLs.
    Other parts of the google group that support Chrome might be interested in implementing these features on Chrome and they could also probably influence other browser suppliers (directly or indirectly) to implement similar features on their browsers.

  • Why would a 'technical user' not be using 2 factor???

    • Because for my private use of services that do not involve money it's too much of a hassle. Besides, I'm confident in my ability to recognize a phishing attempt however good it is, as long as the browser shows me all I need to know in the address bar (lock, protocol, domain).

      • "Too much of a hassle?"

        Your email is the single point of failure for all other accounts - if your email is compromised then an attacker can trivially gain access to (and remove your access from) any other account associated with that email address.

        I can appreciate that 2FA/2SV may be a hassle for other services but your email really is worth the (minimal) effort of protecting.

    • You got it. 2 way authentication would be the first thing I thought the article would say to prevent this. And nowadays 2 way Auth isn't just for the tech savvy people.

    • Well, that'll keep them from accessing your email, but it does result in them having a username/password for your email account. Hopefully it's not repeated on other sites, but you know... These things can happen.

    • Everybody should be using two-factor auth, and not via SMS but via a smartphone app.

    • I would consider myself a technical user that does not use 2factor.
      Short answer: Privacy

      I have several gmail accounts that are only accessed through different SSH proxies (i.e. each account is correlated by google to only a single IP)

      My phone number is only tied to a single account which I use on my phone. I connect to that account through the same proxy every time. My other accounts I connect to on other proxies. The reason for this is so that Google cannot correlate the different accounts as all belonging to the same user.

      I won't dive into any further details, but the point is privacy.

  • I think, generally people do not pay such in-depth attention to the address bar, hence these hackers have become so effective.

    We need to be very careful in future to avoid such headaches later.

  • Thank you for the article. Very helpful.

  • Thank you so much! It's really important. Thank you once again!

  • I would love a browser setting to only allow forms to be filled in on https sites with real certificates.

    • Seems like an obvious feature now that I've read your comment. Hopefully, the right people pay attention to you.

  • I just wanted to leave this comment of appreciation for your service. Although right now I'm not financially able to upgrade to the full version of your plugin I do see the value of your services. I'm not real technical savvy I do read your alerts and post which helps me understand some things. Keep up the great work.

    Donna Perry
    Linktobeauty.com

  • Thanks Mark! I'd like to say this wouldn't fool me, but if I was distracted... it potentially might!

  • Thanks for sharing this detailed update, this is very helpful!

  • This is very similar to how eBay phishing campaigns work. For example: you receive an official looking inquiry on an existing (note: public) auction you are running, and click the "Respond Now" button. The combination of recent and familiar data with the official look is tricky. This is a great reason to never click links in emails out of convenience. Just navigate to the website or service manually on your own (i.e., go to Gmail.com yourself, then sign in). For many, that's a hard habit to break.

    • Where the "don't click on links in email" breaks down is when you click on what appears to be an email attachment for a recognized image or file from a trusted source. This isn't just an obvious "Click here to log into your bank account". You are expecting to see the file, and instead, get a "Please log in to your account again." (something which happens quite often if you are regularly logged into management interfaces for cloud services).

  • Thanks so much for the heads up on this. This is a clever phish, I could see myself falling for this. Not now though. 2FA just enabled. Thanks again.

  • Great post! Thanks for that! How can I know if my account has been hacked? Do you know how to check that?

    • Yes, go to https://haveibeenpwned.com/ and enter your email addresses to check them. Don't be surprised if you were hacked in a data breach at some point. Just make sure you have changed all passwords since then and enabled two-factor.

      The site is run by Troy Hunt who is a reputable security analyst, so don't worry about entering in your email. It's a trustworthy site.

      Mark.

      • Thanks!!

        • I get an invalid cert warning when trying to access https://haveibeenpwned.com/ - is that a real problem or just incredibly ironic?

          • Works for me. It's a valid EV cert. Are you on public wifi?

  • Google now has at least three ways to authenticate: the Google Authenticator app, the Google app on your phone, and text messages. Do you have an opinion about which method would be most secure?

  • It doesn't seem unreasonable to not allow javascript in the address bar....

    why is that ok? and yes, that is Google's choice.

  • Great info. Your team is always on top of these things, and I appreciate it! Is there a way to check and see if the account has already been compromised other than checking sent emails? And is changing the password enough of a fix if you find you have been hacked? Thanks again for your awesome service!

    • I've updated the post with some info on how to check your account.

      • Any possibility of having the Javascript code. I would like to see what it does.

  • I've shared this post immediately. Thanks.

  • Bravo Zulu, Mark! I am a google/gmail user and have seen this issue before. Given how many services, such as CBS as an example, are using gmail credentials as a login/verification for their services, I would think that Google would devote significant attention to this attack method that targets their customers. The fact that Google is turning the cheek, so to speak, seriously bothers me. It should also bother CBS and the many others who allow users to create their account using Google credentials. I used CBS as an example here because I have a CBS All Access account that I pay for each month, and I log into it using Google, thus I am very familiar with the service.

    I would also point out, while it is true that I seldom voice my opinions on such matters publicly, this article is very well written. You cover the danger, the method, and the flaws not just in how Google is handling this but also in human nature which allows these exploits to succeed. Your suggested solution is still based upon humans learning what to watch for, even if it is an amber warning and icon that should grab their attention, but it seems that these days many people have become lazy or in a hurry, thus opening the door for exploits such as this one. I forget now who said it, but to quote them anyway: "A shield does you no good if it is hanging on the wall when the arrow strikes your heart."

    I would also point out that Google does have some limited protection for those who use features like the bar code verification and a registered smart phone.

    • JamesMac, I sense a fellow Navy person, using "Bravo Zulu" (Well Done). Cheers, Peter

  • Nice post we are deeply grateful

  • Thank you for this post!

    I understand Chrome should highlight when the URL contains "data:text/html", but isn't there a bigger problem on the Gmail side if the preview of the attachments allows opening such a link?

    Or is it a thumbnail in the body of the email?

    Either way, Gmail should block this type of link, isn't it?

  • I thought this part was particularly clever: "something that looks like an image of an attachment you recognize from the sender". This is something I don't think would catch me on a good day (since real gmail attachment previews have some onHover features), but when you're tired or rushed... easy mistake to make. And I think one of the original Hacker News posts mentions that the only reason he noticed something was phishy (:D) was because that image was sliiightly fuzzy on his high-DPI monitor.

    Nasty stuff; thanks for helping to spread the word!

  • Thank Mark,
    I was attacked by a similar mechanism. One contact who has had financial dealings with me sent me a PDF attachment. When I clicked the attachment, I was asked to enter my Gmail password to unlock it. But I reasoned that no one has the right to ask me to use my Gmail password to unlock some file. I took another look at the email address the sender used and it was that of the acquaintance. I had to arrive at the conclusion that the guy's email had been compromised.
    Something similar to what you described has also happened earlier. But in this case the sender is not known to me. So, I refused to log in when the log in page was presented, upon clicking the attachment the scammer sent me. I almost fell prey to it.

    • Thanks for sharing. Glad you didn't fall for it. Send us screenshots if you have any.

  • Won't the Gmail user get an email from Gmail alerting that there has been a login from a new browser? Or do the hackers have a workaround for that?

    • If the compromised account is being monitored, then the hackers can simply delete the alert before you have a chance to see it. (Or, maybe they can turn off the alerts in settings.) This would only warn you if you had a separate email account enabled for alerts.

    • Make a bookmark in your browser and ONLY USE IT for connecting to GMAIL. That way you will ALWAYS avoid a redirect by some trick or "hidden" URL in an email.

  • I can post my username and password on every bill board worldwide, I can even give it to you, unless you have my phone you won't get anywhere. This is not really a big issue and Gmail knows that.

    GET 2 FACTOR SIGN IN and go to sleep every night like a baby.

    I have 2 factor sign in for Gmail & Hotmail and never had an issue, hackers would have to come to my country steal my phone and go back and try, when I try to sign in from an unknown computer 2 factor sign in kicks in, sure it takes a few seconds longer but at least I'm safe.

  • One thing you can do (in Gmail in a browser) to see if you've been hacked is to check your login activity. Visit https://support.google.com/mail/answer/45938?hl=en for info ... it's basically scroll to the bottom of your inbox and click "Details" (very small in the far lower right hand corner of the screen). This will show you all currently active sessions as well as your recent login history. If you see active logins from unknown sources, you can force close them. If you see any logins in your history from places you don't know, you may have been hacked.

    • Thanks Ken. I used your comment to update the post almost verbatim. Very much appreciated.

      Mark.

    • Thank you for this info. Checking my recent activity in Gmail only seems to go back to a few hours. Do you know if / where we can see more of the history?

  • Thanks for the informative post,

    I should add; One of the best ways to protect yourself against this attack is to add 2-factor authentication to your account, and use Google Authenticator application with your phone.

    You can find more information here https://www.google.com/landing/2step/

    This will almost guarantee your safety, since a new login from a new browser will trigger 2-factor process (they will not have your cookie), resulting in your password being useless.

    Regards
    Stuart

  • Several versions ago Safari started doing this "helpful" little thing of not showing the full URL of whatever site you're on in the address bar. I can think of NO advantage to it and as this article points out there are severe disadvantages. If you use Safari, go to Preferences > Advanced and click "Show full address."

    • Unfortunately, in their "wisdom" Apple have removed this option in Safari for iPads. This is certainly the case for iOS 9 upwards.

  • Thank you for this information.

  • I was able to reproduce the URL aspect of the hack easily enough, but when I added the hack code to a link in an email and sent it from server-side code via PHP, Gmail stripped the link from the email.

    All other links were left unchanged.

    I tried several escape combinations but Gmail either removed the link or re-wrote the URL appending the sender domain, which broke the hack.

    The source code was correct, so the code wasn't modified by my SMTP during the send, so it must have been Gmail that stripped the hacked code.

    • There's no requirement that the hackers or victims use Gmail, so Google's protection in this regard might not be implemented by other email providers.

  • I'm curious how this type of email would appear in an email client such as Outlook, rather than on the web? Will it get through as a legitimate email?

    Thanks for the post.

  • Thanks Mark for another great post. Shared on my Fanpage.
    All best,
    Paul

  • I've read about this a while ago, but hadn't thought it was "in the wild".

    I'll translate the easiest to understand (least technical, most to-the-point) parts of this article to Dutch and place it on my Facebook tomorrow to warn my less technically inclined friends and family.

    • Thanks Roland. Post the link here when you have done that.

  • If you are using a password manager like LastPass, would it fail to enter your username/password if it was a specious URL?

    • If you copy and paste the password you will still be caught by this. If you are using a browser plugin then it may behave differently.

      Mark.

  • Great info. I surely will keep my eyes open for this.

  • Thanks so much for keeping us apprised of these sorts of things, Mark. I've passed the link to this article along to the head of security of my current client's company, and shared it on FB.

  • So I put all my email addresses into haveibeenpwned.

    One of them came back with this message:

    "Oh no — pwned!
    Pwned on 1 breached site and found no pastes (subscribe to search sensitive breaches)"

    How do I figure that out and what do I do? Does that mean they have access to everything now? How do I know how long ago that happened?

    • Paula, you should consider:

      1. How central to your online presence is the account for that breached site? If it were your main email account, for example, that's rather crucial and has great potential for harm. But an account that was merely established to gain access to something and stored very little personal / sensitive information would be of less concern.

      2. Did you use the password for the breached login with any other site logins? Re-using passwords is a bad habit of many internet users, and can be stopped by simply using a password manager to create and store long, unique passwords for every login you have. Be sure to change the password (and any other authentication measures like security questions, recovery codes, etc.) for the breached site as well as any sites for which you used the same password.

      Your answers to those two questions I've asked correlate to your question "does that mean they have access to everything now?" It's unlikely unless a critical account was breached or you tend to use the same password or just a few passwords across all your online accounts.

      To answer your question about time of breach, you can probably simply Google "[name of breached service] breach" to find articles about it. Many high-profile breaches will be mentioned by several websites and reading such material may give you a clearer picture of when it may have occurred.

  • Only works on single layer security accounts. If you sign in using cell phone verification, this should stop this from happening.

  • May we use some of your images in our own blog? We will provide a credit and link to this article.

    • Sure.

  • Haven't seen anything unusual lately. I usually don't log out after I check my emails so I don't know if this keeps out access by others.

  • Any idea if this same technique works on company emails using google for business?

    • Yes it does.

  • Just one more recommendation for the site https://haveibeenpwned.com/
    It's a good reputable site. Don't be surprised if your email shows up on the list. Be sure to change your password for the site listed and set up 2 factor authentication, at least for a while to make sure they aren't getting back in.

    • HIBP is a great tool but is only useful in instances where leaked/compromised information has been published, vetted, verified and uploaded.

      For this reason it's only really useful for large data breaches against organisations, not phishing attacks on users (where attackers will generally keep compromised details to themselves).

  • WOW! My website tech just sent this. Scary! Thanks for the info.

  • Anything mentioned before the http(s) part of any URL should be an alert that the page you're about to view may not be valid/verified. In addition - if you've received an email in your Gmail account, then you're already signed in - so to click on a link that requires you to sign in again should be another red flag that something's not right. It all seems innocent and we can easily get caught up in the process - but small precautionary actions like looking at the URL can be the difference between safe browsing and getting hacked. On the flip side - if your account is compromised, it is imperative to change your login details (primarily passwords.) Also, if you think it's appropriate - perhaps share on your social channels that your account has been compromised and that your contacts should ignore messages from your account for the next little while (or something to that effect.)

    • This advice is all well and good in hindsight, but:

      1) "Logging in again" under certain circumstances is a common privacy/security feature on many services.
      2) The fact that it doesn't target an external website but the website you're *already on* means that the cue to check the validity of the link (which is usually being redirected to an external site) is removed.

      This attack is particularly malicious because it acknowledges the behavioural habits of even vigilant and security-savvy folks and finds a crack in them.

  • Hi Mark,

    nice article which I'll share with my readers. It also reminds me of a post SANS.ORG did this week about realtors being targeted. It too had a page where people logged in. More details here:

    https://isc.sans.edu/forums/diary/Realtors+Be+Aware+You+Are+a+Target/21911/

  • I know it's not your site, but what can I do with an email address that is being reported as having been pwned on https://haveibeenpwned.com/, start using a new one? If I have changed my password, and am not particularly disturbed by the increased number of spam, am I ok (well, I don't love it, but what can I do...?). Also, what can hackers do with usernames other than having it as one less thing to guess?

    • I have the same question Ben does. I've never re-signed into any accounts but two of my three accounts (not gmail, ironically) have been pwned.

  • The security on Gmail is so friggin' secure that I have found myself locked out of my own primary account with no possible way to get back in because Google tells me they can't verify my identity. I had to set up an alternate identity with an alternate persona and now you're telling me that may have been hacked? Go hackers! Moira LaPorte wishes you all the best of luck figuring out who what when where and how anybody is on the system I am using now. If you do figure it out, please let me know.

  • A good reason to never leave email on a server. Use an email client like Thunderbird to connect to mail server, POP access, and download all mail to it, and have it checked to "NOT LEAVE MAIL ON SERVER". If IMAP access is the only part allowed, download entire messages and not just headers in thunderbird, "MOVE TO" another account you create in Thunderbird only, then on the IMAP account delete all messages in the Trash, go to Trash & immediately delete them. This will cause them all to be moved and deleted on the webserver too.

    Safer is buy a domain name, most come with a free email account you set up on them. These hackers don't much go for individual smalltime domain names, but the large ones from yahoo, gmail, aol, etc.

  • Great post again
    I'm always telling clients to watch this, more so now what with WordPress and Google moving more to https sites for better SEO.

    It amazes me the amount of friends and clients that roll their eyes at me thinking yes yes we know but never take action....

    Same when I constantly remind them: backup, backup, then backup again. They think I'm obsessed...?

  • Sharing this.

    Also thinking through the two-factor authentication (since I have it turned on). Wrapping my brain around that piece.

    If this happened to me and I clicked the image, it would take me to a login page, but Google would NOT ask me for a 2nd authentication at that point because I would be logging in on a browser I already use.

    Depending upon how the hack happens ... if the hackers could be in my account at that exact point, they could change the settings in my GMail to no longer require two-factor authentication. Then any time they logged in after that, it wouldn't send a message because no second step would be required.

    If, however, the hack simply sends them my login credentials, which they tried to use later, then since they are on a different browser, the 2-factor authentication should kick in, send me a message when they tried to log in at some point later, and I would know something was wrong.

    I guess it just depends upon how they have their hack structured, if they're immediately in the account live and making changes to the settings, whether that is done by software or a person. I'd think if they can write up a hack, they would be able to make that happen too, at which point the two-factor authentication couldn't help.

  • Just thought I'd share this: Chrome has different ways of displaying the security status.
    • Sites with EV-certificates seem to have a green lock-icon followed by "[The name of the certificate holder | https://....".
    • Sites with 'regular' certificates have a green lock-icon followed by "Secure | https://....".
    In both these cases, everything before the "://" is green (e.g. everything after https is black).
    • Sites without a certificate have a black "i in a circle" icon followed by the URL.

    If, like me, you use Chrome's incognito windows a lot, the icons are white instead of green, making it a bit harder to see whether a site is secure or not.

    Internet Explorer 11 is similar in behaviour: EV-certificate secured sites get an entirely green address bar, displaying the certificate holder's name after the lock-icon.
    Regular certificate secured sites (Google/Gmail and Outlook.com for example) have a white address bar that only show a lock-icon.
    The icon gets shown on the far right in the address bar though, so it's a little less obvious whether you're looking at a secured site or not than it is in Chrome.

    I haven't checked Firefox yet, but I'm sure that uses a similar method as what Chrome and IE use.

  • If I was affected, how do I fix it? Change password and enable two step verification? Anything else I need to do?

    • See the blog post.

    • Thanks!

  • Yup. This happened to me about two years ago. The hacker got into my email account found an email I'd sent to my bank requesting a wire be sent to a vendor. They edited it to show the wire going to someone else and took over $20,000 from my company. The bank failed to check the authenticity and didn't get my signature for the wire (their error). Fortunately the bank corrected the error at their own cost. To my knowledge, the hacker was never caught.

  • Thank you for taking the time to research this phishing hack on Gmail accounts and then translating it in a way that even an average user could understand. Greatly appreciated.

  • That's clever on the part of the hackers.
    This page goes from discussing the mechanics of the phishing process to the appearance of the address. The first is about gmail. The second is about the browser. I assume Google's Chrome is being discussed.
    Browsers should make it easy to see the domain hosting the page of the moment. All browsers, not just Chrome. A dedicated domain display window would accomplish that.

  • Thanks for constantly keeping us up to date with all the Wordpress issues Mark!

  • When I started reading this I realized that I had been targeted. I got as far as the second sign in and smelled a rat. After some thought I used the old "turn it off, then turn it back on" fix from much earlier days. As far as I know it worked, but I am checking the haveibeenpwned website.
    Thank you for waking me up.

  • Mark-

    I read your blog and followed instructions. I set up the 2-factor authentication.

    My question is how do I know what the breach was? I had one.

    I am assuming now that I changed everything they no longer have access? What about the info they have on hand?

  • I would just like to thank you Mark for a most informative piece. I must say even a non technical guy like me could understand about the attacks. I also checked my accounts on that website you suggested.

  • I noticed two logins from the East coast over the last two days -- and I'm on the West coast. When I clicked for more information, it turns out the login is for UnrollMe, which culls newsletter signups into one digest.

    Could a service like that compromise security and make you more susceptible to hacking? Details:

    "name: Unroll.me Email Client"
    "support-url: mailto:Support@Unroll.me"
    "vendor: Unroll.me"
    "version: Unroll.me Version 1.0"
    OAuth Domain Name:

  • Thanks a lot for the post Mark. Very helpful, so I've shared with my friends as well... (y)

  • Does multifactor authentication (e.g. using the google authenticator app on a smartphone) just completely nullify this?

  • Another thing browsers should do is to make warnings about insecure web forms mandatory ie you can't disable them.

  • Google also offers additional authentication methods such as two-factor authentication using voice or text delivered codes and the Google Authenticator app.

  • Much appreciation for all that you do for the Wordpress community and beyond... This question has nagged me since your posting...

    If a party accessed in this manner a google account that has webmaster tools and analytics as a part of it, could they then access or hack into Wordpress sites that are engaged with tools and analytics, perhaps through API keys or in some other way...?

  • Mark,

    I work in the account security department of a large online company, and I can sadly confirm that 2-factor authentication (2FA) is not the 100% foolproof account protection many people believe it to be. It can be circumvented with well-designed phishing websites which combine the disguise of a web forgery, a simple web bot, and social engineering. It is called a Man-In-The-Middle phishing attack.

    Here's a brief example of how it could work:

    1) Start with a phishing example like the one described here. You've stumbled into a gmail login page which is really a phishing forgery, and you enter your email/password.
    2) The phish site engages an automated program (a bot) which uses your credentials and attempts to log in to your real gmail, where it encounters a 2FA challenge.
    3) The phish site mirrors this challenge to you, prompting you to send a 2FA code to your phone for security.
    4) You push the button to send a code, and the bot logging into your gmail mirrors this action simultaneously.
    5) You receive a *real* 2FA code via text, but you're still on the phish website, which is now asking you for the code.
    6) You unknowingly give your "secure" 2FA code to the phishing site, which forwards the code to its bot counterpart patiently waiting at the 2FA challenge prompt.
    7) The 2FA security of your account crumbles in the face of a legit code, and your gmail has now been compromised.

    If the phishers are really smart, their forgery site will then seamlessly redirect you back to your real gmail account (which you never logged out of) and you'll be completely unaware that you were just bamboozled. The less sophisticated phish sites will just keep giving you invalid credential errors, which should eventually alarm even the most unaware user.

    These phishing systems are so efficient that the whole process only takes seconds, so it is effective even with 2FA security that utilizes short-life codes. It also works with dongle/app authentication tools, which are the most common methods of secondary account security in use today. We should not allow ourselves to be lulled into a false sense of security, because ensuring accounts stay in our control is ultimately our own responsibility. Listen to Mark's wise advice, pay attention to URLs when you log in to sensitive accounts, and don't let yourself be a victim.

    Another piece of advice I would give anyone wanting to be proactive about preventing an account compromise is this: if you ever click on a link/image/whatever and are suddenly presented with a login page, BE VERY SUSPICIOUS. If you know you already logged in to your account, but you're suddenly being asked to log in again, it should raise some flags. Check that URL to be sure you're where you belong.

    It is unfortunate that 2FA security has been advertised as a complete solution by so many people, giving a false sense of security to the masses. This method of circumventing 2FA is so seamless that I frequently encounter customers who don't believe me when I tell them their account information was phished, insisting that our company must have somehow been hacked instead. Even intelligent Internet-savvy users will try to deny any possibility they could have been fooled. Nobody should think they are above falling for one of these scams. Bad guys are always looking for better and more effective ways of scamming anyone who lets their guard down.

    I hope this information helps to educate your readers, and encourage them to take more proactive measures to keep themselves safe and secure in an increasingly digital and dangerous world.

    -Justin

    • In this case, if a person has 2 gmail accounts, perhaps the phishing entity will now know of the 2nd one? Or will?
      I have encountered something like this in Chrome, in AvastSafeZone, and in Explorer--is that possible?
      Having a hard time getting anything done. I was scared to go beyond the first prompt, knowing it to be weird (a good sign of things gone wrong) and tried for a workaround, asked in a group and got this addy, and decided just to ditch Chrome until it got its life straightened out. Now in AvastSafeZone and finding the same thing. I'm going nuts. Explorer won't even let me in. Ha!
      In each place, I'm at the point of not going beyond the first request to re-sign in to gmail. Is it safe just to work in, say, facebook? I do not know enough even to understand some of the terms, here, but I know when stuff is weird... :'(

    • Oh, AND... I forgot to say Explorer tells me my password to gmail was changed 30 hours ago and that it will send a one-time six-digit code numeral to my other account, into which I cannot gain access due to their not knowing it exists when I try to go there. Arrgh.
      In both cases of my encountering this problem, I was trying to close an email from a trusted entity.
      First time was wp help.
      Second time I think I remember was a friend.
      Wish I could say I feel totally confident giving my ph no to folks... :'(

  • Thanks a lot for the great article! If you're using Chrome, Google has a plugin called Password Alert to help notify you about entering your password on incorrect domains. Seems to offer a nice second line of defence, along with 2FA (and particularly if you're concerned about time-of-use phishing attacks).

    "If you enter your Gmail or Google for Work password into anywhere other than accounts.google.com, you’ll receive an alert, so you can change your password if needed."

    • I'm curious if that plugin would work because in this case it's not a domain you're entering your password on.

  • I had one like the described but it came from supposedly Apple. Almost had me till I spotted passwort spelt incorrectly, then I got suspicious.

  • I accidentally clicked one star but couldn't change it to the five stars I wanted to give! Sorry! Thanks for posting this very useful information!

  • I don't believe technical users of any credence would be caught out by this. I mean, the URL doesn't start with the right pattern and it's not secure. So who exactly are these technical people who don't check even the most basic things?

  • GMail developers should consider blocking data URIs, or showing very big alerts when they are clicked.

  • Can a browser be made to detect the white-space, and warn of the extra text at the right (which I assume is not ordinarily visible unless you scroll to it)?

  • You mention that people should look for the protocol and then the hostname, but you've made it too simple, which makes it wrong. Instead, people need to look for "https://accounts.google.com/" exactly (with the '/' AFTER the hostname). Your instructions tell people something like "https://accounts.google.com.wordfence.com" would be an OK URL, when clearly, it is not.

    Then you turn to describing how Google could fix this, but Google can't fix things they have no control over. People also use Safari, Internet Explorer and Firefox. They won't necessarily know from your article that your comments don't apply to their browser.

    You go on to tell people they can check their account via the following: "Visit https://support.google.com/mail/answer/45938?hl=en for info. To use this feature, scroll to the bottom of your inbox and click “Details” (very small in the far lower right hand corner of the screen)." I've tried that - there is no "Details" link anywhere on the page. Maybe it's a Chrome thing? Maybe the link is out of date? Whatever the reason, it doesn't work for everyone.

    Thanks for the heads-up!

    • Also, could you send me one of these phishing emails? I'd like to do further analysis as well.

      • I would appreciate if you would send me a copy of one of these phishing emails so I can do some analysis as well.

  • Close the tab. Close the browser. Tweak your IP. Then reopen. Solved.

  • You wrote: "During this attack, a user sees neither green nor red. They see ordinary black text. That is why this attack is so effective."

    I'd say that's precisely the reason why this attack can only fool people who are not careful about security. If you're on Gmail, you see green, period. No green, no Gmail, get out. Google's response (which you disagree with) says exactly that: pay attention to the address bar!

    • Many people are color blind so red, green colors are indistinguishable from each other!

  • It might help us to recognize this kind of thing if Google and the other webmail services adopted Extended Validation TLS certificates. It would let them control a sliver of the real estate they call "trusted" to enhance trust.

    For example, compare the location bar on Troy Hunt's https://haveibeenpwned.com/ web site with the one on, say, this web site, or on gmail or outlook.com. The former one announces the name and owner of the web site.

    It costs more to get one of these extended validation certs. But they might help people recognize attacks by cybercrooks.

  • Thanks for this info. Do you have a favourite password storage site? I can't remember all my passwords!

  • Great article; yet, clickhappy users will continue operating with blinders until there is a vendor patch to resolve pebkac (When the computer is fine, but the issue is because Problem Exists Between Keyboard And Chair (around 80% of the time)).

  • Thanks for this. I'll pass this on to my clients and family members.

    One quibble. You write, "Changing your password every few months is good practice in general." Not so. Merely changing your password periodically does nothing at all to increase security, if you don't also increase the password's entropy (length and/or complexity) when you change it. In other words, changing from "R/ebit18" to "o'Harq15" is pretty pointless. On the other hand, changing from "R/rbit18" to "lettle r/ebit inde hotch!" would be worth doing, as the 25-character password is considerably more secure than the 8-character password. But once you've got a long, strong password, there's no security benefit to changing it -- unless you think it's been compromised.

    Commenter Justin quite rightly warns that two-factor authentication is not bulletproof. But two-factor authentication is still a powerful extra layer of protection.

    So:

    — Use long strong passwords, unique for every site. Use a password manager like 1Password or LastPass.

    — Enable two-factor or two-step authentication wherever it's available, which in 2017 is nearly everywhere (Google, Dropbox, bank account, credit cards, PayPal, etc.).

    — Always watch that location field in your browser, as instructed in the article above.

    It's a scary world out there.

  • Thanks for the follow and feedback from google shared here!!
    This phishing activity is so widespread since one can't detect if they are a victim. The measures mentioned here are very helpful and, having shared them with my team, I feel a bit more at home.
    Again thanks Mark!!

  • If every non-https page shows a "non secure" warning, users will ignore it after a while. This paranoid approach is very dangerous, because users will ignore further warnings if we say to them that everything is non secure.

    Humans assimilate the common risks as "normal" if nothing happens, everyone knows this.

  • In this case, a password manager is a great first line of defense. For me it is great because Roboform will only show the available passcodes for a site where the URL matches. In this case, it would not even show up even if I get lazy and do not look at the bar. But, the human factor is one that needs to be improved because this is one of many issues where we are prone to being lazy and not paying attention. I think education is a big plus even for the novice. Just like driving a car, you need to know the rules of the road and be prepared for many things that are unpredictable. I have all my clients educated to always select no on any pop ups if they are unsure so this is the next iteration of being careful. I do not think that you can account for every scenario. On another note, e-mail servers can be trained to look for certain items in the email and classify them as junk. This will probably yield more false positives but will be a good step in minimizing what we see.
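
Several comments above spell out what to check in the address bar: the exact host "https://accounts.google.com/" with the slash after the hostname rather than anything that merely starts with that text, the absence of whitespace padding that hides the rest of a data: URL off the right edge, and the exact-URL matching a password manager performs before offering credentials. The following is an added example, not code from the blog post or from any commenter, that turns those checks into one function. The allow-list `TRUSTED_LOGIN_HOSTS` and the `SAMPLE_URLS` are constructed for the demo.

```python
"""Added example (not from the blog post or any commenter): the address-bar
checks described in the comments, as a reusable function. The allow-list and
sample URLs are constructed for the demo."""
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: the only host where a Google password belongs.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def check_login_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only for https on an exactly trusted host."""
    url = url.strip()

    # 1. A data: URL carries the whole page inside the address. No host serves
    #    it, so a login form shown from one cannot be the real site's form.
    scheme, sep, _ = url.partition(":")
    if sep and scheme.lower() == "data":
        return False, "data: URL - the page is embedded in the address, not served by any host"

    # 2. Whitespace inside a URL is never legitimate; runs of spaces push the
    #    rest of the address past the right edge of the location bar.
    if any(ch.isspace() for ch in url):
        return False, "whitespace inside the URL - part of the address may be hidden off-screen"

    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"

    # 3. Exact host match, after lowercasing and dropping a trailing dot.
    #    "accounts.google.com.wordfence.com" starts with the right text but is
    #    a completely different site, which is why a prefix check is not enough.
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in TRUSTED_LOGIN_HOSTS:
        return False, f"host {host!r} is not a trusted login host"

    return True, f"host {host!r} is trusted"


def triage(urls: List[str]) -> List[Tuple[str, bool, str]]:
    """Run the check over a batch of location-bar strings."""
    return [(u, *check_login_url(u)) for u in urls]


# Constructed sample inputs, modelled on the cases the comments discuss.
SAMPLE_URLS = [
    "https://accounts.google.com/ServiceLogin?service=mail",
    "HTTPS://Accounts.Google.com./signin",
    "https://accounts.google.com.wordfence.com/ServiceLogin",
    "http://accounts.google.com/ServiceLogin",
    "data:text/html,https://accounts.google.com/ServiceLogin" + " " * 40 + "<!-- constructed body -->",
]

if __name__ == "__main__":
    for url, ok, reason in triage(SAMPLE_URLS):
        print("OK  " if ok else "BAD ", url[:60], "->", reason)
```

The order of the checks matters: the data: test runs before `urlsplit`, because a data: URL has no host to parse, and the whitespace test runs before the host comparison, because the visible prefix of a padded address can look exactly right. Only the last two sample URLs and the first two differ in outcome by a single component each (scheme, or the tail of the hostname), which is the point the commenter about "https://accounts.google.com.wordfence.com" was making.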

  • I am very, very pleased that you, Google, Mozilla and other pillars of the internet are working on securing the internet from the inside out. Thanks to you all.

  • One of Gmail's recent security enhancements rather plays into the phisher's hands - they have got users accustomed to frequently being asked to log in again.

  • Google has made users much more vulnerable through their "one account" approach. If a user falls for the phishing attack, they don't just risk their email being seen or malware potentially getting on their machine and they don't just risk spreading the malice. They risk their YouTube, Drive, Apps/G-Suite, Google Pay, Google Play, Project Fi, Google Voice, Google+ and many more accounts simultaneously. And if two factor isn't an option for email alone, they can't use it for any of those other services as it is a Google Account level setting. Phone, tablet, TV, PC/Mac and more may be using the same account and become vulnerable via access to the single account.

    The convenience / necessity of single sign-in access to many of these services may well be worth more than the security benefit of more separation but it does create much more risk. To make matters worse, these attacks vary which Google service they pretend to be signing in to along with varying the context of the content of the message or attachment name based on what they find in the outbox of the user they compromise and spread through. So separating email password from everything else, for example, to isolate the point of phishing attacks, doesn't mean the user won't give up their drive/accounts password anyway when prompted to do something related to the legitimate looking document request.

  • I am concerned about over reacting on the machine side. I have regular blocking of my outbound emails by "DMARC," even when sending to the desk behind me and on the same email server. DMARC is a group of larger ISPs as I understand it. I believe Google is a participant. DMARC filtered me out regularly. I am having somewhat better luck using Thunderbird for email through my own domain's email server.

  • Keep in mind that Google supports FIDO U2F, which is immune to these attacks.

    • Just want to add, for those who don't understand your comment: FIDO U2F is a hardware two factor authentication standard. YubiKey is an example of a hardware device based on this standard.
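
Justin's comment above describes how a relayed one-time code defeats SMS- or app-based 2FA, and the two comments just above note that FIDO U2F is immune to that relay. The following is an added example, written for this page and not code from the blog post or any commenter, that shows the difference in miniature: a six-digit code carries nothing about which site asked for it, so forwarding it works, while an origin-bound assertion has the origin the browser actually saw baked into the signed data, so a relayed assertion fails verification and rewriting the origin breaks the signature. HMAC-SHA256 stands in for the ECDSA signature a real U2F token produces, the client data layout is simplified, and `REAL_ORIGIN`, `PHISH_ORIGIN` and the secrets are constructed; only the HOTP code generation follows a real specification (RFC 4226).

```python
"""Added example (not from the blog post or its commenters): why a relayed
one-time code is accepted but a relayed origin-bound assertion is not.
HMAC-SHA256 is a stand-in for a real U2F token's ECDSA signature; origins
and secrets are constructed."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://accounts.google.com"      # the relying party's true origin
PHISH_ORIGIN = "https://accounts-login.example"   # constructed phishing origin


# --- Scenario A: a one-time code typed into a form (SMS or authenticator app) ---

def issue_otp(shared_secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226): 6 digits derived from HMAC-SHA1(secret, counter).
    Nothing in the code says which website asked for it."""
    digest = hmac.new(shared_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def server_accepts_otp(shared_secret: bytes, counter: int, submitted: str) -> bool:
    return hmac.compare_digest(issue_otp(shared_secret, counter), submitted)


def relayed_otp_login(shared_secret: bytes, counter: int) -> bool:
    """The user reads the real code and types it into the phishing page,
    which forwards it unchanged. The server cannot tell the difference."""
    code_seen_by_user = issue_otp(shared_secret, counter)
    code_forwarded_by_phisher = code_seen_by_user
    return server_accepts_otp(shared_secret, counter, code_forwarded_by_phisher)


# --- Scenario B: an origin-bound assertion (FIDO U2F style) ---

def authenticator_assert(device_key: bytes, challenge: str, origin_seen_by_browser: str):
    """The browser, not the user, tells the token which origin is asking,
    and the token signs over both the challenge and that origin."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True)
    signature = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return client_data, signature


def server_verifies_assertion(device_key: bytes, expected_challenge: str,
                              client_data: str, signature: str) -> bool:
    expected_sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, signature):
        return False  # signed data was altered in transit
    data = json.loads(client_data)
    # The server checks the origin the browser saw against its own origin.
    return data["challenge"] == expected_challenge and data["origin"] == REAL_ORIGIN


def direct_u2f_login(device_key: bytes) -> bool:
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_assert(device_key, challenge, REAL_ORIGIN)
    return server_verifies_assertion(device_key, challenge, client_data, sig)


def relayed_u2f_login(device_key: bytes) -> bool:
    """The phishing site relays the real challenge, but the user's browser is
    on PHISH_ORIGIN, so that is what the token signs over."""
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_assert(device_key, challenge, PHISH_ORIGIN)
    return server_verifies_assertion(device_key, challenge, client_data, sig)


def relayed_u2f_login_with_tampered_origin(device_key: bytes) -> bool:
    """Patching the origin in the client data invalidates the signature."""
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_assert(device_key, challenge, PHISH_ORIGIN)
    tampered = client_data.replace(PHISH_ORIGIN, REAL_ORIGIN)
    return server_verifies_assertion(device_key, challenge, tampered, sig)


if __name__ == "__main__":
    print("relayed OTP accepted:           ", relayed_otp_login(b"constructed-otp-secret", 1))
    print("direct U2F accepted:            ", direct_u2f_login(b"constructed-device-key"))
    print("relayed U2F accepted:           ", relayed_u2f_login(b"constructed-device-key"))
    print("relayed U2F, origin rewritten:  ", relayed_u2f_login_with_tampered_origin(b"constructed-device-key"))
```

The speed of the relay, which Justin stresses, is irrelevant to Scenario B: the assertion is rejected not because it arrived late but because it names the wrong origin, and the phisher cannot change that field without a key it does not hold.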

  • Thanks as always for your proactivity on security issues. There are a LOT of previous comments, so forgive me if anyone has already said this, but why is anyone using Gmail in the first place?

    That's a constant security risk all on its own, not only to Gmail users, but to everyone they correspond with, Gmail user or not. Gmail scans the full content of ALL email, outgoing AND incoming.

    Google's defense of this is that it's all automated, and just used to serve you relevant ads, but think about what that means: ANYTHING you discuss in email is a keyword in a file with your name on it on a Google server somewhere.

    Even if you trust Google intentions, and feel it's a fair trade-off for free email (which your Internet Service Provider probably offers for free without scanning your mail), all it takes is one disgruntled Google employee... Not to mention that non-gmail users you correspond with are never asked whether they consent to this.

    Phishing scams are usually a short-term risk, but Gmail users should be aware that just using Gmail poses another set of risks every day.

  • It looks like they have evolved. I got the very dubious Dropbox link this morning and instead of the data link, it kicked over to another website with a php script running, so even just looking at the initial link in GMail won't save you.

  • Does this impact devices without a browser address bar (phones, tablets...)? Many of us have email directed to alternate devices.

  • Hi Mark - At this moment I have a pop up screen asking me to sign in when I am already signed in to my Gmail acct. However, I can't see a URL for the pop-up. I also heard from someone else who I directed to your article that he discovered multiple Gmail logins to his Google account while he was sleeping. How can I get to the bottom of these 2 situations to see if they are both indications of Gmail hacking?

  • What do you do if this has happened to you already, and the attackers have locked you out of your email?

  • Thanks to OP and all commenters for a lot of food for thought.
    I remember something similar from more than 10 years ago which involved stuff hidden off the right end of the address bar. I wondered why browsers don't compress that whitespace; it should be syntactically equivalent, and then we would see something was weird.

  • Great work as always, Mark.

    We focused on this post during our recent episode regarding Phishing Scams. The video can be found here: https://category5.tv/shows/clips_tech/episode/487-phishing-scams-2017/

    Keep up the great work, and thanks for helping enlighten users on the risks that are out there!

    Robbie

    • Cool, thanks Robbie.

  • Mark, would you be willing to share the sample? Thanks! Jody

    • Hi Jody,

      Thanks for reaching out. Will reply via email.

      Mark.

      • Mark, if you could, I would like to see a working example of this as well.

        Bill

  • What about the 'mouseover' or 'hoverover' technique?

    • I use the mouse-over technique myself and it reveals a lot about the source.

  • Late to the party on this one, but if you don't click on the attachment in the first place, then you've prevented the attack before you ever see the bogus Google login screen.

    And you shouldn't be clicking on it.

    You should never open email attachments in your personal email unless:
    a) you're expecting them, or
    b) there's corroborating text from the sender in the email about the attachment that is clearly the person you think the email's from, and not a bot.

    A couple weeks ago, I called up *my wife* to confirm that an email with no text, just an attachment, was really from her. It was, but that's how serious I am about this.

    This doesn't necessarily apply to emails within your employer's internal email system, where stronger safeguards may be in place from the get-go. But even in that environment, a little caution never hurts.