According to security researchers, the newly discovered attack takes users to a well-disguised website that mimics the Gmail login page. Once the user enters their password, attackers gain access to their emails and contact list.
Mark Maunder, founder of WordPress security firm Wordfence, explained that the sophisticated phishing scam is spread using emails sent from the affected account to the user’s contact list.
“The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender,” Maunder said in a blog post.
“You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again.”
The problem is, the malicious web link is very well-disguised and even includes “accounts.google.com” in the URL. According to screenshots obtained by Maunder, the webpage mimics Google’s official Gmail sign-in page almost identically.
“Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot,” said Maunder.
“Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts.”
Once attackers have access to your account, they begin sending the phishing scam to your contacts on your behalf.
According to Forbes, attackers will go as far as to find an attachment you have previously sent to your contacts and craft an email that includes an image of the attachment you previously sent. But, when your contact clicks on that image, it will take them to that convincing fraudulent login page.
“We’re aware of this issue and continue to strengthen our defenses against it,” a Google spokesperson told Global News.
“We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”
How to protect yourself
When it comes to phishing scams, experts normally advise users never to click a link or attachment included in a suspicious email. However, because this attack uses your account to spread the phishing scam, your contacts might not think twice about clicking on a link or attachment from you.
Often attackers will use a legitimate web address in the hyperlinked text of the email, but once you click on the link it takes you to a malicious website. If you hover your mouse over the link – without clicking on it – a small yellow box will appear showing the actual web address the link will take you to. If the link doesn’t match the hyperlinked text, it’s likely malicious.
In this instance, the link or attachment will take you to a separate login window. While it might look legitimate, Maunder recommends taking a close look at the URL before entering your password.
“Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left,” he said.
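The address-bar rule Maunder gives above, as an added Python example that is not from the article or from Wordfence: it parses a link and reports whether "https://" is the only thing in front of the hostname accounts.google.com. The function name and the sample links are this example's own, constructed to exercise the check.

```python
from urllib.parse import urlsplit

# The hostname the article tells readers to look for. Everything else in
# this block (function name, sample links) is assumed for the example.
EXPECTED_HOST = "accounts.google.com"


def check_sign_in_url(url: str) -> tuple[bool, str]:
    """Return (passes_rule, reason) for a sign-in page address.

    The rule: nothing may sit before the hostname except "https://".
    """
    parts = urlsplit(url.strip())
    # Any scheme other than https fails, including schemes that merely
    # carry the real address somewhere further along the string.
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"
    # "user:pass@" between the scheme and the host is something other
    # than "https://" in front of the hostname, so it fails the rule.
    if parts.username is not None:
        return False, "credentials before hostname"
    host = (parts.hostname or "").lower()
    if host != EXPECTED_HOST:
        return False, f"hostname is {host!r}, not {EXPECTED_HOST!r}"
    return True, "https:// directly before accounts.google.com"


if __name__ == "__main__":
    # Constructed sample links; none of these are taken from the attack.
    samples = [
        "https://accounts.google.com/signin/v2/identifier",
        "http://accounts.google.com/",
        "https://accounts.google.com.example.net/login",
        "data:text/html,https://accounts.google.com/",
        "https://accounts.google.com@example.net/",
    ]
    for link in samples:
        ok, why = check_sign_in_url(link)
        print(f"{'PASS' if ok else 'FAIL'}  {link}  ({why})")
```

Only the first sample passes; each of the others contains the expected hostname text yet has something other than "https://" in front of it.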
To prevent yourself from being affected, you can also turn on two-step verification for your Gmail account. That means a code, sent to your phone via text message, must be entered every time you log in.
If you are worried you may have been affected by this scam already, you should change your password immediately.
Google also lets you review your account's login activity, including the dates and times your account may have been accessed.