PINDROP BLOG

Gmail Phishing Campaign Racking Up Victims

There is a clever, well-crafted phishing campaign targeting Gmail users that includes a fake login page that exactly mimics the real thing to trick victims into entering their credentials.

The campaign has been going on for some time but it recently began to gain attention after researchers analyzed it and broke down the techniques the attackers are using. The general setup is pretty much the same as most phishing campaigns, with an email coming from what appears to be a familiar address. In this case, the message actually is coming from someone in the victim’s address book, a user whose account has been compromised already. The email has a subject line that has been used in emails between the parties before and includes an attachment that looks like an image.

If the victim clicks on the image to get a preview of the attachment, it opens a new tab in the browser with an exact replica of the Gmail login page. The only giveaway that it’s a fake is the information in the browser’s address bar. Rather than a typical Gmail URL starting with https://, the address has a data URI at the beginning and actually includes a large text file at the end. If the victim doesn’t look closely at the address bar and enters her credentials, it’s game over.

“This phishing technique uses a ‘data URI’ to include a complete file in the browser location bar.”

“The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised. Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot,” Mark Maunder of WordFence wrote in an analysis of the campaign.

“Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.”

The key to the attack is the use of the extra information in the address bar. After the data URI at the beginning of the string, there is the actual address for the Gmail login page, “accounts.google.com”. But at the tail end of the address is a huge chunk of text that forces the browser to open the new tab.

“This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text,” Maunder said.

The attack is effective for several reasons aside from the URL trickery. Sending the victim an email from a contact’s account with a subject line she’s seen previously from that person is the foot in the door. The use of the attachment, which users are conditioned to click on for a preview, is the next step, and then the deception with the URL structure is the final ingredient.

Google is aware of the problem and advises users to turn on two-step verification to protect against account takeovers like this.

Image: Matteo X, CC By license.