A newly-detected Gmail phishing attack sees criminals hack and then rifle through inboxes to target account owners’ contacts with thoroughly convincing fake emails. The new attack uses the file names of sent attachments and applies that name into new attachments that appear to be PDFs but are actually images that, when clicked, send victims to phishing pages. IT security experts from DomainTools, Lieberman Software, ESET, Agari and Proofpoint discuss below.
Kyle Wilhoit, Senior Security Researcher at DomainTools:
“This new attack against users with Gmail accounts is clever and dangerously successful. The fact that the attackers were seeking uniformity with Google’s infrastructure isn’t necessarily new- but the amount of detail they put into mimicking valid Google infrastructure is impressive.
The main point in this style of attack is to use two-factor authentication with Gmail. Having two-factor authentication would make this a somewhat moot compromise. In addition, don’t use shared passwords- imagine if your Gmail account password was compromised via this attack and your banking credentials were the same…”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Too many people see two step verification, Google’s multi-factor authentication, as being too inconvenient, but hopefully the lesson this new Google phishing attack teaches is how inconvenient it is for the bad guys. After all the sophisticated approaches these bad guys have used in this attack, even if someone falls for it they are safe if they have two step verification turned on.
As many interesting new tricks are employed in this phishing scheme the basic form is as old as spying of any kind. Bad guys break into the first victims’ emails, but then the attacks get harder to resist for the next person since what they get is a note from someone they know, with a subject they’ve seen before – just about everyone would click the attachment is those circumstances. We security pros have been telling folks for years not to trust attachments unless you know the person and the conversation seems plausible and this attack will do both of those.”
Mark James, IT Security Specialist at ESET:
“Phishing attacks are now a daily occurrence for users and most will spot a large majority of them as exactly that. With “dear user” and poor grammar (or translation) they normally end up in the bin. However, the bad guys only need to be successful once to make their efforts worthwhile. In order for us to be safe we have to stop 100% of malware and that includes phishing attacks.
When these emails start taking on the form of our daily go-to apps like Apple or Google then it’s no surprise sometimes even the enlighten get fooled. Phishing is getting harder to spot, the emails are getting smarter and every now and again even the “techies” have to stop and think about clicking that link or opening that attachment.
But all is not lost – using technology like 2FA or 2 Step verification could help to protect your account. It might not stop you from inadvertently sharing your login credentials but it will stop someone else from using them and that’s the main thing.”
Dr Markus Jakobsson, Chief Scientist at Agari:
“This latest phishing campaign emphasises how account take-over has become one of the most valuable goals for cyber criminals.
Covertly taking control of an email account is a holy grail for an attacker, granting them a huge amount of data and targets – and an account to use as a vector.
Once they have access, they can harvest a huge amount of personal information for future attacks, building a profile that will enable them to easily target other data such as financial details. Any service registered to the email address that does not use two-factor authentication to verify user identity can also be easily taken over, as the attacker can simply request a new password using the stolen address.
Everyone in the address book can also be harvested for future scams, from friends and family to colleagues and professional contacts. Worse, they can be targeted directly using the compromised account, taking advantage of their trust in an apparently legitimate email.
The level of complexity going into the email attack means that it’s increasingly unlikely for users to spot this new wave of attacks themselves. Emails sent from hijacked accounts can only be detected if the user notices something out of character about the message.
Instead, organisations and email providers themselves will need to develop more sophisticated ways of preventing such attacks from reaching their intended targets.”
Bryan Burns, Vice President of Threat Research at Proofpoint:
“Gmail/gdocs phishing is very common and unfortunately it’s something we’ve seen for years. It is indeed a powerful phishing vector, because the phisher can then send email from that account using the user’s email signature and contact list, which makes the follow-on messages extremely convincing.
“We also see similar attacks where attackers impersonate other popular mail hosting systems such as O365—and that is in addition to many other services, including Dropbox, Drive and more. Those attacks are just as potent (if not more so). In fact, credential phishing overall is now the dominant URL-based threat we see. And the damage can be lasting and have real-world consequences.
“This attack suggests attackers are finding it easier to trick people than machines – and based on the prevalence of macro-based downloaders for large-scale campaigns (like those used to deliver Locky ransomware), and the increase in business email compromise-type attacks, it seems likely that credential phishing will continue to be a dominant threat vector.”