Sysadmin at a school: we use GMail for our students and faculty, and we got hit by this hard right before the holiday break. Three employees and a handful of students all got hit by the attack within a two hour period. It's the most sophisticated attack I've seen. The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.<p>For example, they went into one student's account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.<p>They were using bit.ly to obscure the address (in Russia). We had to take our whole mail system down for a few hours while we cleaned it up.
I reported this back in March 2016, and Google said it was not an issue.<p>Analysed the whole attack here: <a href="https://gist.github.com/timruffles/5c76d2b61c88188e77f6" rel="nofollow">https://gist.github.com/timruffles/5c76d2b61c88188e77f6</a><p>This was the response I got:<p>> The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin the users are currently visiting. If the users pay no attention to the address bar, phishing and spoofing attacks are - obviously - trivial. Unfortunately that's how the web works, and any fix that would try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have phishing on any http[s] page just as well.
Had the same exact experience in August.<p>Amazing thing was I KNEW the email was phishing. I was asked to look at it by someone internally who was suspicious. I forwarded it to a Gmail account I use for dodgy items. I fired up a VM and logged in to the Gmail account. I looked at the email. I briefly examined the raw message (too briefly). Then I clicked on what I still thought was a Google Drive attachment.<p>My first thought was "oh I've been logged out of Gmail for some reason". I was just about to login again when I decided to double check the URL and finally saw what was going on.<p>I think most normal users would be very vulnerable to this. It's very subtle. Luckily the guy in accounts is paranoid.
I think it's naive to believe that even the most tech savvy are immune to phishing. People get tired, hurried, stressed - and during those moments anyone's guard can be let down.
The only two things that I think could have prevented me from falling for this are: I don't have images loaded by default for unknown senders, and LastPass wouldn't match the domain and therefore wouldn't show the button to autocomplete on the password box.<p>Depending on how observant I'd be at the moment, I might check the URL bar and see something fishy. But I could fall for this, which is worrying.
<p><pre><code> <a href="data:text/html,valid_looking_url <script src=data:text/html;base64,YWxlcnQoMTIzKQ==></script>">clickme</a>
</code></pre>
Or if you want to reproduce it in the console:<p><pre><code> a = document.createElement('a');
a.href = 'data:text/html,valid_looking_url <script src=data:text/html;base64,YWxlcnQoMTIzKQ==></script>';
a.textContent = 'clickme';
a.style.position = 'fixed';
a.style.left = 0;
a.style.top = 0;
a.style.zIndex = 9999;
document.body.appendChild(a);
</code></pre>
The "valid_looking_url" will appear in the document, but it can be hidden from the page by script or made transparent using CSS.
Thanks for sharing this - this is fiendishly clever. Even with all the investment in infosec, we're still woefully unprepared to deal with this type of attack. We need to start thinking about new approaches to protect users.
There is also a Password Alert Chrome plugin by Google [0].<p>If you ever enter your Google password on any domain other than accounts.google.com, it will immediately alert you and give you a link to change your password.<p>It can handle multiple passwords too if you have multiple Google accounts.<p>[0] <a href="https://chrome.google.com/webstore/detail/password-alert/noondiphcddnnabmjcihcjfbhfklnnep" rel="nofollow">https://chrome.google.com/webstore/detail/password-alert/noo...</a>
As a side note, it looks like this couldn't have happened with an external mail reader like Thunderbird. Even when targeted to that and mocking some other UI element, clicking the link would open a browser window and reveal the fraud, at least to power users.<p>I'm not advocating against web-based mail readers, simply because it's not always possible or practical to use external ones. But it seems security is harder to implement because everything is "made of the same parts", i.e. a web-based mail displayed in a web-based application, opening links in the same (browser) window.
I'm surprised that, with Google's image detection technology, Gmail doesn't do image recognition on images with links where the image looks like a popular document attachment, and send them to spam. Or perhaps they do but the phishers are able to evade it.
Once I almost fell for an extremely well made Paypal-phishing mail. It was late at night and I had just made a purchase via Paypal at a very small web shop. The timing was so perfect to catch me off guard that I am certain that site had been broken into to gather my email address.
My rule for gmail... I type gmail.com then log in. That's the only path I take to log in. I never click a link and log in, etc. really I do this for most sites I use.
I'd be really interested to see the increased success rate. Even if the most tech-savvy weren't fooled (I'm not so sure), I would be surprised not to see a vast increase from your average misspelled ecommerce phishing email. Shame those crooks don't practise open data.
That is very well done. I only see people suggesting 2-factor auth as a remedy, but I guess any password manager would work as well. You wouldn't even get to the point of compromising your password.<p>I use 1password, which will only fill in the password associated with the current domain.
I guess it's an arms race, but I would guess there are a few potential ways to mitigate against this:<p>1. Watermark all images on the in-email preview.
2. You should be able to design a mail scanner which would detect images that look too much like gmail elements and flag them.
The problem here is monopoly, or mono culture.<p>The whole world is, basically, using one email client. The lack of diversity means a well written scam like this spreads easily.<p>I can say for certain I'd never fall for this scam -- because it looks like crap in Pine. I know I'm special, but the same applies to Thunderbird, or whatever.<p>There's probably a parallel to biology here. Let's get diversity back in our internet culture and with it resistance; scams like this will be harder to convince and much less likely to spread. Hopefully removing some of the incentive, too.
> The problem doesn't get better until we destigmatize it.<p>Absolutely, it can happen to anyone. I'm sick of people here or on other forums who do some victim blaming, calling phishing victims "idiots". It's not going to solve the problem. And often the Gmail or Chrome teams dismiss these kinds of issues.<p>I had to revert to the HTML version of Gmail because I was sick of all the phishing attempts, and disable images in the client.
As a security professional, I'm wired to loathe shortened links. This is a great example and exactly why I created a little hobby Chrome extension to expand all shortened links for inspection - <a href="https://unshorten.link" rel="nofollow">https://unshorten.link</a>
Almost fell for another clever one today: <a href="https://medium.com/@scardine/clever-phishing-scam-of-the-day-225ac70f0c21#.1em2rcyd2" rel="nofollow">https://medium.com/@scardine/clever-phishing-scam-of-the-day...</a>
I nearly fell for this attack; if it weren't for my email address on the fake Google login not being autofilled I would have. That made me look at the URL, and my ultrawide monitor revealed a cunning URL that had some white space padding to hide the real URL.
Always smiled at phishing scams, but this scares the hell out of me, so I just headed to Google to set up 2-factor authentication.<p>How is your experience?<p>I understood that I can register specific machines not to use 2-factor, so if I lose my phone I can still log in. Anything else to consider?
I was about to ask why don't browsers prompt for confirmation when submitting a password on an unfamiliar domain, but then I realized the fake login page would just use a normal text field instead of a password field and fake the password dots.
I think it's time for Google to implement the personalized icon thing Banks have when logging in. I definitely classify my email to be near as important security wise as my banking information.
IMHO javascript should <i>never</i> have been allowed in the address bar or even inline in an href. The first time I learned about this feature of a browser, I was thinking 'security defect'.
This is a lesser-known benefit of password managers that autofill (or at least auto-look-up) passwords in web pages. I might fail to notice a wonky address bar, but 1Password will notice.
Why would you need to sign in if you're already in your gmail? Not to say there's anything obviously wrong, one could easily go there.<p>It does point out a major problem. Email used to be text only. Then we added attachments that needed to be saved as a file and read with whatever app. Then we went to automatically displaying attached images and having live HTML links. All of these things we do for convenience make this sort of attack more possible.
The closest I ever came was a Nigerian scam where a crown prince had been one of the first people on a space station in the 90s, but his return seat was taken up by cargo when they decommissioned the satellite, so they just left him in orbit.<p>After 15 years alone in space he was "in good spirits" but wanted to come home and would share his overtime flight pay of $15M with me.<p>Seriously where do they find these stories.
I actually did get phished by this. I think I just got lucky I had 2fa on and they didn't phish that too<p><a href="http://blog.greggman.com/blog/getting-phished/" rel="nofollow">http://blog.greggman.com/blog/getting-phished/</a><p>The worst thing is I don't know how to help my less technical friends not fall for it. They are unlikely to use 2fa I think
Hm, a give-away would be that the image would most likely not be interactive like it is now for me (Chromium). I.e. a PDF attachment footer "icon" renders the preview, and then action buttons when hovering the mouse over it. The buttons are then changed to darker colours with alt text when hovering over them again.<p>Or did they manage to embed the JS to simulate these actions with the attack?
Use 2-Factor Auth.
If you are a sysadmin make it required.
Block image downloads by default.
Turn on log in notifications for unknown devices.
If you are a sysadmin in a controlled network and serve content via proxy block bit.ly.
This is a clever and dangerous attack, but can still be avoided by following the above.
A reminder that U2F essentially prevents phishing attacks:<p><a href="http://security.stackexchange.com/questions/71316/how-secure-are-the-fido-u2f-tokens" rel="nofollow">http://security.stackexchange.com/questions/71316/how-secure...</a>
I've seen this before and nearly fell for it myself. If I didn't have auto fill for google account logins I would definitely fall for this. I noticed immediately when it made me type in my email and password and had no records of my other accounts.
Some further reading on the subject by lcamtuf (from 2011): <a href="https://lcamtuf.blogspot.com/2011/12/old-switcharoo.html" rel="nofollow">https://lcamtuf.blogspot.com/2011/12/old-switcharoo.html</a>
One of my users was hit by this recently. Another interesting tactic they used was a redirect to the fraudulent login page. This way, as soon as it was reported as phishing to Google, they just incremented a number in the URL and could continue harvesting.
The aim of EV certificates is to reduce such risks and highlight to the user the legitimacy of such websites.<p>HTTPS alone only provides encryption. Google doesn't use EV anywhere but I feel it should on login pages especially given it is a high phishing target.
how about using 3-step auth?<p>1. you input your username<p><pre><code> Google sends back a msg/pic which you saved in Google at your last login;
 confirm, then go to step 2
</code></pre>
2. you input your password<p>3. Google asks you to input an auth code
Correct me if I'm wrong, but that embedded image (pretending to be an attachment) redirects you to a (fake) Gmail login page. How is that supposed to trick anyone? I mean, isn't it unusual (i.e. never happens) for attachments to take you to a Gmail login page? So that's suspicious behaviour right there. How is it a serious phishing attack that's getting so much attention on a platform like HN where people are used to much more sophisticated hacks? Unless you're implying that visiting that website (fake login page) itself could harm the user's device, is there some detail that I'm missing here?
One of my clients got hit with this yesterday. Google suspended the account but only after a round of emails had gone out.<p>Seems like at this point the perps are just harvesting credentials.
This guy has an interesting YouTube channel<p><a href="https://www.youtube.com/user/enyay" rel="nofollow">https://www.youtube.com/user/enyay</a>
Serious question. Does having a Chromebook help anyway? How often is Google Safe Browsing checked?<p>Wondering if I should do all internet activities inside a Chromebook only.
To save the click:<p>Follow<p>Tom Scott (@tomscott):<p>This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy…
<a href="https://pbs.twimg.com/media/C0W-dCCWQAAl0cn.jpg" rel="nofollow">https://pbs.twimg.com/media/C0W-dCCWQAAl0cn.jpg</a>
Luckily I always pay attention to the URL and I consider myself being pretty safe from all sorts of phishing attacks. There have been quite a few clever ones.