Mohammad I. Shawabkeh – A new, sophisticated phishing campaign is deceiving not only the average user but also tech-savvy people, using specially crafted URLs to trick users into entering their Gmail credentials.

The new phishing technique revolves around crafting convincing emails by analyzing and mimicking past messages and attachments. The attack was first discovered by Mark Maunder, the CEO of WordPress security plugin Wordfence, who noticed that the hacker sends an email appearing to contain a PDF with a familiar file name.

The malicious message is sent from one of the victim’s contacts and pretends to carry a PDF document that can be previewed directly from Gmail. When the victim clicks on the “attachment” image embedded in the body of the message, they are redirected to a phishing page that looks almost identical to the Gmail sign-in page.

Unfortunately, the attack’s imitation of the Gmail sign-in page is so convincing that many users will automatically enter their login details, handing them straight to the attackers, who can then steal the victim’s data and reuse one of their past messages to compromise the next round of Gmail users.

Worse yet, the web browser displays no certificate warning. Experts noticed that the apparently legitimate part of the URL is followed by a long run of white space, which keeps the suspicious part of the address out of view: an obfuscated script that opens the Gmail phishing page in a new tab. Look at this screenshot (credit: Tom Scott):

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.” – a security expert cited on a hacking forum.

Impressive as the attack is, there are ways to protect yourself.

The most obvious giveaway is that the legitimate Gmail sign-in page’s URL begins with a lock symbol and ‘https://’ highlighted in green, not ‘data:text/html,https://’. If you click into the address bar, you’ll also see that the fake page’s URL is actually incredibly long, with white space sneakily hiding most of the text from view. Also, enable two-factor authentication (2FA) on Gmail to avoid falling victim to this powerful phishing scheme.
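As an added illustration (not part of the original article, and not code from any of the researchers named above), the following Python checker turns the two tells described in this article into a mechanical test that a security-awareness trainer or a browser-extension author could apply to whatever the address bar actually contains: the scheme is `data:` with a `text/html` media type rather than `https:`, the payload opens with a lookalike `https://…` string, a long run of white space follows it, and a `<script` tag sits in the hidden tail. The function name `inspect_address` and the sample addresses are assumptions constructed for this example; the script body in the sample is an empty placeholder, not the campaign’s actual code.

```python
import re

# Constructed sample of what the address bar held in the campaign described above:
# a data: URL whose payload starts with a lookalike Google sign-in URL, followed by
# enough white space to push the rest (a script tag) out of view. The script body is
# a harmless placeholder for this example, not the attackers' obfuscated code.
SAMPLE_DECEPTIVE = (
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
    + " " * 120
    + "<script>/* placeholder: no real payload */</script>"
)

# Constructed sample of the genuine sign-in address, for comparison.
SAMPLE_LEGIT = "https://accounts.google.com/ServiceLogin?service=mail"

# An http(s) URL-looking string at the very start of the data payload.
LOOKALIKE_RE = re.compile(r"https?://[^\s<>\"']+")

# Runs of ordinary spaces, tabs or non-breaking spaces used as padding.
PADDING_RE = re.compile(r"[ \t\u00a0]+")

# How long a white-space run must be before we treat it as deliberate padding.
PADDING_THRESHOLD = 10


def inspect_address(url: str) -> dict:
    """Inspect the text of an address bar and report the tells of a data: URL
    dressed up as a Gmail sign-in page.  Returns a dict of findings; the
    'suspicious' key is the overall verdict."""
    findings = {
        "scheme": None,          # scheme as typed, lower-cased
        "data_html": False,      # data: URL carrying text/html
        "lookalike_url": None,   # https://... string at the start of the payload
        "padding_spaces": 0,     # longest run of white space in the payload
        "has_script": False,     # a <script tag somewhere in the payload
        "suspicious": False,
    }
    scheme, _, rest = url.partition(":")
    findings["scheme"] = scheme.strip().lower()
    if findings["scheme"] != "data":
        # https:, http:, etc. are not the pattern this check is looking for.
        return findings

    # data:[<mediatype>][;base64],<data>
    header, _, payload = rest.partition(",")
    findings["data_html"] = header.lower().startswith("text/html")

    match = LOOKALIKE_RE.match(payload)
    if match:
        findings["lookalike_url"] = match.group(0)

    runs = PADDING_RE.findall(payload)
    findings["padding_spaces"] = max((len(r) for r in runs), default=0)
    findings["has_script"] = "<script" in payload.lower()

    findings["suspicious"] = findings["data_html"] and (
        findings["lookalike_url"] is not None
        or findings["padding_spaces"] >= PADDING_THRESHOLD
        or findings["has_script"]
    )
    return findings


def explain(findings: dict) -> list:
    """Turn the findings into the plain-language reasons a user would be shown."""
    reasons = []
    if findings["scheme"] == "data":
        reasons.append("address uses the data: scheme, not https:")
    if findings["data_html"]:
        reasons.append("the data: URL carries an inline HTML document")
    if findings["lookalike_url"]:
        reasons.append("payload begins with a lookalike URL: " + findings["lookalike_url"])
    if findings["padding_spaces"] >= PADDING_THRESHOLD:
        reasons.append("%d consecutive spaces hide the rest of the address"
                       % findings["padding_spaces"])
    if findings["has_script"]:
        reasons.append("a <script> tag follows the padding")
    return reasons


if __name__ == "__main__":
    for label, sample in (("deceptive", SAMPLE_DECEPTIVE), ("legitimate", SAMPLE_LEGIT)):
        result = inspect_address(sample)
        print(label, "-> suspicious:", result["suspicious"])
        for reason in explain(result):
            print("   ", reason)
```

The check deliberately keys on the structure of the address rather than on any particular script, because the hidden tail can be re-obfuscated at will while the `data:text/html,https://…` prefix and the padding are what make the deception work. A real deployment would also compare the lookalike host against the page’s actual origin; a `data:` document has no origin that matches `accounts.google.com`, which is the underlying reason the padlock and green `https://` never appear on the fake page.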


About The Author

Mohammad I. Shawabkeh
Management Information Systems Directorate
Royal Hashemite Court