Greetings,
I make no apologies for this: though this is a group dealing with Android,
this may prove not to be far off-topic, and I believe it to be far too
important to miss out.
I am pasting this in from the AccessUK group in its entirety, including
replies, as it is very, very nasty indeed and you should all be well aware
of it, especially those of you using Gmail and Googlemail accounts.
To: access-uk@xxxxxxxxxxxxx
Subject: [access-uk] Watch out for this email phishing attack
From: Mobeen Iqbal <mobeeniqbal@xxxxxxxxx>
Date: Fri, 13 Jan 2017 08:16:12 +0000
Here you go.
Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited
This entry was posted in General Security, Miscellaneous on January 12,
2017 by Mark Maunder
As you know, at Wordfence we occasionally send out alerts about security
issues outside of the WordPress universe that are urgent and have a wide
impact on our customers and readers. Unfortunately this is one of those
alerts. There is a highly effective phishing technique stealing login
credentials that is having a wide impact, even on experienced technical
users.
I have written this post to be as easy to read and understand as
possible. I deliberately left out technical details and focused on what
you need to know to protect yourself against this phishing attack and
other attacks like it in the hope of getting the word out, particularly
among less technical users. Please share this once you have read it to
help create awareness and protect the community.
The Phishing Attack: What you need to know
A new highly effective phishing technique targeting Gmail and other
services has been gaining popularity during the past year among
attackers. Over the past few weeks there have been reports of
experienced technical users being hit by this.
This attack is currently being used to target Gmail customers and is
also targeting other services.
The way the attack works is that an attacker will send an email to your
Gmail account. That email may come from someone you know who has had
their account hacked using this technique. It may also include something
that looks like an image of an attachment you recognize from the sender.
You click on the image, expecting Gmail to give you a preview of the
attachment. Instead, a new tab opens up and you are prompted by Gmail to
sign in again. You glance at the location bar and you see
accounts.google.com in there. It looks like this:
[image not reproduced]
You go ahead and sign in on a fully functional sign-in page that looks
like this:
[image: GMail data URI phishing sign-in page]
Once you complete sign-in, your account has been compromised. A
commenter on Hacker News describes in clear terms what they experienced
over the holiday break once they signed in to the fake page:
The attackers log in to your account immediately once they get the
credentials, and they use one of your actual attachments, along with one
of your actual subject lines, and send it to people in your contact list.
For example, they went into one students account, pulled an attachment
with an athletic team practice schedule, generated the screenshot, and
then paired that with a subject line that was tangentially related, and
emailed it to the other members of the athletic team.
The attackers signing into your account happens very quickly. It may be
automated or they may have a team standing by to process accounts as
they are compromised.
Once they have access to your account, the attacker also has full access
to all your emails including sent and received at this point and may
download the whole lot.
Now that they control your email address, they could also compromise a
wide variety of other services that you use by using the password reset
mechanism including other email accounts, any SaaS services you use and
much more.
What I have described above is a phishing attack that is used to steal
usernames and passwords on Gmail. It is being used right now with a high
success rate. However, this technique can be used to steal credentials
from many other platforms with many variations in the basic technique.
How to protect yourself against this phishing attack
You have always been told: Check the location bar in your browser to
make sure you are on the correct website before signing in. That will
avoid phishing attacks that steal your username and password.
In the attack above, you did exactly that and saw accounts.google.com
in the location bar, so you went ahead and signed in.
To protect yourself against this you need to change what you are
checking in the location bar.
This phishing technique uses something called a data URI to include a
complete file in the browser location bar. When you glance up at the
browser location bar and see data:text/html ... that is actually a very
long string of text. If you widen out the location bar it looks like this:
[image: GMail phishing data URI showing script]
There is a lot of whitespace which I have removed. But on the far right
you can see the beginning of what is a very large chunk of text. This is
actually a file that opens in a new tab and creates a completely
functional fake Gmail login page which sends your credentials to the
attacker.
As you can see on the far left of the browser location bar, instead of
https you have data:text/html, followed by the usual
https://accounts.google.com ... If you aren't paying close attention,
you will ignore the data:text/html preamble and assume the URL is safe.
You are probably thinking you're too smart to fall for this. It turns
out that this attack has caught, or almost caught several technical
users who have either tweeted, blogged or commented about it. There is
a specific reason why this is so effective that has to do with human
perception. I describe that in the next section.
How to protect yourself
When you sign in to any service, check the browser location bar and
verify the protocol, then verify the hostname. It should look like this
in Chrome when signing into Gmail or Google:
[image: Gmail phishing secure URI example]
Make sure there is nothing before the hostname accounts.google.com
other than https:// and the lock symbol. You should also take special
note of the green color and lock symbol that appears on the left. If you
can't verify the protocol and verify the hostname, stop and consider
what you just clicked on to get to that sign-in page.
Enable two factor authentication if it is available on every service
that you use. GMail calls this 2-Step Verification and you can find
out how to enable it on this page.
Enabling two factor authentication makes it much more difficult for an
attacker to sign into a service that you use, even if they manage to
steal your password using this technique. I would like to note that
there is some discussion that indicates even two factor authentication
may not protect against this attack. However I have not seen a proof of
concept, so I can not confirm this.
Why Google won't fix this and what they should do
Google's response to a customer asking about this was as follows:
The address bar remains one of the few trusted UI components of the
browsers and is the only one that can be relied upon as to what origin
are the users currently visiting. If the users pay no attention to the
address bar, phishing and spoofing attack are obviously trivial.
Unfortunately that's how the web works, and any fix that would try to
e.g. detect phishing pages based on their look would be easily
bypassable in hundreds of ways. The data: URL part here is not that
important as you could have a phishing on any http[s] page just as well.
This is likely a junior person within the organization based on the
grammatical errors. I disagree with this response for a few reasons:
Google have modified the behavior of the address bar in the past to show
a green protocol color when a page is using HTTPS and a lock icon to
indicate it is secure.
[image: Gmail phishing secure URI example]
They also use a different way of displaying the protocol when a page is
insecure, marking it red with a line through it:
During this attack, a user sees neither green nor red. They see ordinary
black text:
That is why this attack is so effective. In user interface design and in
human perception, elements that are connected by uniform visual
properties are perceived as being more related than elements that are
not connected. [Read more: Gestalt principles of human perception and
uniform connectedness and Content Blindspots]
In this case the data:text/html and the trusted hostname are the
same color. That suggests to our perception that they're related and the
data:text/html part either doesn't matter or can be trusted.
What Google needs to do in this case is change the way data:text/html
is displayed in the browser. There may be scenarios where this is safe,
so they could use an amber color with a unique icon. That would alert
our perception to a difference and we would examine it more closely.
Update: How to check if your account is already compromised
I've had two requests in the comments about this so I'm adding this
section now (at 9:39am Pacific time, 12:39am EST).
There is no sure way to check if your account has been compromised. If
in doubt, change your password immediately. Changing your password every
few months is good practice in general.
If you use GMail, you can check your login activity to find out if
someone else is signing into your account. Visit
https://support.google.com/mail/answer/45938?hl=en for info. To use this
feature, scroll to the bottom of your inbox and click Details (very
small in the far lower right hand corner of the screen). This will show
you all currently active sessions as well as your recent login history.
If you see active logins from unknown sources, you can force close them.
If you see any logins in your history from places you don't know, you
may have been hacked. [Thanks Ken, I pasted your comment in here almost
verbatim. Very helpful.]
There is a trustworthy site run by Troy Hunt who is a well known
security researcher where you can check if any of your email accounts
have been part of a data leak. Troy's site is
https://haveibeenpwned.com/ and it is well known in security circles.
Simply enter your email address and hit the button.
Troy aggregates data leaks into a database and gives you a way to look
up your own email in that database to see if you have been part of a
data breach. He also does a good job of actually verifying the data
breaches he is sent.
Spread the word
I'll be sharing this on Facebook to create awareness among my own family
and friends. This attack is incredibly effective at fooling even
technical users for the reasons I have explained above. I have the sense
that most ordinary users will be easy pickings. Please share this with
the community to help create awareness and prevent this from having a
wider impact.
Mark Maunder Wordfence Founder/CEO.
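The location-bar check recommended in the post above (verify the protocol, then the hostname, and treat a leading data:text/html as a red flag), written out as an added example for this page; it is not code from the Wordfence post or from Google. It goes one step beyond the post by also rejecting a lookalike hostname that merely begins with accounts.google.com. The sample location-bar strings are constructed for the example, and a Node.js runtime with the WHATWG URL class is assumed.

```javascript
// Added example, not from the Wordfence post: classify what the browser's
// location bar shows before typing a password into the page it displays.
// Assumes a Node.js runtime; the WHATWG URL class has been global since Node 10.

// Location-bar strings constructed for this example (not captured from a real
// attack). The first mimics the trick the post describes: a data: URI whose
// body opens with the trusted hostname, then a long run of whitespace, then the
// HTML that actually builds the fake sign-in page.
const SAMPLE_DATA_URI =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
  " ".repeat(200) +
  "<script>/* fake sign-in form would be built here */</script>";
// A genuine Google sign-in page.
const SAMPLE_REAL_URI =
  "https://accounts.google.com/ServiceLogin?service=mail&passive=true";
// A lookalike hostname (hypothetical) that merely begins with the trusted name.
const SAMPLE_LOOKALIKE_HOST =
  "https://accounts.google.com.example.net/ServiceLogin";

// Returns { verdict: "ok" | "reject", reason }. Only an https: origin whose
// hostname is exactly expectedHost is accepted; everything else is rejected
// with a reason a user (or a browser extension) could display.
function classifyLocation(locationBar, expectedHost) {
  let url;
  try {
    url = new URL(locationBar.trim());
  } catch (err) {
    return { verdict: "reject", reason: "not a parseable URL" };
  }

  if (url.protocol === "data:") {
    // A data: URI has no origin. Whatever hostname appears inside it is just
    // text in the page body, so search the raw string for the expected host
    // to tell an impersonation apart from an ordinary inline document.
    const impersonates = locationBar.includes(expectedHost);
    return {
      verdict: "reject",
      reason: impersonates
        ? "data: URI whose body impersonates " + expectedHost
        : "data: URI has no origin to verify",
    };
  }

  if (url.protocol !== "https:") {
    return { verdict: "reject", reason: "scheme is " + url.protocol + ", not https:" };
  }

  // Exact match only: "accounts.google.com.example.net" must not pass just
  // because it contains the expected name.
  if (url.hostname !== expectedHost) {
    return {
      verdict: "reject",
      reason: "hostname is " + url.hostname + ", not " + expectedHost,
    };
  }

  return { verdict: "ok", reason: "https origin " + url.origin };
}

// Usage: run each constructed sample through the check.
for (const sample of [SAMPLE_REAL_URI, SAMPLE_DATA_URI, SAMPLE_LOOKALIKE_HOST]) {
  const result = classifyLocation(sample, "accounts.google.com");
  console.log(result.verdict.padEnd(6), result.reason);
}
```

The parse step is the point: once the string is parsed, a data: URI reports protocol "data:" and an empty hostname, so the hostname a human "sees" inside it never reaches the comparison. The same two properties, protocol and hostname, are what the post tells you to read off the location bar by eye.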
On 13/01/2017 08:12, Les Smithson wrote:
If this is genuine then perhaps the OP could paste the content of the
web site?
John Gurd writes:
> Hi Mo
>
> I didn't click on the link as I'm checking to make sure this email
> is genuine. Do you know tinyurl.com is itself used in hack attacks? Did you
> really send this or have you got a virus doing it?
>
>
>
> John
>
>
>
>
>
> From: access-uk@xxxxxxxxxxxxx [mailto:access-uk@xxxxxxxxxxxxx] On Behalf Of
> Mobeen Iqbal
> Sent: 13 January 2017 07:12
> To: BCAB Discussion List
> Subject: [access-uk] Watch out for this email phishing attack
>
>
>
> Hello everyone.
> I would urge everyone to watch out for this very devious email trick that
> hackers are pulling. The following link contains all the details.
> http://tinyurl.com/h2vsypv
> Cheers,
> Mo.
>