Scammers are always coming up with more and more inventive ways to get your information. According to Satnam Narang, Senior Security Response Manager at Norton by Symantec, scammers are targeting Gmail users by sending emails from contacts who have already been hacked.
The email looks like it contains an attachment, but what you actually see is an embedded image that, once clicked, sends you to a page that imitates the standard Google sign-in page. If you make the mistake of logging in there, the attacker has your credentials.
"This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh" (Tom Scott, @tomscott, December 23, 2016)
"This is disturbingly clever. You get sent to a text/html data URI! Not testing any further but, blimey, talk about using power for evil. pic.twitter.com/TamVn7DBfW" (Tom Scott, @tomscott, December 23, 2016)
Narang warns that these scam emails are incredibly professional, and are designed to look much more realistic than your average phishing email.
And people are already falling for it. In one school district, a compromised account sent out what appeared to be a practice schedule, and the recipients who signed in had their accounts compromised in turn.
There is one thing you can do, though. "The best way to identify this attack is to look at the address bar. In this case, look for the words 'data:/text/html' at the beginning of the URL," Narang says. "If you see this, close the browser tab and alert your friend that their account has been compromised."
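The check Narang describes, looking at whether the address bar begins with a data: URI instead of an https:// origin, can be written down as a small classifier. The script below is an added example for this article, not code from Norton, Google or anyone quoted here. It goes slightly beyond the tip in the text: besides flagging a data:text/html address, it decodes the payload (percent-encoded or base64) and reports whether the embedded HTML contains a password field or Google branding, which is what a help-desk or security team would want to see when a user forwards a suspicious address. The sample addresses and the hypothetical `assess_address` function are constructed for the example.

```python
"""Classify an address-bar value: is it a data: URI carrying an HTML sign-in page?

Added example for the article above; not the vendor's code. The sample
addresses in SAMPLES are constructed and do not reproduce any real lure.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

# Matches <input ... type=password ...> with optional quotes and spacing.
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
BRAND_WORDS = re.compile(r"google|gmail|sign in", re.I)
EXPECTED_SIGNIN_HOST = "accounts.google.com"


def parse_data_uri(url):
    """Split a data: URI into (media_type, is_base64, decoded_payload).

    Returns None when the value is not a data: URI. Surrounding whitespace
    is stripped because a copied address often carries some.
    """
    url = url.strip()
    if not url.lower().startswith("data:"):
        return None
    header, sep, payload = url[5:].partition(",")
    if not sep:
        return None  # a data: URI must have the "<mediatype>[;base64]," header
    params = [p.strip() for p in header.split(";")]
    media_type = (params[0] or "text/plain").lower()  # RFC 2397 default
    is_base64 = any(p.lower() == "base64" for p in params[1:])
    if is_base64:
        # Browsers tolerate missing "=" padding, so restore it before decoding.
        padded = payload + "=" * (-len(payload) % 4)
        try:
            decoded = base64.b64decode(padded).decode("utf-8", "replace")
        except ValueError:
            decoded = ""
    else:
        decoded = unquote(payload)
    return media_type, is_base64, decoded


def assess_address(url):
    """Return {'verdict': ..., 'reasons': [...]} for one address-bar value."""
    reasons = []
    parsed = parse_data_uri(url)
    if parsed is None:
        parts = urlsplit(url.strip())
        if parts.scheme == "https" and parts.hostname == EXPECTED_SIGNIN_HOST:
            return {"verdict": "expected-sign-in-host", "reasons": reasons}
        return {"verdict": "not-a-data-uri", "reasons": reasons}

    media_type, is_base64, body = parsed
    reasons.append("address is a data: URI, not an https:// origin")
    if media_type == "text/html":
        reasons.append("payload is an HTML document")
    if is_base64:
        reasons.append("payload is base64-encoded, so its content is hidden from a glance")
    if EXPECTED_SIGNIN_HOST in url:
        reasons.append("the real sign-in host name appears inside the data: URI text")
    if PASSWORD_FIELD.search(body):
        reasons.append("decoded HTML contains a password field")
    if BRAND_WORDS.search(body):
        reasons.append("decoded HTML carries Google/Gmail branding")
    verdict = "phishing-indicator" if media_type == "text/html" else "data-uri-other"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample addresses (not real lures) to exercise the classifier.
SAMPLES = {
    "legit": "https://accounts.google.com/ServiceLogin?service=mail",
    "lure_plain": (
        "data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
        + " " * 40
        + "<html><form><input type=password name=pw></form></html>"
    ),
    "lure_base64": "data:text/html;base64,"
    + base64.b64encode(
        b'<html><body><h1>Sign in</h1><input type="password"></body></html>'
    ).decode("ascii"),
    "benign_image": "data:image/png;base64,iVBORw0KGgo=",
}


if __name__ == "__main__":
    for name, address in SAMPLES.items():
        result = assess_address(address)
        print(f"{name}: {result['verdict']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

Run it directly to see each constructed sample classified; a data:text/html address is reported as a phishing indicator on its own, with the decoded-content findings listed as supporting reasons. The host-name check is deliberately a substring test over the whole URI text, because the point from the article is that the legitimate name can appear in an address that is not an https:// origin at all.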
And if you enable two-step verification for your Gmail account, hackers won't be able to access your account even if you do fall for it.
In a statement about the attack, a Google spokesperson said:
“We're aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”