Strategy_Doc.PDF from the next cubicle is actually a portal to p0wnage
An newly-detected Gmail phishing attack sees criminals hack and then rifle through inboxes to target account owners’ contacts with thoroughly convincing fake emails.
The new attack uses the file names of sent attachments and applies that name into new attachments that appear to be PDFs but are actually images that, when clicked, send victims to phishing pages.

Suitable subject lines stolen from sent emails are applied to the new phishing emails, making the mischievous messages more legitimate.
Even the URL to which the attachments point is crafted to appear legitimate, bearing the domain, says WordFence chief executive officer Mark Maunder who reported the attacks.
“You are probably thinking you’re too smart to fall for this: It turns out that this attack has caught, or almost caught several technical users who have either tweeted, blogged or commented about it,” Maunder says.
“It is being used right now with a high success rate … this technique can be used to steal credentials from many other platforms with many variations in the basic technique.”
The phishing landing page.
Image: WordFence.

Users who fall for the attacks can be saved by two factor authentication.
One user claiming to be a system administrator at a school says the attacks compromised students and three staff within two hours, using an athletic schedule paired with a subject line to pull off the attacks.

This is the closest I’ve ever come to falling for a Gmail phishing attack.
If it hadn’t been for my high-DPI screen making the image fuzzy…
— Tom Scott (@tomscott) December 23, 2016
Attackers use the data URI scheme to embed a file in the browser location bar which executes once their malicious attachment is clicked, displaying the fake Google login page and address.
Keen eyed users may spot the URL prefix data:text/html or the lower resolution Google image in the phishing page.
Brilliant phishing attack probes sent mail, sends fake attachments
White space separates and hides the URL from the file text which invokes the phishing page in a new browser tab.
Maunder says the phishing attacks do not trigger Google’s green or red secure and insecure HTTPS security indicators, giving it an appearance of uniformity that makes the attacks highly effective.
“In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected,” he says.
He recommends Google change the colour of the data:text/html prefix to amber which would grab user’s attention. ®
Sponsored: Customer Identity and Access Management

Leave a Reply