Wednesday, January 18th, 2017

Sophisticated Attack on Gmail Accounts

A new type of phishing attack on Gmail has appeared that can fool even IT pros:

“This is the closest I’ve ever come to falling for a Gmail phishing attack. If it hadn’t been for my high-DPI screen making the image fuzzy…”
@tomscott

The phishing email

The attack begins like many of its kind – with a phishing email and a malicious link. Nothing new here. The email is nicely crafted, and the link is hidden behind an image that pretends to be a PDF attachment.

(image from Twitter @tomscott)

The clever part comes next. The "attachment" is actually a link that uses a data URI.
The domain accounts.google.com appears in this URL and looks legitimate, and there is no warning about an improper SSL certificate, because a data: URL opens no network connection at all and therefore involves no certificate:


TIP: Paste this into your browser's address bar to see how it works:

data:text/html,https://accounts.google.com/ServiceLogin

What is happening is that the content of this HTML "page" is not fetched from any server: the browser renders the HTML embedded in the address bar itself.
So malicious HTML, including a keylogger script, can be placed directly in this URL.

Won't such a link look suspicious?

Well, yes, it must contain a lot of HTML … But this is where another "hack" comes in. Before the HTML part of the malicious URL starts, the attacker inserts just enough whitespace that the code is pushed past the right end of the address bar:

Because the malicious HTML is pushed to the right and disappears where the address bar ends, it is not visible at ordinary screen sizes (and the number of spaces can simply be adjusted to match even the highest resolution).
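To make the mechanism concrete from the defender's side, here is an added example (not code from the original post) that parses a link target as a data: URI, spots the decoy https:// prefix, measures the whitespace run that hides the rest, and flags the markup that a narrow address bar would push out of view. The sample links, the padding threshold and the function names are assumptions constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample link targets for this demo (not taken from the original post).
SAMPLE_LINKS = [
    "https://accounts.google.com/ServiceLogin",
    # decoy Google URL, then hundreds of encoded spaces, then the hidden markup
    "data:text/html,https://accounts.google.com/ServiceLogin" + "%20" * 300
    + "<html><body><form><input name=pw type=password></form></body></html>",
    "data:text/html;base64,PGh0bWw+PC9odG1sPg==",
]

# RFC 2397 shape: data:[<mediatype>][;base64],<payload>
DATA_URI = re.compile(r"^data:(?P<mediatype>[^,;]*)(?P<params>(?:;[^,;]*)*),(?P<payload>.*)$",
                      re.IGNORECASE | re.DOTALL)
DECOY_URL = re.compile(r"^\s*https?://([^\s/<>\"']+)", re.IGNORECASE)
PADDING_THRESHOLD = 20  # a whitespace run longer than this looks like deliberate hiding


def analyse_link(href: str) -> dict:
    """Classify one link target and record why it is (or is not) a data: URI phish."""
    report = {"href": href, "is_data_uri": False, "mediatype": None, "base64": False,
              "decoy_host": None, "padding_run": 0, "hidden_markup": False, "verdict": "allow"}
    m = DATA_URI.match(href.strip())
    if not m:
        return report
    # The post's rule is simple: any data: link is blocked. The rest explains why.
    report.update(is_data_uri=True, verdict="block",
                  mediatype=(m.group("mediatype") or "text/plain").lower(),
                  base64="base64" in m.group("params").lower())
    if report["base64"]:
        return report  # opaque payload; the block verdict already stands
    payload = unquote(m.group("payload"))  # %20 padding becomes real spaces
    decoy = DECOY_URL.match(payload)
    if decoy:
        report["decoy_host"] = decoy.group(1).lower()
    longest = max(re.finditer(r"\s+", payload), key=lambda r: len(r.group()), default=None)
    if longest:
        report["padding_run"] = len(longest.group())
        # markup after a long whitespace run is exactly what a narrow address bar hides
        if report["padding_run"] > PADDING_THRESHOLD and "<" in payload[longest.end():]:
            report["hidden_markup"] = True
    return report


def scan_links(links):
    """Return the reports of every link target that should be blocked."""
    return [r for r in map(analyse_link, links) if r["verdict"] == "block"]
```

Running `scan_links` over the hrefs extracted from an incoming email is enough to block every data: link, and the report fields give the analyst the padding length and decoy host to show users during awareness training.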

Try clicking the link below:

Google Login


Although this particular attack is aimed at Gmail users, the data URI technique is universal. The same technique can be used against other websites (even your own web application can become a target):

Facebook Login


How to defend?

  • First, and most importantly, make sure the address bar shows the indicator of an encrypted SSL/TLS connection (an https:// address, not one starting with data:).
  • Secondly, use 2FA (two-factor authentication) wherever you can. It is very easy to turn on for most applications and it does give you that extra layer of security.
  • Don't click any URLs that begin with data: – and if you already have, close the browser immediately.
  • Last but not least, educate your employees and colleagues. Smarttech have partnered with Security Innovation to deliver the best security awareness training program that will keep your organisation safe and cyber-aware. We are now offering a FREE 7-day trial of the training program.


    Copyright Smarttech247 - 2021