The ‘highly effective’ phishing technique is even fooling experienced users.
Look closely before you download an attachment someone sends you on Gmail—even if it’s someone you know.
Security experts discovered a clever phishing scheme that fools users into clicking a fake image of an attachment, which opens a fake Gmail login page. Assuming Gmail logged them out by accident, users re-enter their username and password—only for the credentials to be quickly scooped up by hackers.
As security firm WordFence explains, the fake attachments phishing scheme gained popularity among hackers in 2016, and in the past few weeks, it has fooled even “experienced technical users.” What makes it such an effective con?
The phishing email can even come from someone you know and carry an attachment that looks like something that person would send.
Here’s how one commenter from Hacker News described it:
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
“For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
The commenter added that the hackers used a bit.ly URL to hide the fake link’s address, a method identical to the one experts say Russian hackers used in hacks against the Democratic National Committee and Hillary Clinton campaign chairman John Podesta.
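The lure described above is an image that looks like an attachment but is really a link, with a URL shortener hiding where it goes. The following is an added example, not code from the article, WordFence or Google: a small scanner that walks an HTML message body and flags any image wrapped in a link whose target is a data: URI or a known shortener host. bit.ly is the shortener the article names; the other hosts in the list, the sample message and the `cid:` image references are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# bit.ly is the shortener named in the article; the other hosts are assumed for illustration.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}


class LinkedImageScanner(HTMLParser):
    """Record every <img> that is wrapped in an <a href=...> together with its link target."""

    def __init__(self):
        super().__init__()
        self._open_href = None   # href of the <a> we are currently inside, if any
        self.linked_images = []  # (href, img src) pairs found in the body

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open_href = attrs.get("href") or ""
        elif tag == "img" and self._open_href is not None:
            self.linked_images.append((self._open_href, attrs.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_href = None


def classify_link_target(href):
    """Say what kind of destination a link points at."""
    parsed = urlparse(href.strip())
    if parsed.scheme == "data":
        return "data-uri"      # the page is embedded in the URL itself; there is no real host
    if parsed.scheme in ("http", "https") and parsed.hostname in SHORTENER_HOSTS:
        return "shortener"     # the real destination is hidden behind a redirect
    if parsed.scheme == "https":
        return "https"
    return "other"


def find_fake_attachment_links(html_body):
    """Return the linked images whose target is a data: URI or a URL shortener.

    A genuine Gmail attachment is not an image that links out of the message, so an
    <img> wrapped in one of these links is worth flagging before anyone clicks it.
    """
    scanner = LinkedImageScanner()
    scanner.feed(html_body)
    scanner.close()
    findings = []
    for href, src in scanner.linked_images:
        kind = classify_link_target(href)
        if kind in ("data-uri", "shortener"):
            findings.append({"href": href, "image": src, "reason": kind})
    return findings


# Constructed sample message body (not taken from any real phishing email).
SAMPLE_EMAIL = """
<p>Hi team, here is the updated practice schedule.</p>
<a href="https://bit.ly/CONSTRUCTED-example"><img src="cid:schedule-preview" alt="practice-schedule.pdf"></a>
<p>The logo below is an ordinary linked image:</p>
<a href="https://www.example.org/"><img src="cid:logo" alt="team logo"></a>
"""


if __name__ == "__main__":
    for f in find_fake_attachment_links(SAMPLE_EMAIL):
        print(f"flag: image {f['image']!r} links to {f['href']} ({f['reason']})")
```

Run against the constructed sample, the scanner flags only the "practice schedule" image, because its link goes through bit.ly, and leaves the plainly linked logo alone. A mail gateway would want a longer shortener list and would also resolve the shortened link in a sandbox before deciding, but the structural signal, an image standing in for an attachment, is the one the commenter describes.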
Also, the fake log-in page is a perfect clone of Gmail’s—even down to the user interface—as noted on GitHub.
Google says it is working on solutions to help better protect its users from this particular attack while stressing that it has other protections already in place.
“We’re aware of this issue and continue to strengthen our defenses against it,” a Google spokesperson told the Daily Dot in an email. “We help protect users from phishing attacks in a variety of ways, including: machine learning-based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”
So how do you prevent becoming a victim of this nefarious phishing scheme? According to WordFence, the answer lies in the address bar.
On the phony Google login page, the address bar shows “data:text/html,” followed by “https://accounts.google.com….” instead of an address beginning with “https”.
To avoid being scammed, always, always, always check the URL and host name of a site before you enter your credentials.
Look for the magic green key:
“You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.”
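The address-bar check above can be written down precisely, which makes it easier to teach and to build into a browser extension or a security-awareness exercise. The following is an added example, not code from the article, WordFence or Google: it parses whatever the address bar shows and distinguishes the genuine https sign-in host from a data: URI that merely contains the string "https://accounts.google.com" as decoration, from plain http, and from any other host. The host name accounts.google.com comes from the article; the sample address-bar strings are constructed.

```python
from urllib.parse import urlparse

# The genuine Google sign-in host named in the article.
EXPECTED_LOGIN_HOST = "accounts.google.com"


def classify_address_bar(address_bar_text, expected_host=EXPECTED_LOGIN_HOST):
    """Classify what the address bar shows on a sign-in page.

    Returns one of:
      "genuine"         https, and the host is exactly the expected one
      "data-uri-clone"  a data: URI whose body contains the expected https address as
                        decoration, which is what the fake Gmail page looks like
      "data-uri"        any other data: URI (still not a real site)
      "insecure-http"   plain http to the expected host, so no TLS and no lock
      "wrong-host"      https, but a host other than the expected one
      "unknown"         anything else (mailto:, a blank bar, ...)
    """
    text = address_bar_text.strip()
    parsed = urlparse(text)
    scheme = parsed.scheme.lower()

    if scheme == "data":
        # urlparse puts everything after "data:" into .path; an "https://..." string
        # inside that payload is just text, not the location the page was loaded from.
        if "https://" + expected_host in parsed.path:
            return "data-uri-clone"
        return "data-uri"
    if scheme == "https" and parsed.hostname == expected_host:
        return "genuine"
    if scheme == "http" and parsed.hostname == expected_host:
        return "insecure-http"
    if scheme == "https" and parsed.hostname:
        return "wrong-host"
    return "unknown"


def safe_to_enter_credentials(address_bar_text, expected_host=EXPECTED_LOGIN_HOST):
    """The check the article recommends, as a boolean: only https on the exact host passes."""
    return classify_address_bar(address_bar_text, expected_host) == "genuine"


if __name__ == "__main__":
    # Constructed samples of what an address bar might show.
    samples = [
        "https://accounts.google.com/ServiceLogin",
        "data:text/html,https://accounts.google.com/ServiceLogin",
        "http://accounts.google.com/ServiceLogin",
        "https://login.example.net/ServiceLogin",
    ]
    for s in samples:
        verdict = "OK" if safe_to_enter_credentials(s) else "STOP"
        print(f"{classify_address_bar(s):15} {verdict:4} {s}")
```

The point of the "data-uri-clone" case is that string matching on the visible text is exactly the mistake the phishing page exploits: the real address is the scheme and host the browser parsed, not the characters that happen to appear later in the bar. Only the "genuine" verdict, https on the exact expected host, corresponds to the green lock the WordFence advice tells you to look for.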
Update 4:44pm CT, Jan. 18: Added comment from Google.
Amrita Khalid is a technology and politics reporter who specializes in breaking down complex issues into practical, useful terms. A former contributor to CQ, a Congressional news and analysis site, she's currently a master's candidate in international relations at the University of Leeds.