Tuesday, January 17, 2017

Has YOUR Gmail account been hacked? A new phishing scam is so convincing it has even fooled tech experts: Here's what to look out for

  • A fake email is circulating which provides a link to a PDF file
  • If you click on the link, it takes you to a fake Gmail login page
  • Entering your credentials causes your account to be compromised
  • The attacker can then look through your sent messages folder and forward the email on from your account to your friends using your style of writing 
Gmail is the latest victim of a phishing scam that is even fooling experienced technical users. 
The scam is being described as one of the most convincing yet, and tricks users into giving their Google login details, allowing the attacker to sift through their messages.
Emails containing the rogue attachment can come from people in the recipient's own address book, and the attacker can even copy their style of writing, convincingly passing the fake email on to the victim's contacts.
Gmail users are being warned of a phishing scam that tricks them into giving up their Google login details, before sifting through their sent messages folder for new victims to pass the email on to

HOW IT WORKS 

Emails can appear to come from people in your address book.
The fake email uses image attachments that look like a PDF file.
When you click on the attachment, you are directed to phishing pages, disguised as the Google sign-in page.
If you enter your details, your Gmail account becomes compromised, allowing the attacker to sift through your sent messages folder and pass on the scam.
Even more worryingly, the phishing page does not trigger the browser's usual insecure-site warning: it is served from a data: URI rather than fetched from a web site, so the address bar shows neither a 'Not secure' flag nor the green lock that marks a genuine HTTPS page.
The scam was discovered by Mark Maunder, CEO of Wordfence, the security service for WordPress.
Mr Maunder said that the scam was so convincing that it even fooled 'experienced technical users.'
A commenter on Hacker News, an IT person whose school's server suffered an attack, described what happened once users signed in to the fake page:
'The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
'For example, they went into one student's account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.'
The attackers sign into the account very quickly, experts warn.
'It may be automated or they may have a team standing by to process accounts as they are compromised.'
The fake email uses image attachments that look like a PDF file. When you click on the attachment, you are directed to phishing pages, disguised as the Google sign-in page (pictured)
Writing on Wordfence, Mr Maunder said: 'Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.
'Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.'
To avoid being a victim of the scam, Mr Maunder recommends enabling two-factor authentication, and keeping a look out for the prefix 'data:text/html' in the browser location bar – a sign of a fake web page.
He said: 'Make sure there is nothing before the host name 'accounts.google.com' other than 'https://' and the lock symbol.
'You should also take special note of the green colour and lock symbol that appears on the left. If you can't verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.' 
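Mr Maunder's location-bar check, and the data: URI trick described under 'HOW IT WORKS' above, can be turned into a small checker that a help desk or a security awareness team could hand to users. The JavaScript below is an added example written for this post, not code from Wordfence or the Daily Mail; it runs under Node.js using the built-in WHATWG URL parser, and every address in it is constructed for illustration rather than copied from a real lure.

```javascript
// Added example for this post (not Wordfence's or the Daily Mail's code).
// Runs under Node.js (WHATWG URL parser is built in); no network access.
// Every address in SAMPLES is constructed for illustration only.

// The one host that should ever receive a Google password.
const EXPECTED_HOST = "accounts.google.com";

// Schemes that render attacker-supplied content without any web server.
// The 2017 lure used "data:text/html,...": no site, no certificate, no lock.
const NON_NETWORK_SCHEMES = new Set(["data:", "blob:", "javascript:", "about:"]);

// Return { ok, reason } for a string copied from the browser's location bar.
function classifyLocation(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, reason: "location is not a valid URL" };
  }

  if (NON_NETWORK_SCHEMES.has(url.protocol)) {
    // Everything after "data:text/html," is the page body, so a literal
    // "https://accounts.google.com/..." there is only decoy text.
    return { ok: false, reason: "inline " + url.protocol + " content, not a web site" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme is " + url.protocol + ", not https:" };
  }
  if (url.username !== "" || url.password !== "") {
    // "https://accounts.google.com@evil.example/": the text before "@" is a
    // username; the real host is what follows it.
    return { ok: false, reason: "userinfo before host; real host is " + url.hostname };
  }
  if (url.hostname !== EXPECTED_HOST) {
    // Exact match only: "accounts.google.com.evil.example" and
    // "accounts-google.com" both fail here.
    return { ok: false, reason: "host is " + url.hostname + ", not " + EXPECTED_HOST };
  }
  return { ok: true, reason: "https origin is " + url.origin };
}

// For a data:text/html URI, return the leading text a user would see in a
// narrow location bar: the payload up to the first whitespace or tag.
// This shows that the convincing prefix is simply the first bytes of the page body.
function visibleDecoy(href) {
  const m = /^data:text\/html,([^\s<]*)/i.exec(href);
  return m ? m[1] : null;
}

// Constructed samples: one genuine sign-in URL and four lookalikes.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
    " ".repeat(40) + "<script>/* attacker-controlled page goes here */</script>",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com@accounts-google.example/ServiceLogin",
  "https://accounts.google.com.example.net/ServiceLogin",
];

// Classify a list of locations, keeping the input beside each verdict.
function classifyAll(hrefs) {
  return hrefs.map((h) => ({ href: h, ...classifyLocation(h) }));
}

for (const r of classifyAll(SAMPLES)) {
  console.log((r.ok ? "OK   " : "STOP ") + r.reason);
  const decoy = visibleDecoy(r.href);
  if (decoy !== null) console.log("      visible decoy text: " + decoy);
}
```

The checker refuses any data: location outright rather than inspecting its contents, because once the scheme is data: the browser is rendering whatever bytes follow the comma and no certificate or hostname was ever involved; the `visibleDecoy` helper only exists to show that the reassuring 'https://accounts.google.com/...' at the start of the lure is the first line of that page body, padded with whitespace so that the real payload scrolls out of view. The hostname comparison is an exact string match on purpose: prefix or substring tests would wave through both `accounts.google.com.example.net` and the userinfo trick where the real host hides after an `@`.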

FIVE STEPS TO MORE SECURE ONLINE OPERATIONS 

Even using this checklist can't guarantee stopping every attack or preventing every breach. But following these steps will make it significantly harder for hackers to succeed. 
1) Enable two-factor authentication (2FA). Most major online services, from Amazon to Apple, today support 2FA.
When it's set up, the system asks for a login and password just like usual – but then sends a unique numeric code to another device, using text message, email or a specialized app.
Without access to that other device, the login is refused. That makes it much harder to hack into someone's account – but users have to enable it themselves.
2) Encrypt your internet traffic. A virtual private network (VPN) service encrypts digital communications, making it hard for hackers to intercept them.
Everyone should subscribe to a VPN service, some of which are free, and use it whenever connecting a device to a public or unknown Wi-Fi network.
3) Tighten up your password security. This is easier than it sounds, and the danger is real: Hackers often steal a login and password from one site and try to use it on others.
To make it simple to generate – and remember – long, strong and unique passwords, subscribe to a reputable password manager that suggests strong passwords and stores them in an encrypted file on your own computer.
4) Monitor your devices' behind-the-scenes activities. Many computer programs and mobile apps keep running even when they are not actively in use.
Most computers, phones and tablets have a built-in activity monitor that lets users see the device's memory use and network traffic in real time.
You can see which apps are sending and receiving internet data, for example. If you see something happening that shouldn't be, the activity monitor will also let you close the offending program completely.
5) Never open hyperlinks or attachments in any emails that are suspicious.
Even when they appear to come from a friend or coworker, use extreme caution – their email address might have been compromised by someone trying to attack you.
When in doubt, call the person or company directly to check first – and do so using an official number, never the phone number listed in the email.
- Arun Vishwanath, Associate Professor of Communication, University at Buffalo, State University of New York 



Read more: http://www.dailymail.co.uk/sciencetech/article-4127606/Gmail-latest-victim-phishing-scam.html#ixzz4W3JEA4nb
