A phishing scam that’s so convincing it even fooled experienced technical users is going around on Gmail, trying to get a hold of your login details.

Image credits Gerd Altmann / Pixabay.

It looks like a genuine email one of your friends sent you. There’s even an attachment — something important that he or she is sending you. When you try to download it, you’re taken to a page requesting your log-in credentials. Huh. Must be those wacky Google geeks, always working hard to improve security. You log in.

Congratulations my friend, you’ve just hacked yourself.

How to spot it

The scam is one of the most convincing ever made, and works to trick users into giving up their user credentials, thus allowing the attacker full access to their inbox. It all starts with one email containing a rogue PDF attachment. This message will come from people in your own address book and it’s extremely convincing, even copying their style of writing and to a certain extent, personal touches such as commonly used idioms or smiley faces.

Once you click on the attachment, you will be redirected to a phishing page that looks like the Google sign-in. The scam doesn’t seem to trigger Google’s HTTPS security warnings which usually tell you you’ve reach a shady page. Immediately after you log in, the attackers access your account and use one of your own attachments and subject lines to form a malicious email that is sent to your entire contact list.

A HackerNews user reported on the scam:

“They went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”

“It may be automated or they may have a team standing by to process accounts as they are compromised.”

Thankfully, Mark Maunder of Wordfence, the company that provides security services for WordPress, discovered the scam.

“Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot,” he wrote on Wordfence.

“Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.”

How not to be phished

Maunder recommends enabling two-factor authentication for your account so no one else can access it even if your credentials are compromised. He also says you should keep an eye out for “data:text/html” in the browser location bar, as it’s a clear sign of a fake page.

“You should also take special note of the green colour and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.”