The New Email Scam That's Even Fooling the Experts

January 18th 2017

Mike Rothschild

Gmail is one of the most popular free email providers on the internet, and has the technical expertise of Google ensuring it remains safe and secure.

Even so, Gmail is the target of a complex new phishing scam that's stealing passwords from seasoned information security professionals and casual users alike.

According to a detailed post on the security blog WordFence, the scam works like this:

"[A]n attacker will send an email to your Gmail account. That email may come from someone you know who has [also] had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again."

But that second page is part of the scam, and once you log in, you're compromised. Hackers will immediately have access to your Gmail account and everything in it.

What makes the scam so tricky is that both the phishing email and the second page look completely legitimate. The usual way to check whether a link is a scam, inspecting the address, is complicated by the fact that the address bar actually contains a link to Google.

But the link is actually an executable file called a "data URI," and not a link to Gmail.

[Image: Gmail Phishing Scam]

The key to knowing whether the new tab you're looking at is part of the scam is the "data:text/html" bit at the start of the address bar. That's the beginning of an executable file and shouldn't be part of any internet link.

As WordFence puts it:

"Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page."

[Image: Gmail Phishing Scam]
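The two checks above (no "data:" at the front of the address, and nothing between "https://" and "accounts.google.com") can be written down as a small checker. The following is an added example, not code from the article or from WordFence; it assumes the address-bar text has been copied verbatim, and the sample addresses at the bottom are constructed for illustration. It also covers two related tricks the article does not mention but that the same rule catches, a hostname that merely starts with "accounts.google.com" and a "user@host" address where the real host comes after the "@".

```python
from typing import Tuple
from urllib.parse import urlsplit

# The only thing that should precede the hostname is "https://" (per WordFence).
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "accounts.google.com"


def classify_signin_url(address: str) -> Tuple[bool, str]:
    """Return (looks_legitimate, reason) for the text shown in the address bar.

    A data URI embeds the page's own content in the address itself, so the
    "https://accounts.google.com" that the victim sees is just text inside that
    content, not a location the browser fetched from Google. Checking the
    scheme first is therefore the decisive test.
    """
    text = address.strip()
    scheme_part = text.split(":", 1)[0].lower()
    if scheme_part == "data":
        return False, "data: URI (page content is embedded in the address, not loaded from Google)"

    parts = urlsplit(text)
    if parts.scheme.lower() != EXPECTED_SCHEME:
        return False, "scheme is {!r}, expected https".format(parts.scheme or "missing")
    # "https://accounts.google.com@evil.example/" puts the trusted name in the
    # userinfo field; the browser actually connects to evil.example.
    if parts.username is not None or parts.password is not None:
        return False, "credentials before the hostname (user@host trick)"
    host = (parts.hostname or "").lower()
    # Exact match only: "accounts.google.com.evil.example" must not pass.
    if host != EXPECTED_HOST:
        return False, "hostname is {!r}, expected {!r}".format(host, EXPECTED_HOST)
    if parts.port is not None and parts.port != 443:
        return False, "unexpected port {}".format(parts.port)
    return True, "https:// followed directly by accounts.google.com"


# Constructed sample addresses (not taken from a real incident).
SAMPLES = [
    "https://accounts.google.com/ServiceLogin?service=mail",
    "data:text/html,https://accounts.google.com/ServiceLogin%3Cscript%3E",
    "https://accounts.google.com.evil.example/ServiceLogin",
    "https://accounts.google.com@evil.example/ServiceLogin",
    "http://accounts.google.com/ServiceLogin",
]


def flagged(addresses=SAMPLES):
    """Return the subset of addresses that fail the checks, with reasons."""
    return [(a, reason) for a in addresses
            if not (result := classify_signin_url(a))[0]
            for reason in [result[1]]]


if __name__ == "__main__":
    for addr, why in flagged():
        print("SUSPECT:", addr, "->", why)
```

The checker deliberately refuses anything that is not exactly "https" plus the expected hostname rather than trying to enumerate bad prefixes, which is the same posture the article recommends: if the protocol and hostname cannot be positively verified, treat the sign-in page as suspect.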

While Google already uses green and red to denote when pages are secure and insecure, the phishing attack text is in the same color as the rest of the address bar, making it blend in and less noticeable. Google reps indicated to WordFence that they're working on a fix for data URI scams, which might involve some kind of colored text in the address bar indicating an executable file.

Until then, security experts agree that the way to avoid this scam is to carefully check the browser's address bar after clicking anything in an email you receive, and to enable two-step verification. And if your account is compromised? Change your password immediately.