The new "Swoogle", or swindling Google, has been fooling Gmail users into handing over their login credentials. The scheme, which has gained popularity in the past few months and has reportedly hit other email services as well, relies on a clever trick that is hard to spot.
Everything about this sign-in page looks authentic: the Google logo, the username and password entry fields, the tagline (“One account. All of Google.”). By all indications, the page is a facsimile of the real thing. Except for one clue: the browser’s address bar. Screenshot of the Google landing page:
Even there, it is easy to miss the cue. The text still contains "https://accounts.google.com," a URL that looks legitimate. There is a problem, though: that URL is preceded by the prefix "data:text/html."
Here's how the swindle works. The attacker, usually posing as a known contact, sends the phishing email to a prospective victim. It carries what looks like a regular attachment, say a PDF document (as in Tom Scott's case). Nothing out of the ordinary as such.
But the "attachment" is actually an embedded image crafted to look like a PDF. Instead of opening a preview of the document when clicked, that image links out to a fake Google login page. This is where the scam gets really devious.
The text in the address bar is in fact a "data URI," not a URL. A data URI embeds a file's contents directly in the address itself, whereas a URL identifies a page's location on the web. If you were to zoom out on the address bar, you would find a long string of characters after the legitimate-looking part: a script that serves up a file designed to look like the Gmail login page. This is the trap.
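To make the distinction concrete, here is a small added check (not code from the original post or from Google) that classifies what an address-bar string really points at. A real `https://` URL yields a web origin; a `data:` URI yields none, and the check reports whether a trusted sign-in hostname merely appears inside the embedded body and whether a long run of whitespace could be pushing the rest of the content off-screen, the two tells described above. The sample data URI is constructed here with a harmless HTML body; the hostname list and the verdict labels are assumptions for the example.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Hostnames whose sign-in pages we expect to reach only as https:// locations.
# Assumed for this example; extend for the services you care about.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def _decode_data_payload(header, payload):
    """Return the body of a data URI as text (best effort decoding)."""
    if "base64" in header.lower():
        raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        return raw.decode("utf-8", errors="replace")
    return unquote(payload)


def classify_address(text):
    """Classify what an address-bar string actually points at.

    Returns a dict with:
      kind            -- "url", "data_uri" or "other"
      origin          -- "scheme://host" for real URLs, None for data URIs
      mediatype       -- the declared media type (data URIs only)
      lookalike_hosts -- trusted hostnames found *inside* a data URI body
      hidden_padding  -- True if a long whitespace run could hide content
      verdict         -- "trusted_login", "other_site", "suspicious",
                         "review" or "unknown"
    """
    text = text.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""

    if scheme == "data":
        # data:[<mediatype>][;base64],<data>
        header, sep, payload = text[len("data:"):].partition(",")
        if not sep:
            return {"kind": "other", "origin": None, "verdict": "unknown"}
        mediatype = (header.split(";")[0] or "text/plain").lower()
        body = _decode_data_payload(header, payload)
        # A trusted hostname inside the body is text, not a location.
        lookalike = sorted(h for h in TRUSTED_LOGIN_HOSTS if h in body)
        hidden_padding = re.search(r"\s{20,}", body) is not None
        suspicious = mediatype == "text/html" or bool(lookalike) or hidden_padding
        return {
            "kind": "data_uri",
            "origin": None,
            "mediatype": mediatype,
            "lookalike_hosts": lookalike,
            "hidden_padding": hidden_padding,
            "verdict": "suspicious" if suspicious else "review",
        }

    parts = urlsplit(text)
    if parts.scheme in ("http", "https") and parts.hostname:
        origin = f"{parts.scheme}://{parts.netloc}"
        trusted = parts.scheme == "https" and parts.hostname in TRUSTED_LOGIN_HOSTS
        return {
            "kind": "url",
            "origin": origin,
            "verdict": "trusted_login" if trusted else "other_site",
        }

    return {"kind": "other", "origin": None, "verdict": "unknown"}


# Constructed sample, not the real lure: a legitimate-looking URL, a run of
# encoded spaces, then a harmless HTML body, mirroring the shape described above.
SAMPLE_DATA_URI = (
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
    + "%20" * 60
    + "%3Chtml%3E%3Cbody%3Econstructed%20sample%3C%2Fbody%3E%3C%2Fhtml%3E"
)
SAMPLE_REAL_URL = "https://accounts.google.com/ServiceLogin?service=mail"

if __name__ == "__main__":
    for sample in (SAMPLE_DATA_URI, SAMPLE_REAL_URL):
        print(sample[:60] + ("..." if len(sample) > 60 else ""))
        print("  ->", classify_address(sample))
```

The point of the `origin` field is the one that matters for users and for awareness training: a data URI has no web origin at all, so no certificate, padlock or hostname check applies to it, no matter what text it happens to contain.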
As soon as a person enters her username and password into the fields, the attackers capture the information. To make matters worse, once they gain access to a person's inbox, they immediately reconnoiter the compromised account and prepare their next bombardment. They dig up past emails and attachments, create booby-trapped image versions of them, draft believable subject lines, and then target the person's contacts.
You might shrug this off, confident that you have fended off phishing attacks your whole life. Tom Scott was only one inch away. Think again! 😉
Have a good day.