Heads up, Gmail users: a new phishing attack is making the rounds and it's fooling even technically-savvy, security-conscious users.
The ruse aims to steal usernames and passwords for Gmail and other services, and "is being used right now with a high success rate," according to Mark Maunder, CEO of WordPress security plugin Wordfence, who described the campaign in detail. Like other phishing attacks, this one starts with an email. Rather than coming from a stranger, the email may appear to have been sent by someone you know, and it may include an image of an attachment that looks like one you have received from that sender before.
"You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there," Maunder wrote.
Once you sign in, the attackers have full access to your account.
Google did not immediately respond to PCMag's request for comment, but told Maunder it is aware of the issue and is working to improve its defenses against it.
"We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection," Aaron Stein from Google Communications told Maunder.
Once the attacker gains access to your account, they immediately log in and find one of your actual attachments, plus one of your actual subject lines, and send it to people on your contact list to further the scam and compromise more accounts. Maunder said the attackers have either automated the scheme, or they have "a team standing by to process accounts as they are compromised."
"Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot," he warned. "Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism."
Maunder said some people have reported that the attack can even bypass two-factor authentication, though he has not been able to confirm this claim. As Google notes in its statement, it's still a good idea to have two-factor authentication enabled, as it makes your account much harder to crack.
To protect yourself against this attack, Maunder said you need to pay close attention to your browser's location bar when you're signing into Gmail. The location bar should read "https://accounts.google.com…" with nothing in front of it; if you see that and only that, you should be good to go. In this attack, the address in the location bar begins with "data:text/html," ahead of the familiar "https://accounts.google.com…" text, which means the browser is displaying a page embedded in the address itself rather than one served by Google.
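The check described above, written out as an added example (not code from the article or from Wordfence): a glance that only looks for the Google address somewhere in the location string passes the phishing URL, while parsing the location and requiring an https origin of exactly accounts.google.com rejects it. The sample locations are constructed; the phishing one follows the article's description with a placeholder where attacker-controlled markup would sit.

```javascript
// Added example: distinguish a genuine Google sign-in location from the
// data: URI used in the attack. Runs under Node; URL is the WHATWG parser.

// Constructed samples (not real captures).
const GENUINE = "https://accounts.google.com/ServiceLogin?service=mail";
const PHISH =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
  " ".repeat(200) + // padding pushes the rest out of view in the location bar
  "<p>constructed placeholder for attacker-controlled markup</p>";

// The glance the article warns about: the Google address is present in the
// string, so this returns true for the phishing URL too.
function naiveLooksLikeGoogle(location) {
  return location.includes("https://accounts.google.com");
}

// Parse the location and require scheme https: and host exactly
// accounts.google.com. A data: URI has no host at all, so it fails here.
function isGenuineGoogleSignIn(location) {
  let url;
  try {
    url = new URL(location);
  } catch (e) {
    return { ok: false, reason: "location is not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme is ${url.protocol}, not https:` };
  }
  if (url.hostname !== "accounts.google.com") {
    return { ok: false, reason: `host is "${url.hostname}", not accounts.google.com` };
  }
  return { ok: true, reason: "https origin is accounts.google.com" };
}

// Side-by-side verdict for one location string.
function classify(location) {
  const strict = isGenuineGoogleSignIn(location);
  return { naive: naiveLooksLikeGoogle(location), strict: strict.ok, reason: strict.reason };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const loc of [GENUINE, PHISH]) {
    console.log(loc.slice(0, 50) + "...", classify(loc));
  }
}
```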
Maunder noted that "there is no sure way to check if your account has been compromised" by this attack. If you think you might have fallen victim, change your password right away. In Gmail, you can check your login activity to see if someone else has logged into your account by clicking "Details" at the bottom of your inbox.