This new Gmail phishing scam is tricking lots of people into handing over their passwords


A new phishing attack targeting Gmail users has been described as one of the ‘most sophisticated’ attacks ever seen – and has fooled experts.

The attack fools users into clicking on what looks like an attachment, then opens a new browser tab showing a convincing copy of the Google sign-in page, which asks the user to enter their Gmail password again.

What makes it different is how it arrives: as an image that looks like a genuine attachment, sent from the compromised account of one of the user's friends, under a subject line that friend has actually used before.


WordPress security plug-in creator Wordfence revealed details of the attack in a blog post this week.

What the hackers do is break into someone's email account, take screenshots of attachments that person has already sent, embed those images in new messages and send them to people on the victim's contact list.

If people click the image, it takes them to a highly convincing copy of the Google login page, and the text in the address bar contains what looks like a real Google URL. The familiar address is only part of the string, though: a page really served by Google has an address that begins with https://accounts.google.com/, and anything that appears before that hostname means the page did not come from Google.

Mark Maunder of Wordfence says, ‘You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there.’
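The point of Maunder's warning is that a glance for the text "accounts.google.com" is not a check of where a page came from. The following is an added example, not code from the article or from Wordfence, showing the difference between that substring glance and a check of the scheme and host as a browser parses them. The sample addresses are constructed; the second one follows the shape Wordfence described, where the address bar began with `data:text/html,` ahead of the Google-looking text, so the page's content was carried in the address itself and no Google server was involved.

```javascript
// Added example: is a location-bar string really Google's sign-in page?
// Only the scheme and the host decide who served a page; the words
// "accounts.google.com" can appear anywhere in an address an attacker builds.

const GOOGLE_LOGIN_HOST = "accounts.google.com";

// The check the attack relies on victims making: does the address contain
// the familiar hostname anywhere at all?
function naiveLooksLikeGoogle(address) {
  return address.includes(GOOGLE_LOGIN_HOST);
}

// The check that actually matters: parse the address the way the browser
// does, require HTTPS, and require the host to be exactly the Google host.
function isRealGoogleLogin(address) {
  let url;
  try {
    url = new URL(address);
  } catch (e) {
    return false; // not a parseable absolute URL, so not Google's page
  }
  // data: and javascript: addresses carry their own content and have no host;
  // plain http: would not be Google's sign-in page either.
  if (url.protocol !== "https:") return false;
  // Exact host match, so "accounts.google.com.evil.example" fails too.
  return url.hostname === GOOGLE_LOGIN_HOST;
}

// Constructed sample addresses with the verdict a careful reader should reach.
const SAMPLES = [
  ["https://accounts.google.com/ServiceLogin?service=mail", true],
  // Shape of the address Wordfence described: the page lives in the URL itself.
  ["data:text/html,https://accounts.google.com/ServiceLogin?service=mail", false],
  // Lookalike host: the real registrable domain is evil.example.
  ["https://accounts.google.com.evil.example/ServiceLogin", false],
  // Right host, wrong scheme.
  ["http://accounts.google.com/ServiceLogin", false],
  // Google's host only appears in a query parameter of another site.
  ["https://evil.example/login?next=https://accounts.google.com/", false],
];

// Run both checks over the samples and report where the naive check is fooled.
function evaluateSamples(samples = SAMPLES) {
  return samples.map(([address, expected]) => ({
    address,
    naive: naiveLooksLikeGoogle(address),
    strict: isRealGoogleLogin(address),
    strictIsCorrect: isRealGoogleLogin(address) === expected,
    naiveFooled: naiveLooksLikeGoogle(address) && !expected,
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of evaluateSamples()) {
    console.log(`${r.naiveFooled ? "FOOLED " : "ok     "} naive=${r.naive} strict=${r.strict}  ${r.address}`);
  }
}
```

Every sample except the first contains the string "accounts.google.com", so the substring check accepts all five; the parsed check accepts only the first. The same rule applies when reading an address bar by eye: start from the left, confirm the scheme is https and that the host ends at the first slash, then read the host.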

If you type your password into that page, it goes straight to the attackers, who log in to your account and use it to send the same kind of message to your own contacts.

The attackers also gain access to everything stored in the compromised Gmail account, including past messages and attachments, which opens the way to identity theft and further attacks.

One commenter on Hacker News wrote, ‘It’s the most sophisticated attack I’ve seen. The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.’

A new phishing technique is fooling internet users into giving hackers access to their Gmail accounts. According to WordPress security plug-in creator Wordfence, the attack works like this: hackers send emails from a compromised account to its contacts, each containing a seemingly innocuous attachment. When the recipient clicks the attachment, a new tab opens in the browser that looks nearly identical to the Google sign-in page. If the recipient enters their login details there, they go straight to the attacker.