This new Gmail phishing scam is tricking even tech-savvy users: Here's the trick to detecting it

The security researchers at WordFence, a popular developer of security tools, have spotted what they call a "highly effective" phishing scam that has been fooling Google Gmail customers into revealing their login details. The scam has reportedly been gaining popularity among users of the email service and consists of a simple trick that even the most trained eyes will find hard to notice. Upon identifying this scam, WordFence reported it on their blog and warned of the attack.

How it works

The phishing scam is a very smart scheme indeed. The victim or the Gmail user will first receive an email from what the user perceives to be a trusted contact. Attached to the email is what appears to be a regular document in .pdf format. Suspicious users who have the habit of downloading the attachment will find something abnormal showing up in the next step.

Clicking on the document area usually gives users a preview of the document. Clicking on this link, however, will take you to a 'Sign in with Google' page to access the document. Unsuspecting users will add their email ID and password and proceed.

[Image: Gmail data URI. Credit: WordFence]

This sign in page is the second phase of the cleverly disguised scam. It actually takes users to what appears to be a genuine 'Sign in with Google' page. The unsuspecting user will add their credentials not knowing that those details are smartly sent across to a database.

How to detect it

A good clue here is the URL on the page. It reads "data:text/html,https..."; as the blog pointed out, this is a data URI and not a URL. A 'data URI', as used in this scheme, includes a complete file in the browser location bar.

When the user clicks what he/she thinks is a link to the document preview in the email, it actually opens up a file in a new tab with a carbon copy of the 'Sign in with Google' page. This one is fake and sends your data to the attacker.
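The same clue can be checked automatically before a message reaches the inbox. The sketch below is an added example, not code from WordFence or from this article: it parses link targets as data URIs and flags the ones that carry a whole page and start with URL-looking text. The function names and the sample message are constructed for illustration, and it assumes attribute values are not HTML-entity-encoded.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 layout: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"^\s*data:(?P<meta>[^,]*),(?P<body>.*)$", re.I | re.S)
ATTR = re.compile(r"""(?:href|src)\s*=\s*(["'])(.*?)\1""", re.I | re.S)
RENDERED_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def inspect_link(target):
    """Findings for one link target; an empty list means it is not a data URI."""
    m = DATA_URI.match(target)
    if not m:
        return []
    params = [p.strip().lower() for p in m.group("meta").split(";")]
    media_type = params[0] or "text/plain"          # RFC 2397 default
    raw = unquote_to_bytes(m.group("body"))
    if "base64" in params[1:]:
        try:
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:
            return ["data-uri", "undecodable-base64"]
    text = raw.decode("utf-8", errors="replace")
    findings = ["data-uri"]
    if media_type in RENDERED_TYPES:
        findings.append("renders-as-page")          # a whole file, not an address
    if re.match(r"\s*https?://", text, re.I):
        findings.append("url-lookalike-prefix")     # reads as "data:text/html,https..."
    if re.search(r"<\s*(?:script|form|input|iframe)\b", text, re.I):
        findings.append("active-or-form-content")
    return findings

def scan_email_html(html):
    """Return (target, findings) for every data: URI in an href or src attribute."""
    hits = []
    for _, target in ATTR.findall(html):
        findings = inspect_link(target)
        if findings:
            hits.append((target, findings))
    return hits

# Constructed sample message body (hypothetical hosts, not taken from the article).
SAMPLE = (
    '<a href="https://example.com/report.pdf">report</a>'
    '<a href="data:text/html,https://accounts.example.test/signin'
    '<form><input name=p></form>"><img src="cid:preview.png"></a>'
    '<img src="data:image/png;base64,iVBORw0KGgo=">'
)

if __name__ == "__main__":
    for target, findings in scan_email_html(SAMPLE):
        print(findings, target[:50])
```

An inline image as a data URI is common and yields only the `data-uri` finding; it is the combination of a rendered media type with a URL-looking start that matches the trick described here.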

The second clue to detecting this phishing scam comes from a tweet. It points out that the only way to identify this is if you happen to have a high-resolution monitor, which would reveal that the link to the document preview is actually a fuzzy image (because it does not scale) that opens the file. If it were a genuine link, it would scale properly, but this again is something only a few users would notice and many would miss.

If you are still curious, the blog points out that you can head to and check with your email on this trustworthy website.

How long has this scam been out there?

According to the detailed blog by WordFence CEO Mark Maunder, the scam has been reported over the past few weeks. What is a bit worrying is that it has been reported not by the common user, but by technical or experienced users who have complained about being hit by it. In fact, there is little even Google can do to prevent such attacks, as the statement from Google pointed out:

We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.

How do you safeguard yourself from such attacks?

If you think you are a victim, the best thing to do is change your password, provided the attacker has not already locked you out of your own account by doing the same from his end. You can head to your account activity log to find out if someone else has signed into your account. You can do this by opening your Gmail account and then, on the bottom right, clicking on Details.

If you haven't been attacked, and suspect that you may have clicked on such a link in the past couple of weeks, then now would be a good time to change that password.

As Google points out, the best way to always stay safe is to enable two-step authentication or verification for additional account protection.

With the user's email ID and password, the attacker can possibly do anything he likes with the credentials. So it indeed makes sense to change your Gmail password from time to time to stay safe.

Published Date: Jan 19, 2017 10:08 am | Updated Date: Jan 19, 2017 10:08 am