Google Account Security Checkup by Wesley Fryer via Flickr. Licensed under CC BY 2.0

While Google has set up a war room to investigate and put measures into place to prevent Gmail phishing schemes, ingenious phishers are still finding loopholes.

Cunning Gmail phishing scams even fool the experts

Social engineering

Used to great effect by phishers, emotional manipulation of potential victims using tried and tested social engineering techniques is difficult to thwart. Cybercriminals take advantage of victims’ fears, wariness of authority, and instinct to follow the rules. In one Gmail scheme, a user is messaged to enquire whether they requested a password reset for their account. If they did not, the message tells them to respond with “Stop.” As the email address is not theirs, the user usually responds by obediently replying “Stop.” They are then asked to confirm this by replying with a verification code. What has really happened is that the attackers have requested a password change for a victim’s account and are now trying to get a patsy to get a genuine verification code.

Dubious domains

Detected by WordFence, this scam targets potential victims with an email to their Gmail account, which includes an attachment or image that appears to come from someone they know. In fact, it may well come from a compromised contact. When the user clicks on the image or open the attachment, the Gmail sign in page opens in a new tab and they are asked to log in again. Doing this gives up the user’s username and password to the hackers. To detect this scam, make sure that the domain name has nothing before the hostname – which should read  ‘accounts.google.com’ – other than ‘https://’ and the green lock symbol. The “naughty” URL looks something like this: “data:text/html,https://accounts.google.com… .”

According to WordFence, even technical users have been fooled. The author of the blog post describing this scam, Mark Maunder, suggests that this attack is so effective because users do not notice the preceding text (bolded above): “In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected.” In this case, the entire URL is in black and white:

Ordinarily, Google highlights the “https” for a safe URL in green or in red for an insecure URL:

The dots do matter

James H Fisher unearthed an ingenious Gmail scam which is enabled by an obscure feature of Gmail called “the dots don’t matter.” This crafty scam nearly caused him to add his card details to someone else’s Netflix account. On receipt of an email supposedly from Netflix warning that his account was on hold, Fisher followed the link to update his payment details. Careful scrutiny showed that the card number displayed was incorrect.

“I finally realized that this email is to james.hfisher@gmail.com. I normally use Jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses.”

It could have been a genuine coincidence, considers Fisher, but more likely a scammer had taken advantage of this Gmail loophole in the hope that someone else would pay for his or her Netflix account. Says Fisher: “We teach people about ‘phishing’ due to emails from dodgy email addresses, but we don’t teach people anything about phishing due to emails to dodgy addresses. Nevertheless, the result is the same: the victim loses money to someone else.”

Google Drive

MailGuard was one of the first companies to spot a fake Gmail phishing email that leveraged Google’s online storage platform, Google Drive, in order to persuade victims into giving away their email username and password details. In this scam, an email originated from a real user who had already been compromised; the signature of the user was genuine – including name, job  title and telephone number – and the user could be traced, e.g. to a real LinkedIn profile.

The email invited the recipient (usually a friend, colleague, or family of the compromised victim) to open a file which had been shared using Google Drive. When the recipient clicked on the file, they were taken to a landing page that invited them to sign in via a number of different email providers using their email username and password details. These details were then captured by the scammers and the recipient was presented with, quite literally and most confusingly, a blank page.

Lotto scam

In this scam, the victim receives an email claiming they have won a Google Lottery. The initial email is sent in an attempt to initiate a dialogue with potential victims by requesting they contact a claims agent directly to file their claim. In further correspondence they will be asked for personal details, or to pay a fee to release the funds. Google does not operate lotteries so mark this email as Spam and do not forward any personal information.

Google Hangouts

This type of scam operates by notifying potential victims they have been given a job with Google or another company. However, the potential victim needs to pay a training fee (or some other type of fee.) Naturally, the victim is asked to complete employment forms providing confidential identifying information. The victim may also be strung along in bogus interviews through Google Hangouts.

Tips from Google

When you get a suspicious Gmail email, Google has the following advice:

  • Check that the email address and the sender name match.
  • Check if the email is authenticated.
  • Hover over any links before you click on them. If the URL of the link does not match the description of the link, it might be leading you to a phishing site.
  • Check the message headers to make sure the “from” header is not showing an incorrect name.

Remember, Google or Gmail will never ask you for personal information like: social security numbers, passwords, bank details, your mother’s maiden name, or your birthday.

Where to next?

Have any of your accounts been compromised? You can find out on Have I Been Pwned.

Learn how to detect and prevent phishing attacks with realistic anti-phishing simulations from Infosec institute’s PhishSim™ application. It is also a fun way to get buy-in to security awareness from team members at work.