You might think you're tech-savvy enough to spot a fake email from a scammer pretending to be PayPal or eBay, but what about one coming from a familiar contact? And what if the message attached read just like something sent from a real person? That's exactly what a new email phishing scam is doing to unassuming Gmail users, according to Boing Boing.
The attack, which was initially reported by Wordfence, comes in the form of an email from a user who has already been compromised by this scheme. The email will come from a familiar address in your contacts, complete with an attachment (an image or link) to click on. Some of these emails are even designed to look like replies to previous emails to your contacts, making it even harder to spot the scam right away.
Once you click on this attachment, you'll be sent right back to your Gmail sign-in screen. This could all sound suspicious already, except for the fact that in the URL for the sign-in screen, you'll see "accounts.google.com." It won't be the real Google sign-in screen (there is other extraneous URL text that confirms that) but if you're in a rush, or just unfamiliar with what it should read, it's easy to assume you just have to re-input your login info. And that's where they get you.
After that login information is entered, the hackers will now have your information, and they are ready to do the whole thing over again to one of your contacts. Wordfence has an account of how this all works:
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list. For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
Twitter user Tom Scott posted a screenshot of what to look out for if you're ever mysteriously propositioned to log back into your Google account for no apparent reason after clicking on an attachment:
In the URL, you can see "data:text/html….." at the front, which shouldn't be there. And if you scroll (a lot) past the text in the address bar, eventually you'll come across even more funky code. At that point, get out of dodge and change your login info for good measure.