An insidious new Gmail phishing attack is tricking even the most careful of users

Will Truman

Will Truman is the Editor-in-Chief of Ordinary Times. He is also on Twitter.

20 Responses

  1. dragonfrog says:

    That really is very clever. And I don’t know how you would defend against it. Even setting up two-factor authentication wouldn’t help you outrun the bear, just outrun the other guy. If these attackers haven’t implemented 2FA stealing, it’s only because it’s not worth the effort, as they get enough victims without bothering.

  2. Damon says:

    If this happened to me, you’d get a bunch of spam email from the Washington Post, and emails from sexy Russian “ladies” who love me and just need a little bit of money to come to America and fulfill all my dreams.

  3. DensityDuck says:

    “When the user clicks the attachment, a new tab opens in the browser that looks nearly identical to the Google sign-in page.”

    I think we’re getting to a point where part of the “user account setup” needs to be a “basic Internet skills” slideshow, including things like “here are some common methods people use to steal your stuff”.

    • Will H. in reply to DensityDuck says:

      I would expect to see required anti-theft literature tacked to every car sold before that happens.

    • Kazzy in reply to DensityDuck says:

      Is that an unreasonable thing? The internet is still fairly new with a massive gap between experienced and novice users that is easily exploited.

      Maybe “Don’t open a link” will become conventional wisdom but it obviously isn’t yet.

      • DensityDuck in reply to Kazzy says:

        It isn’t, actually. It is definitely the case that the internet is still heavily biased towards people who already know how to use it.

      • dragonfrog in reply to Kazzy says:

        It shouldn’t have to be conventional wisdom though – the whole point of the internet is to communicate information. The hyperlink is the basic thing that makes the web what it is. We’re in a sad place if “Don’t use the internet for what it’s for” becomes conventional wisdom.

        I would bet at 2:1 odds that I wouldn’t fall for this. I would have to think hard about 10:1 odds, and wouldn’t take 20:1. And I have worked for over a decade in IT security.

        I wouldn’t take 2:1 odds that an average employee at my organization, someone who uses computers daily and proficiently, wouldn’t fall for it. I think training users not to use the internet for what it’s for isn’t the answer. I mean, we do that here, because it’s kind of what you have to do nowadays. But that’s because of our failure, as an industry, to do better by our users.

        • DensityDuck in reply to dragonfrog says:

          It’s the same deal with any confidence scam, though. It’s not so much “don’t use the Internet for the thing it is for” as it is “there are ways that people can trick you, these are some of them”.

          I put it in the same category as “when someone calls and says they’re from the IRS and if you don’t send $5000 via Western Union they will have you arrested, that’s a scam, don’t do it”.

          • dragonfrog in reply to DensityDuck says:

            That’s different though.

            When you get an email from someone you know, that’s in the context of an email exchange you are currently having with them, with an attachment that looks exactly like an attachment they sent you recently – you don’t get suspicious.

            This isn’t even remotely in the same league as someone cold-calling you from “the IRS” and demanding $5000 via Western Union or Apple gift cards or whatever.

  4. fillyjonk says:

    We’ve had people on my campus (professors) regularly fall for what I think of as pretty basic phishing scams (“Your e-mail box is almost full! Enter your username and password here to delete unneeded messages!”)

    We’ve also apparently had a case of someone falling for the Cryptolocker scam; I heard they had to have their hard drive totally wiped.

    I don’t know if that means that ‘highly educated’ people sometimes don’t have common sense, or if they trust too much, or what. I’m a pretty suspicious wench and thus far I’ve managed to stay safe, though once or twice I got e-mails that were “for real” and I deleted them thinking they were scams.

    (Also, I keep all my really important files in a couple different places, so having to have my hard drive wiped would represent considerably less loss of work to me than it would to someone else)

    I just as a matter of policy don’t open any attachments I have not specifically asked for and I don’t respond to e-mails with “weird” From: addresses. (Someplace in Czechoslovakia is not going to be monitoring the “fullness” of my inbox)

    That said, I’m not sure a moment of inattention might not allow me to fall for the new Google scam.

    • Marchmaine in reply to fillyjonk says:

      once or twice I got e-mails that were “for real” and I deleted them thinking they were scams.

      This is exactly how I taught my parents not to send naked links or attachments to me or anyone else they know.

      They: Did you get that thing I sent.
      We: Nope… I deleted about 5 emails from you that looked like spam/phishing attempts though.

      • Morat20 in reply to Marchmaine says:

        I’ve reported some sketchy ones directly to our own IT teams that actually legitimately originated with them.

        As in they were legit emails, not phishing attempts or compromised IT systems.

        I sometimes wonder if they send out the occasional weirdly worded email deliberately to see who stops and goes “Wait, that doesn’t look right” and who doesn’t.

        • Marchmaine in reply to Morat20 says:

          Heh, I actually got flagged at work for not taking a security training class on phishing.

          My defense? It was an email sent from an unknown source for a class I wasn’t told I needed to take, asking me to click a link and log in with my corporate user name and password.

          Instead of sending me an Amazon gift card, exempting me from this and all future CYA security training, and putting my picture (or Rex’s picture) on a bulletin board somewhere, they just told me to click the link and log in. So, I know how John Podesta feels.

        • Kim in reply to Morat20 says:

          Ours does actual phishing traps. Not stuff like that.

  5. Kim says:

    *Yawn* incompetents. Going after the smart people is the wrong move.
    You attract too much attention that way.

  6. fillyjonk says:

    And apparently a version has hit here: e-mails going around (on the campus mail platform, not Gmail, but still) claiming you have a meeting with someone and asking for your login information if you click the link.

    Again, I guess it’s good to be a suspicious wench. (“Hey, I don’t have a meeting scheduled with that person, something’s wrong”)

  7. Brandon Berg says:

    On a possibly related note, I’ve gotten two emails like this in the last week:

    Howdy Brandon

    Jeanie [redacted] from Susquehanna
    Long time! text
    my number
    7 eight five three zero five 5 four seven eight

    Number changed as well, but it had the weird mix of numerals and words. The first time I was inclined to think it was just someone who had the wrong email address, but then I got the other one, again with the strange way of writing the number. Both say they’re from Susquehanna; not sure if that’s a city, company, school, or what.

    Is this a thing now? I’ve never seen spam that only gives a phone number.
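    The “mix of numerals and words” Brandon describes is exactly the kind of thing a mail filter can normalize and flag. The following Python is an added example, not code from the original post or from any commenter: it tokenizes a message, maps spelled-out digits back to numerals, and reports any run of ten or more digits, marking the run as obfuscated when words and numerals are mixed (or all words). The sample messages are constructed for the example, reusing the already-altered number quoted in the thread.

```python
import re

# Spelled-out digits a spammer might substitute for numerals (constructed table;
# "oh" is included because it is a common stand-in for zero).
WORD_DIGITS = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# Constructed sample messages modelled on the thread's description.
SAMPLES = [
    "Howdy Brandon\n\nJeanie [redacted] from Susquehanna\nLong time! text\n"
    "my number\n7 eight five three zero five 5 four seven eight",
    "Hi, it's the dentist. Please call 785-305-5478 to confirm Tuesday.",
    "Long time! text me when you land.",
]

MIN_PHONE_DIGITS = 10  # North American number without the leading 1


def extract_phone_runs(text):
    """Return a list of (digits, obfuscated) for each run of consecutive digit
    tokens of at least MIN_PHONE_DIGITS digits.

    A token is either a string of numerals or a word; a word that is not a
    spelled-out digit ends the current run. Punctuation and whitespace between
    tokens are ignored, so "785-305-5478" and "785 305 5478" both form one run.
    """
    runs = []
    current = []  # list of (digit, came_from_word)

    def flush():
        if len(current) >= MIN_PHONE_DIGITS:
            digits = "".join(d for d, _ in current)
            obfuscated = any(from_word for _, from_word in current)
            runs.append((digits, obfuscated))
        current.clear()

    for tok in re.findall(r"[a-z]+|\d+", text.lower()):
        if tok.isdigit():
            current.extend((ch, False) for ch in tok)
        elif tok in WORD_DIGITS:
            current.append((WORD_DIGITS[tok], True))
        else:
            flush()
    flush()
    return runs


def classify(message):
    """Label a message as 'obfuscated-phone', 'phone' or 'none'.

    Obfuscation (spelling out digits to dodge simple numeric patterns) is the
    signal worth acting on; a plain phone number on its own is not suspicious.
    """
    runs = extract_phone_runs(message)
    if any(obfuscated for _, obfuscated in runs):
        return "obfuscated-phone"
    if runs:
        return "phone"
    return "none"


if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg), extract_phone_runs(msg), repr(msg[:40]))
```

    The filter deliberately keys on the mixed encoding rather than on any specific number, since the number changes from message to message; a real deployment would feed the label into the mail system’s scoring alongside the usual sender and reputation checks rather than rejecting on this alone.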

    • Kim in reply to Brandon Berg says:

      No typos? Poor shot.

    • May be an old thing. Note the area code is not an 8XX number. I no longer keep track of the phone billing scams, but at one point the owner of a number could set it up as a class of service so that the originating end of all incoming calls was billed a specific amount. The original purpose was for things like per-call technical assistance and got around the need for the caller to have a credit card. For a while it was a common scam in NYC to have someone in appropriate attire show up at small businesses with two dozen roses for “Mary Ellen Smith”. If there was no Mary Ellen Smith, they would ask to use the phone to talk to their boss. “It’s a local call, here, you can dial it for me.” Service tariffs like that tend to hang on for years/decades after their purpose has disappeared just because it’s a hassle for the phone company to go through the state-level procedures.

    • Marchmaine in reply to Brandon Berg says:

      It’s a river… possibly this was your very own watery tart offering swords and supreme power.

      I didn’t watch the inauguration today, is this how we did it this time?

      Next time, text. This is how you get Trump.