Why do we get SPAM? Simply put, it works. Since 2009, the share of SPAM that gets a response has hovered around 12%, which may not sound high. However, if you are sending out tens of thousands of SPAM messages (and not getting caught doing so), the returns are pretty impressive. It is up to users to help keep blacklists up to date and make sure SPAM is directed to the Junk folder as soon as it arrives. Mail providers are trying to keep up, and try as they might, digital scam artists—because it really is artful how some people turn the Internet against us—come up with clever ways of getting users to give up sensitive information online, essentially handing the keys of their digital castle to cybercriminals. Right now, security researchers are keeping tabs on one such scam: a “highly effective” and incredibly sophisticated phishing campaign that has been fooling Gmail users and getting them to divulge their login credentials.
When I say this particular online scam is sophisticated, I assure you this is far more sophisticated than when John Podesta used “PASSWORD” as his password in order to stump would-be hackers.
Researchers at WordFence warned of this attack against Gmail in a recent blog post, noting that it has been having a wide impact, even on experienced users. How it works would be considered clever if it weren’t such a detriment to your personal security. The attacker, disguised as a trusted contact, sends you an email that appears to come from somebody you know, someone on your mailing list. Attached to this email is some kind of document, a PDF or JPG image for example. Nothing too far out of the ordinary, except that the attachment is booby-trapped. The “attachment” is actually an embedded image crafted to look like a PDF thumbnail; so rather than opening a preview of the document when clicked, the image works as a link to what appears to be a Google login page.
This portal looks perfectly authentic: you have the Google logo, the username and password entry fields. Everything looks perfect.
If you are not expecting to be taken to a login page, though, take a close look at the top of your browser where the URL would normally be. The URL in this scenario is not entirely right, nor is it a verified Google URL: the address you see there is preceded by “data:text/html,”. That innocuous-looking prefix is your key clue. What follows it may look like a proper Google URL, but a data: address is not served from a Google server at all; the fake login page is embedded in the address itself, and the “google.com” you see is just text inside it. That “data:text/html” is your first warning flag.
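The address-bar check described above can be written down as a small classifier. The following is an added example, not code from the article or from WordFence; it assumes (my assumption, not stated on the page) that genuine Google sign-in is served over HTTPS from accounts.google.com, and every sample address in it is constructed for illustration. It runs under Node.js using the standard WHATWG URL API, and it also pulls out the decoy text that a data: address leads with, so you can see that the “Google URL” is payload, not a host.

```javascript
// Added example (not from the original post): classify what the address bar
// shows before typing credentials into a "Google" sign-in page.
// ASSUMPTION: the real Google sign-in page is served over HTTPS from
// accounts.google.com. Any other scheme or host is treated as suspicious.

const GOOGLE_LOGIN_HOST = "accounts.google.com";

// For a data: URL, return the leading human-readable text of the payload
// (everything before the first whitespace). In the scheme the post
// describes, that text is made to look like a Google URL while the actual
// HTML of the fake login page follows it. Returns null for non-data: URLs.
function decoyFromDataUrl(raw) {
  const header = /^data:[^,]*,/i.exec(raw);
  if (!header) return null;
  let payload = raw.slice(header[0].length);
  try {
    payload = decodeURIComponent(payload);
  } catch {
    // leave percent-encoded text as-is if it is malformed
  }
  return payload.split(/\s+/)[0];
}

// Verdicts: "ok" | "phishing" | "lookalike" | "suspicious"
function classifyLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { verdict: "suspicious", reason: "not a parseable URL" };
  }

  // The data: scheme renders content carried inside the address itself;
  // there is no server and no hostname behind it.
  if (url.protocol === "data:") {
    const decoy = decoyFromDataUrl(raw);
    return {
      verdict: "phishing",
      reason: `data: URI; the visible "${decoy}" is payload text, not a host`,
    };
  }

  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: `scheme ${url.protocol} is not https:` };
  }

  if (url.hostname === GOOGLE_LOGIN_HOST) {
    return { verdict: "ok", reason: `served from ${GOOGLE_LOGIN_HOST} over HTTPS` };
  }

  // A host that merely contains "google" (e.g. accounts.google.com.example.net)
  // is a lookalike: the registrable domain is not google.com.
  if (url.hostname.includes("google")) {
    return { verdict: "lookalike", reason: `lookalike host ${url.hostname}` };
  }

  return { verdict: "suspicious", reason: `unexpected host ${url.hostname}` };
}

// Constructed sample: a data: address whose payload opens with text that
// reads like a Google sign-in URL, followed by whitespace and HTML.
const CONSTRUCTED_DATA_URL =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
  "%20%20%20%3Chtml%3E%3C/html%3E";

// Constructed samples for the other branches.
const SAMPLE_URLS = [
  "https://accounts.google.com/signin/v2/identifier",
  CONSTRUCTED_DATA_URL,
  "https://accounts.google.com.example.net/signin",
  "http://accounts.google.com/",
];

for (const u of SAMPLE_URLS) {
  const { verdict, reason } = classifyLoginUrl(u);
  console.log(`${verdict.padEnd(10)} ${reason}`);
}
```

The point the output makes is that the only line that earns an "ok" is the one whose scheme is https: and whose hostname is exactly accounts.google.com; the data: address gets flagged no matter how convincing the text after the comma looks, because the URL parser reports no hostname for it at all.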
As soon as a person enters their username and password into this bogus page, the cybercriminals have them. They can now log into your account, get all of your usernames and passwords, take all of your contacts, read your email, and craft new emails based on yours that would look legitimate.
This scam works because people think they are getting an email from a friend.
So when you are on Gmail, have a care. If you expect to open a document and suddenly find yourself on a Google login page, take a moment to look for any odd tells. Do not enter your Gmail credentials on a page you reached by clicking a link. If you want to log into Gmail, just type in the actual Gmail address yourself. You never know where a link comes from.
Stay vigilant, everyone.
A research physicist who has become an entrepreneur and educational leader, and an expert on competency-based education, critical thinking in the classroom, curriculum development, and education management, Dr. Richard Shurtz is the president and chief executive officer of Stratford University. He has published over 30 technical publications, holds 15 patents, and is host of the weekly radio show Tech Talk. A noted expert on competency-based education, Dr. Shurtz has conducted numerous workshops and seminars for educators in Jamaica, Egypt, India, and China, and has established academic partnerships in China, India, Sri Lanka, Kurdistan, Malaysia, and Canada.