Hackers Go After Google Users in Advanced Phishing Attack

By Cadie Thompson | @CadieThompson

Hackers are targeting Google (GOOG) users' passwords in a new advanced phishing scheme that is difficult to detect and block, security experts at the firm Bitdefender said on Tuesday.

The attack began a couple of days ago and has managed to spread fast, said Bianca Stanescu, a security specialist at the firm.

"We haven't spotted this type of phishing attack. It's enhanced, usually the security solutions block the webpage for malicious activity before users open it, but this time security solutions receive the encoded content and they can't really block it."

The scam starts with an email that claims to be sent by Google with the phrase "Mail Notice" or "Lookout Notice" as the subject.

The message in the email reads: "This is a reminder that your email will be locked out in 24 hours, due to not being able to increase your email storage quota. Go to the INSTANT INCREASE to increase your Email storage automatically."

A link then redirects the user to a bogus Google login page where the user is prompted to put in their credentials.

Once the hackers receive the credentials, they have access not just to a victim's email but to all Google documents, Google Play and Google Plus, and if the person uses the same login information for multiple sites, the hackers will also have access to those.

Google hasn't yet responded to a request for comment.

What's unique about this particular attack isn't only how legitimate the emails appear, but also how the phishing attack is structured. The attack is based on uniform resource identifiers, or URIs, which are the subsets of characters that make up a URL.

Most browsers limit the amount of data that can be in a URI, which makes phishing attacks easier to identify because of how long they can be. But because Google's Chrome browser doesn't display all the information in a URI (making it appear shorter), the dangerous phishing link is harder to notice. This specific URI attack shows "Data:" in the Web browser instead of "Https:", which indicates that the Google site is not a real one, Stanescu said.
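The "Data:" prefix described above can be checked mechanically before a user ever sees the page. The following is an added example, not code from Bitdefender or Google: it flags `data:` links in an HTML mail body, decodes the embedded content and reports whether it renders as HTML with a password field. The function names and the sample message are constructed for illustration, and the same `inspect_uri` check is assumed to apply to a redirect target as well as to a link in the email itself.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# RFC 2397 form: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"^\s*data:([^,]*),(.*)$", re.IGNORECASE | re.DOTALL)
PASSWORD_FIELD = re.compile(rb"<input[^>]+type\s*=\s*[\"']?password", re.IGNORECASE)
HTML_TYPES = {"text/html", "application/xhtml+xml"}

def inspect_uri(uri):
    """Return None for a non-data URI, else a summary of the decoded payload."""
    m = DATA_URI.match(uri)
    if not m:
        return None
    params = [p.strip().lower() for p in m.group(1).split(";")]
    mediatype = params[0] or "text/plain"  # RFC 2397 default
    body = unquote_to_bytes(m.group(2))
    if "base64" in params[1:]:
        raw = re.sub(rb"\s+", b"", body)
        try:
            body = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:
            body = b""  # undecodable payload: nothing to inspect
    return {
        "mediatype": mediatype,
        "renders_html": mediatype in HTML_TYPES,
        "password_field": bool(PASSWORD_FIELD.search(body)),
    }

class _Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if k == "href" and v]

def scan_email_html(html):
    """Return (href, summary) for every data: link in an HTML mail body."""
    parser = _Hrefs()
    parser.feed(html)
    return [(h, info) for h in parser.hrefs if (info := inspect_uri(h))]

# Constructed sample: one ordinary link and one data: link wrapping an inert form.
_FORM = b'<form><input type="password" name="pw"></form>'
SAMPLE_EMAIL = (
    '<a href="https://example.com/help">Help</a>'
    '<a href="data:text/html;base64,' + base64.b64encode(_FORM).decode() + '">Open</a>'
)
```

A mail filter would treat any result with `renders_html` set as suspicious on its own, since legitimate notification email has no reason to link to a self-contained HTML document.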

While Chrome is most vulnerable to this particular attack, Mozilla's Firefox browser is also affected, Stanescu said.

Bitdefender has reached out to Google about the phishing scam and expects the company to have a patch in place soon to help block users from accessing the site, she said. However, blocking dangerous sites doesn't mean the threat dies.

"We are constantly collaborating with Facebook (FB), Google and other institutions and letting them know that this is going on. But by the time they block them new ones are created," Stanescu said.

Internet users need to be skeptical when they receive an urgent email from someone they don't know or a reputable institution and should also use strong passwords and two-factor authentication to help avoid these kinds of scams, she added.

Why Your Bank Thinks Someone Stole Your Credit Card

One reason why Marquis' gas purchases might have triggered a fraud lockdown? Filling their tank is a common first move for credit card thieves.

"Some of the things they look at are small-dollar transactions at gas stations, followed by an attempt to make a larger purchase," explains Adam Levin of Identity Theft 911.

The idea is that thieves want to confirm that the card actually works before going on a buying spree, so they'll make a small purchase that wouldn't catch the attention of the cardholder. Popular methods include buying gas or making a small donation to charity, so banks have started scrutinizing those transactions.

Of course, it's not a simple matter of buying gas or giving to charity -- if those tasks triggered alerts constantly, no one would do either with a credit card. But Levin points to another possible explanation: Purchases made in a high-crime area are going to be held to a higher standard by the bank.

"It's almost a form of redlining," he says. "If there are certain [neighborhoods] where they've experienced an enormous amount of fraud, then anytime they see a transaction in the neighborhood, it sends an alert."

(Indeed, Erin tells me that one of the gas purchases that triggered an alert took place in a rough part of Detroit, which she visited specifically for the cheap gas.)

People who steal credit cards and credit card numbers usually aren't doing it so they can outfit their home with electronics and appliances. They don't want the actual products they're fraudulently buying; they're just in it to make money. So banks are always on the lookout for purchases of items that can easily be re-sold.

"Anytime a product can be turned around quickly for cash value, those are going to be the items that you would probably assume that, if you were a thief, you would want to get to first," says Karisse Hendrick of the Merchant Risk Council, which helps online merchants cut down on fraud. Levin says electronics are common choices for fraudsters, as are precious metals and jewelry.

Many thieves don't want to go through the rigmarole of buying laptops and jewelry, then selling them online or at pawnshops. They'd much prefer to just turn your stolen card directly into cold, hard cash.

There are a few ways that they can do that, and all of them will raise red flags at your bank or credit union. Using a credit card to buy a pricey gift card or load a bunch of money on a prepaid debit card is a fast way to attract the suspicions of your credit card issuer. Levin adds that some identity thieves also use stolen or cloned credit cards to buy chips at a casino, which they can then cash out (or, if they're feeling lucky, gamble away).

When assessing whether a purchase might be fraudulent, banks aren't just looking at what you bought and where you bought it. They're also asking if it's something you usually buy.

"The issuers know the buying patterns of a cardholder," says Hendrick. "They know the typical dollar amount of transaction and the type of purchase they put on a credit card."

Your bank sees a fairly high percentage of your purchases, so it knows if one is out of character for you. A thrifty individual who suddenly drops $500 on designer clothes should expect to get a call -- or have to make one when the bank flags the transaction. If you rarely travel and your card is suddenly used to purchase a flight to Europe, that's going to raise some red flags.

Speaking of Europe, the other big factor in banks' risk equations is whether you're making a purchase in a new area. I bought a computer just days after moving from Boston to New York, and had to confirm to the bank that I was indeed trying to make the purchase. Levin likewise says that making purchases in two different cities over a short period of time raises suspicions.

"I go from New York to California a lot, and invariably someone will call me [from the bank], " he says. Since one person can't go shopping in New York and California at the same time, any time a bank sees multiple purchases in multiple locations in a short period, it's going to be suspicious.
