There’s a new phishing scam targeting Gmail users. Security researchers have stated that the emails are “highly effective” and even experienced, tech-savvy users have fallen victim. The scheme, which has been gaining popularity over the past few months, involves a clever trick that can be difficult to detect.

The attack begins with an email that appears to be from someone you know, along with what appears to be an attachment that the victim would expect to come from the sender. The “attachment” is actually an embedded image designed to look like the gmail attachment preview. When the victim clicks on the on the “attachment”, a new window opens and users are prompted to sign in to their Gmail account. The page looks exactly like the Gmail login page and even the address bar looks legitimate: https://accounts.google.com.

However, this is where the scam really begins.

While it looks like you have been prompted to login to your Gmail account again, this is instead the hackers stealing your data.  The page is actually a data capturing file cleverly designed to appear legitimate. What is actually in the address bar is what’s known as a “data URI,” not a URL. A URI embeds a file, while a URL identifies a page’s location on the web.

 The page is designed to look exactly like the real Gmail login page.

The page is designed to look exactly like the real Gmail login page.

The legitimate-looking part of the URL is followed by white spaces, which prevent the user from seeing anything suspicious, but if the user clicks on the address bar, they would find a long string of characters beginning with “data:text/html,” that serves up a file designed to look like a Gmail login page.

 The code revealed after clicking on the address bar.

The code revealed after clicking on the address bar.

Once the attackers have gained access to the user’s login credentials, they immediately login and send an email to everyone in their contact list using one of the victim’s previously used attachments and relevant subject lines to spread the infection.

“For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team,” explained Mark Maunder, a researcher at Wordfence, in a posting. “The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised.”

The impact of this attack could be widespread, and a potential issue for businesses. Brian Stafford, the CEO of Diligent, noted that the use of free email service providers (ESP) among board members is common. More than 30% of US board members use a free ESP for business communication, and Google, at 44% is the most used.

So how can you protect yourself and your business against the Gmail Phishing Scam?

  • Enable two-factor authentication in Gmail. This requires any new login from an unknown device to also enter a code sent to a secondary email or cell phone. Unless hackers have access to that second factor, it will be impossible for them to access your account.
  • Look for the lock icon next to the URL bar. This indicates a secure https. webpage, which all online services use. Do be aware, though, that many phishing pages are now hosted secure servers so this is not a foolproof way of distinguishing fake from real.
  • Once you’ve verified the lock icon is present, always closely examine the URL when prompted to login to an account. Ensure that the URL is legitimate by clicking to reveal the full URL and not just the condensed version often displayed.
  • Companies that use Gmail accounts or Android devices for work should check to see if any of their accounts have been compromised.
  • Take an inventory of all materials saved and shared on Google Drive.
  • Alert security and compliance teams immediately to begin any mitigation activities necessary.
  • Make all company employees, shareholders, and board members aware of the phishing scam and share the following tips.
 Always look for this green lock icon when entering personally identifying information.

Always look for this green lock icon when entering personally identifying information.

If the scam sounds familiar and you fear you've already fallen for it, there are two other steps you should take. First, change your Gmail password. Once you've done that, go to the Gmail account activity page. It will show you any current sessions that are logged in and you can kick off any that are suspicious.


Breadcrumb is a cyber security and executive advisory firm that assists organizations throughout the U.S. Contact us today for a no-obligation consultation.

Author: Jennifer Guidry, CMO