[conspire] 'Frighteningly effective' GMail phishing

Rick Moen rick at linuxmafia.com
Fri Mar 24 10:11:00 PDT 2017


I follow several publication sources on security: most frequently, 
Bruce Schneier's blog, and with more occasionally RISKS Digest and 
Brian Krebs's blog 'Krebs on Security'.  (I recommend all of those.) 

Schneier recently had an item in his blog saying 'This article is right.
It _is_ frighteningly effective', and linked to
http://fortune.com/2017/01/18/google-gmail-scam-phishing/ .
The _Fortune_ article, in turn, cites a more technical piece:
https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/

To review, 'phishing' is fooling a user via misleading content, usually
Web links, into foolishly giving away credentials.  Webmail users have
been very, very frequent targets of phishing.  E.g., a good bit of the
'Russian hackers attack DNC e-mail' was _not_ an attack against an
internal Democratic National Committee e-mail system because they didn't
have one.  They'd outsourced e-mail to GMail, and DNC officials got
fooled by being sent phishing mails.

The fortune article is about a new twist on how to craft a phishing
e-mail, aimed at a GMail user.

As is often the case, the mail is forged to make it appear to come from
a 'trusted' (or at least frequent) correspondent.  Or possibly not
forged, but instead coming from a correspondent whose webmail access has 
previously been stolen.

There's an attached image file.  You click to show an image preview.  
The location bar shows a URL that _includes_ 'account.google.com', but
you see what appears to be a new browser tab prompting you to sign in
(to GMail) again.  You sign in.  Oops, you got fooled.  The bad guys now
instantly have the keys to your account.

The 'attached image file' wasn't actually an attached image file.  It wa
a 'data URI', a very long string that starts out with
'data:text/html,https://accounts.google.com/ServiceLogin?service=mail'
but keeps going to the right for quite a long ways (normally offscreen
in the not-displayed portion of the browser location bar) with more of
that and eventually gets to '<script src=data:text/html ...', which is
the remote URI of a Javascript snippet at the bad guys' Web site that
displays in front of your eyeballs a perfectly simulated GMail login
screen.


I'm getting to my point, so bear with me a bit.


Both the cited researches and _Fortune_ recited the same two 'How to
protect yourself' recommendaitons:

1 of 2:  Verify the protocol (https://) and hostname
(accounts.google.com) and ensure there's nothing before that (e.g., the
'data:text/html,' plumbing used in this attack.

2 of 2:  Enable two-factor authentication.  (There's a warning that
discussion indicates this may not be enough.)



My point:  I think the recommendations miss the mark.  Because there's a
more-basic skepticism that would protect you against not only this
phishing attack but all phishing attacks and many others.

Ask yourself:  Why should the user trust a login screen that suddenly
just shows up?


My friend the late Bob Steiner, master magician, used to lecture widely
about con artists, and a theme running through all of con artistry (and,
indeed, stage magic) is that the artist controls the narrative.  Think
about 'The Sting', 'The Grifters', etc.  At a key moment, the mark is
lulled by a narrative into trusting that 'This is something you know,
something you can rely on', and the entire con relies on the mark 
_not_ exercising initiative and moving the narrative in a direction of
his/her choosing.

When I want to use online banking, or online medical, or online
anything-important, I _never_ use a link provided to me by anyone or
anything but myself.  I rely on my own bookmarks or my typing in the URL
that I personally know.  (This doesn't protect you against other threats
like compromised DNS or routers, but completely defeats phishing.)  

If I were using GMail and suddenly a fresh GMail login screen showed up,
my reaction would be 'Eh, no.  I'll pass on that.'  If suspecting I
really did need to do a new login for some reason, I'd once again type
in the right URL or use my own bookmark.

This principle has broader application.

Once when I was working at VA Linux Systems, an incoming call was routed
to me, from someone who said he was Sergeant So-and-So from Sunnvale PD,
seeking to return some recovered stolen VA Linux Systems stolen gear to
its rightful owners.  I checked with my boss that giving out owner
contact information is OK, and said 'Sergeant, can I call you back via
the Sunnyvale PD main public number?'

'Sure, but but may I ask why?'

'Absolutely no offence intended, Officer, but I have no way of knowing
that an actual Sunnyvale PD officer is calling, because you initiated
this call, not me.'

'Oh, OK.  Let me give you my direct number.'

'Again, absolutely no offence intended, sir, but given that I don't know
for certain that you're Sunnyvale PD, I also don't know that a number
you give me is that of Sunnyvale PD.  Can I be patched to you from the
main public number?'

'Yes.'

'Talk to you in a jiffy.'

When we were reconnected, he said that in decades of police work, nobody
had ever taken that precaution before.  I said I was not surprised.


The researchers and _Fortune_ note that the new GMail phishing attack is
'having a wide impact, even on experienced technical users'.  If people
adopted the elementary precaution I recommend, it would have _zero_
impact on them -- and they would be immune to whole classes of con
artists, human or automated.

Just, simply, stop and think, before you provides _any_ sensitive
information, anywhere:  Did I _create_ this interaction in a fashion under
my control?  Did this happen in the normal way with no funny stuff?
If no, if it's someone else's narrative, back out.  Do it your way or
not at all -- like, politely ending the call _from_ Sunnyvale PD and
make one _to_ Sunnyvale PD using a number you look up yourself and have
reason to believe genuine..  It's really pretty much that simple.

(For a slightly contrived example of where this wasn't sufficient
because of lax security on the call's receiving end, see the superb
Audrey Hepburn / Cary Grant 1963 movie 'Charade' -- likewise a film
about con artists, delightfully disguised as a romantic suspense film.
https://www.theguardian.com/film/2013/dec/13/charade-audrey-hepburn-cary-grant
)





More information about the conspire mailing list