An insidious phishing campaign that near-perfectly mimics authentic Gmail login pages to steal user data has been uncovered by threat alert group Avanan.
“The hacker has two tasks,” said Jeremy Fuchs, researcher at the cybersecurity firm. “Get into the inbox, and get the user to hand over the desired information.”
The latest scam detected by Avanan involves crafting identical copies of the account login pages that Google hosts, throwing in a fake version of the tech giant’s reCAPTCHA security field to increase the semblance of legitimacy.
Victims have their email addresses pre-inserted into the bogus page, which Fuchs says is a perfect mimic in all but one way – the malicious URL a victim is asked to click on bears no resemblance to the email provider it is impersonating.
“Though the URL is completely unrelated to the company website, the page looks exactly like the real deal,” said Fuchs. “In fact, it’s a bit-for-bit mirror of the actual company site. The end-user will have their email address pre-populated and see their traditional login page and background, making it incredibly convincing.”
But who is behind it?
Fuchs believes the social engineering campaign might be the work of SPAM-EGY, a “phishing as a service” outfit already on Avanan’s radar.
But whereas SPAM-EGY has been observed using the same tactics, techniques, and procedures to redirect the unwary to a credential-harvesting site, it has not previously used Google as a lure, to the best of Avanan’s knowledge.
“This represents an evolution of this type of attack and thus may be carried out by a different group,” said Fuchs. “It is incredibly clever since it matches the login page that the end-user is accustomed to seeing. While it's possible for this attack to work with other forms of Google-hosted email, this particular example focuses on Gmail.”
Cautioning account holders to hover over links to check that they match the company they purport to be affiliated with, Fuchs added: “A clever end-user will see that the URLs don’t match. However, everything else does. In the arms race to fool users, this is one of the more effective campaigns we’ve seen.”
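The check Fuchs describes, comparing where a link actually points with the brand it claims to be, can be automated on the defender side. The following is an added example written for this page, not code from Avanan or the article: it extracts the links from an email body and flags any whose visible text names Google or Gmail, or displays one URL while the `href` goes elsewhere, when the real destination host is not one of the sign-in hosts assumed here. The email body, the trusted-host list and the brand keywords are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: hosts that legitimately serve Google sign-in.
# A real deployment would maintain this list per impersonated brand.
GOOGLE_LOGIN_HOSTS = {"accounts.google.com", "google.com", "gmail.com"}
BRAND_KEYWORDS = ("google", "gmail")

# Constructed sample email body (not a real phishing message).
SAMPLE_EMAIL = """
<p>Your Gmail account requires verification.</p>
<a href="https://accounts.google.com/signin">Sign in to Google</a>
<a href="https://login-verify.example.net/gmail/?u=victim%40gmail.com">Sign in to Gmail</a>
<a href="https://example.org/x">https://accounts.google.com/</a>
<a href="https://news.example.com/">Read more</a>
"""


def host_belongs_to(host, trusted):
    """True if host is one of the trusted hosts or a subdomain of one.

    Suffix matching on '.' + domain rejects lookalikes such as
    'google.com.evil.example', which merely start with the brand name.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_lookalike_links(html, brand_keywords, trusted_hosts):
    """Return links that invoke the brand but resolve to an untrusted host."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host_belongs_to(host, trusted_hosts):
            continue  # genuine brand host: nothing to flag
        reasons = []
        # Tell 1: the anchor text names the brand, the destination does not.
        if any(k in text.lower() for k in brand_keywords):
            reasons.append("link text names the brand but host is %s" % host)
        # Tell 2: the anchor text is itself a URL whose host differs from href.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown.lower() != host:
            reasons.append("displayed URL host %s differs from real host %s" % (shown, host))
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_lookalike_links(SAMPLE_EMAIL, BRAND_KEYWORDS, GOOGLE_LOGIN_HOSTS):
        print(hit["href"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Run against the constructed message, the scanner flags the two links that borrow Google's name or display a Google URL while pointing at another host, and leaves the genuine `accounts.google.com` link and the neutral "Read more" link alone. The same mismatch is what a careful user sees when hovering over the link, as the article advises.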
More from Cybernews: