Most phishing attacks are fairly simple. They often send an attachment or malicious link and try to get users to give up sensitive information. But this one works a bit differently.
A new attack observed by Wordfence works by hacking one user, then taking an attachment that user recently sent to other contacts and reusing it, along with a pertinent subject line, as the bait. So each Gmail user receives a document that appears to come from someone they know, with a subject line more compelling and less generic than “Fwd: file” or “WOW CHECK THIS OUT!”
When users click the thumbnail to preview the document, a new tab opens with a clone of the Gmail log-in page. Thinking they need to log back into Gmail to view the file, victims unwittingly hand their username and password to the hackers.
Wasting no time, the hackers then repeat the process with the newly stolen credentials, spreading the attack across the victim's social circles. In one case, a student's account was hacked and a sports team's schedule was used as the bait to get others to open the document.
What to do
Your users may be pretty savvy, but this is the kind of attack that can trip up even experienced users. So the best bet is to instruct users on what to look for.
Examine the address bar any time you're asked to log into a site. Look for indicators such as the green padlock that show the data you enter can be trusted, and read the site URL carefully to be sure it is accurate and not compromised.
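As an added illustration (not part of the original post), the address-bar check above expressed as code: it accepts only an HTTPS page on exactly the expected login host and gives a reason for every rejection, including lookalike hosts that merely contain the real name. It assumes Google's sign-in page lives at accounts.google.com; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: Google's sign-in page is served from
# accounts.google.com. Put another service's login host here to reuse it.
EXPECTED_LOGIN_HOSTS = {"accounts.google.com"}


def address_bar_check(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for the text shown in the address bar.

    ok is True only for an HTTPS page on exactly an expected login host;
    every other outcome is a reason not to type a password.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":                 # urlsplit lower-cases the scheme
        return False, f"not https (scheme {parts.scheme or 'missing'!r})"
    host = (parts.hostname or "").rstrip(".")   # .hostname is lower-cased
    if not host:
        return False, "no host in URL"
    if not host.isascii():
        return False, f"non-ASCII host {host!r} (possible homoglyph)"
    if host in EXPECTED_LOGIN_HOSTS:
        return True, f"genuine login host {host}"
    if any(h in host for h in EXPECTED_LOGIN_HOSTS):
        # e.g. accounts.google.com.example.net: the real name is buried
        # inside a longer host name that belongs to someone else
        return False, f"lookalike host {host!r} contains a real login name"
    return False, f"unexpected host {host!r}"


# Constructed samples of what a user might see in the new tab.
SAMPLES = [
    "https://accounts.google.com/signin",
    "http://accounts.google.com/signin",
    "https://accounts.google.com.example.net/signin",
    "https://mail-login.example.net/gmail",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, why = address_bar_check(u)
        print("OK  " if ok else "STOP", u, "->", why)
```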
Finally, for Gmail users in particular, two-factor authentication is a must. It barely adds any inconvenience to your day-to-day browsing experience, and it keeps attackers like these from gaining access to your account.