20:06 18 January 2017
A new phishing scam targeting Gmail accounts has been described as one of the most convincing yet, fooling even experienced technical users.
The fraudulent email contains a link to what appears to be an attached PDF; clicking it opens a fake Gmail login page, allowing the attackers to capture the victim's credentials, then sift through the sent-messages folder to pass the scam on to the victim's contacts.
The fake login page does not seem to trigger the HTTPS security warnings that Google's Chrome browser normally shows when a user lands on an unsafe page. The address bar does show the text 'accounts.google.com', but it is preceded by a 'data:text/html,' prefix rather than 'https://', and the green lock is absent.
Mark Maunder, chief executive of Wordfence, a security service for WordPress, reported the scam.
He said: 'The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
'For example, they went into one student's account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.'
To avoid being a victim of the scam, Mr Maunder said: 'Make sure there is nothing before the host name "accounts.google.com" other than "https://" and the lock symbol.
'You should also take special note of the green colour and lock symbol that appears on the left. If you can't verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.'
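The rule Mr Maunder gives can be applied mechanically by parsing the address-bar text the way a browser does. The following is an added example written for this page, not code from the article or from Wordfence; the sample address-bar strings are constructed here for illustration, and the data: one only mimics the shape of the trick described above (a data: URL whose body starts with the text "https://accounts.google.com").

```javascript
// Added example (not from the article or Wordfence): checks an address-bar
// string against Maunder's rule, namely that the scheme is https: and the
// host is exactly accounts.google.com with nothing in front of it.
// Uses the WHATWG URL parser built into Node.js and browsers.

const EXPECTED_HOST = 'accounts.google.com';

function checkSignInAddress(addressBar) {
  let u;
  try {
    u = new URL(addressBar.trim());
  } catch (e) {
    // Anything the browser cannot parse as a URL is not a Google sign-in page.
    return { ok: false, reason: 'not a parseable URL' };
  }
  if (u.protocol !== 'https:') {
    // A data: URL parses with protocol "data:" and an empty hostname, even
    // though the literal text "https://accounts.google.com" appears in it.
    return { ok: false, reason: `scheme is "${u.protocol}", not "https:"` };
  }
  if (u.hostname !== EXPECTED_HOST) {
    // Catches lookalike domains, userinfo tricks (host@evil) and subdomains
    // of an attacker-controlled domain.
    return { ok: false, reason: `host is "${u.hostname}", not "${EXPECTED_HOST}"` };
  }
  return { ok: true, reason: 'https and expected host' };
}

// Constructed samples (not real URLs from any incident) covering the genuine
// page, the data: trick, and other common address-bar deceptions.
const SAMPLES = [
  'https://accounts.google.com/ServiceLogin?service=mail',
  'data:text/html,https://accounts.google.com/ServiceLogin?service=mail',
  'http://accounts.google.com/ServiceLogin?service=mail',
  'https://accounts.google.com@evil.example/ServiceLogin',
  'https://accounts.google.com.evil.example/ServiceLogin',
  'https://accounts.googl\u0435.com/ServiceLogin', // Cyrillic "е" lookalike
];

// Runs every sample through the check and returns the verdicts.
function auditSamples(samples = SAMPLES) {
  return samples.map((address) => ({ address, ...checkSignInAddress(address) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditSamples()) {
    console.log(`${r.ok ? 'OK  ' : 'FAIL'} ${r.address}  (${r.reason})`);
  }
}
```

Only the first sample passes; the data: sample fails on the scheme, not the host, which is exactly why the quoted advice tells you to look at what comes before the host name rather than just for the host name itself.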