WARNING A scam involving Google and clever programming sleight-of-hand has hit the scene. It’s not entirely new– a prototype showed up in 2014– but it fools many professionals. Apologies in advance for the technical parts below.
A new month, a new scam, this one brought to our attention by a reader. Although widely reported, this scam hasn’t shown up in the ACM Risks Digest yet. Surprise– the scheme starts with your GMail where a note from a friend or colleague contains a link to another page or document. You click and receive a message you must log in again. Happens every so often, annoying but sign in again for security.
A Google log-in page shows up– the URL field (web page address) contains google.com. Enter your name, enter your password. Click. The document your compatriot sent now appears.
You may not know it, but you just lost exclusive control of your Google account. Your pal didn’t send that email and the link was plucked out of your emails.
Let’s look at the sign-on dialogue boxes again. Which one is counterfeit? Hover your mouse over them for the answer, but the fact is, they’re indistinguishable.
 |
 |
The insidious part is that email web sites– Yahoo and AOL included– train us by periodically forcing us to relog in. Hold on… didn’t the URL box contain google.com?
Yes. Over the years we’ve seen clever fraudsters incorporate target domain names similar to this:
http://w5.to/google.com
The trick here is that the real domain, web address of the bad guys, is w5.to. The google.com is only a web page set up to fool you. Other examples might look like the following:
http://citibank.net.w5.to/index.html
This is a variation of the bad guy’s domain, w5.to, above.
http://citybank.net
Here the bad guys registered a variation of the real name made a little easier by CitiBank using a non-standard spelling. These three examples are reasonably clever and some scammers don’t take that much trouble. However, this new one can catch even professionals by surprise:
data:text/html,https://accounts.google.com/ServiceLogin
The clue something is very wrong lies in the first three words, data:text/html – you shouldn't see that at all. The opening letters of an URL don’t have to be http – they can be file, data, help, about, chrome, gopher or possibly another protocol, but ‘data’ is the only hint the page is abnormal.
Expect Google to quickly mount an update, but beware, look ever more critically at URLs when you’re asked to type in your credentials. It might save your on-line life.
Thanks fo the information. google and yahoo are both serious pains in the ass. They repeatedly ask me to sign into my account. When I try to market a new book and send a series of emails to readers, yahoo freezes my account saying I'm a suspected spammer and I have to prove I'm not. Even my edu account with the university, which never blocks me, is google. I'm lucky to be alive.
ReplyDeleteThe scammers never, ever, ever stop. Thanks for the info, Leigh - we all need this!
ReplyDeleteO'Neil, the bad guys have turned a security 'feature' into a wedge to get inside machines. I've asked myself if it would have fooled me. The answer is I'm not certain. I grow used to those random requests to log in again and if I wasn't watching the URL, it might have nailed me.
ReplyDeleteEve, you're right. They will never stop. I regret posting so many warnings, but they just keep coming.
By the way, I apologize if parts appear too technical. It's tricky writing tech for a broad audience.
What the tech guy at the university tells me is never do what any email says about your account. Log out. Log back into google or yahoo and do it through them. Never go to a link in an email. And change your passwords often. It's aggravating.
ReplyDeleteLeigh, keep the warnings coming. A little paranoia is a healthy thing these days.
ReplyDeleteThanks for the warning, Leigh. I won't claim I understood all the details, but I'll take it as a general reminder to be wary of requests to sign in again.
ReplyDeleteO'Neil, that flat out is the best advice, never click on a link in email, especially if it's your bank or credit card company. Always go to your own bookmarks or type in the address manually so you know it's good. Responsible companies don't put log-on links in their emails.
ReplyDeleteThanks, RT. I need the encouragement!
Bonnie, I'm glad if I can help. It's a terrible feeling to get burned, so I always recommend caution and backups, backups, backups.
Wishful thinking, but if only the considerable brain-power required to concoct the scams were put to good use... (sigh)
ReplyDeleteThanks for the heads-up. We have been warned. En garde!