Avoid Phishy Activity Online

This week a Google spokesperson responded to some phishy activity its users have noticed over the past few weeks. Phishing, a malicious method for obtaining personal details online such as usernames, passwords, and even credit card and banking info, has been reported in higher numbers than usual across several services, including Gmail.

Utilizing a deceptive new method, phishers are encouraging email users to click on mail from compromised accounts. Said emails arrive from a known address and include a familiar attachment (typically, one from a previous email with that sender). The thumbnail preview of the attachment, however, is simply a screenshot of the real thing. When clicked on, the image redirects users to a login page that looks deceptively like Gmail’s own login. As soon as a username and password are entered and the “log in” button is clicked, the phisher receives those credentials, and you are not redirected to your inbox.

This phishing scam sends victims to a deceptive Gmail login screen.

On Tuesday, January 17th, Google’s Aaron Stein told Mark Maunder of Wordfence that the company was aware of the issue, and is continuing to work toward strengthening defenses against malicious activity such as phishing.

Collecting user data through compromising email accounts, i.e., phishing, is not a new practice, but there are two key factors that cause this recent resurgence to stand apart from past efforts: A - it’s effectiveness in getting users to open the email, and B - its high quality replication of certain online services’ login pages.

When one receives an email from a compromised account, it is generally pretty easy to identify phishy activity. Indicators such as content in the email’s body as well as font tend to hint toward a compromised account; But this new method has fooled even advanced web users. Luckily, now that a larger number of users have fallen victim to the same trick, a pattern has emerged that users can now be on the watch for.

It may not be easy to tell a screenshot of an attachment from the original image itself, at least not while briefly glancing at a thumbnail. And it is certainly hard to train one’s eye to look for imperfections or differences in login pages, especially when they are thoroughly hidden and difficult to find. However, there is one constant that plays an important role in this most recent bout of successful phishing - and that’s what displays in a user’s browser location bar at that very crucial “log in page.”

Text we see over and over again in our browser location bar begins to look familiar at a certain point. We may not conscientiously read the entire URL for each website we frequently visit, but most of us have a loose visual reference for some of the text that a lot of those URLs contain. In these instances of phishing, the URL bar is exactly the place one must look in order to notice any difference between the page you’re viewing and Gmail’s actual login page.

Instead of a usual web destination displaying in your browser location bar after clicking on that fake attachment (mentioned above), in its place will be a data URI, or complete file destination - which will include some text resembling that of your Gmail login page. In that case, you will see data:text/html in your browser bar before https://, displaying fully as: data:text/html,https://accounts.google.com.

Here I’ll highlight the phishy section so it stands out from the rest of the file name:


Unlike when it comes across an insecure connection, Chrome provides no visual indicator (such as a change of color in the text or an “x” through part of it) to suggest that something is awry in these instances of phishing. In fact, the text in your browser bar will at a quick glance, look completely ordinary under these circumstances other than the minor distinction mentioned above.

Despite acknowledging the problem in their remarks to Wordfence this past Tuesday, Google has yet to suggest that any aid in identifying such attacks will be implemented in the near future. That leaves the average web surfer to know what to look for, and to fend for themselves.

Share this post

About Tenta

Tenta is a next generation browser designed for privacy and security. Built-in true VPN, full data encryption, video downloader, secure medai vault, HTTPS Everywhere, Tenta DNS, and more.

View all posts by Tenta >

Install Tenta Browser Free!

Start protecting your online privacy today with Tenta Browser.

Download Tenta Browser Google Play Button