The New Gmail Scam

5 Ways to Defend Against Phishing Attacks

by: Adrian Turika

There’s a reason almost 1 in 3 phishing emails were opened in 2016, a rate that has risen steadily since 2011 (Verizon 2016 Data Breach Investigations Report). Phishing has become attackers’ most used way in: it has always been among the most effective techniques and it demands the least technical skill. Gmail is fairly good at flagging spam and scanning real attachments for malware. This new scam sidesteps that by exploiting the trust you place in a familiar sender: the message appears to come from a friend, family member, or colleague. The catch is that the attachment isn’t real. It is an image drawn to look like a Gmail attachment, with a link embedded in it. The link, not the picture, is the threat: it takes you to a fake site built to steal personal information.

Here’s an image of an attachment in Gmail. You’ve probably seen this before.

[Image: phishing email example]

There’s a way to tell a genuine attachment from an image that merely looks like one, and to judge which links are safe to click. I’ll cover that towards the end of the article. For now, note what appears when you hover over the image. You’ve probably seen these Bitly short links before. Read on and you’ll learn how to see where such a link leads and how to decide whether it is safe.

But let’s be very clear here: IF what looks like a Gmail attachment is really an image that acts as a link, DO NOT click it. That’s your red flag. A real attachment is not a link to an outside website; if hovering over it shows a web address, it is not an attachment.

Clicking one of these scam links doesn’t download anything (not through Gmail, at least), contrary to what you expect. What makes the scam clever (and dangerous) is that the attacker controls where the embedded link goes and can send you anywhere they like. Once you are on a page they control, they can harvest whatever you type or try to push malicious code onto your computer.
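As an added example (this is not code from the original article or from Gmail), here is a Python script that applies the red flag above to a raw message: it lists the real MIME attachments, then parses the HTML body for links that wrap an image, which is exactly what this scam’s fake attachment is. It also records where each link points, flagging non-HTTPS targets, URL shorteners, and link text that shows one site while the address goes to another, though an image-link by itself is the warning sign regardless of destination. The two sample messages, the shortener list, and the domains are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small illustrative list of URL-shortener hosts.
SHORTENERS = {"bit.ly", "bitly.com", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}


class _LinkCollector(HTMLParser):
    """Collect every <a href> in an HTML body and note whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # the <a> currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href", ""), "text": "", "wraps_image": False}
        elif tag == "img" and self._current is not None:
            self._current["wraps_image"] = True  # a clickable picture: the scam's "attachment"

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def _host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze_link(link):
    """Attach warning flags to one collected link."""
    parsed = urlparse(link["href"])
    host = (parsed.hostname or "").lower()
    flags = []
    if link["wraps_image"]:
        flags.append("image-link")
    if parsed.scheme != "https":
        flags.append("not-https")
    if host in SHORTENERS:
        flags.append("shortener")  # destination hidden; expand it before trusting it
    text = link["text"]
    # Visible text that looks like a URL but whose host differs from the real href.
    if text.lower().startswith(("http://", "https://", "www.")) and _host_of(text) != host:
        flags.append("text-host-mismatch")
    return {"href": link["href"], "text": text, "host": host, "flags": flags}


def analyze_message(raw):
    """Separate real MIME attachments from image-links in the HTML body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    real = [part.get_filename() for part in msg.iter_attachments()]
    links = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        links = [analyze_link(link) for link in collector.links]
    fake = [link for link in links if "image-link" in link["flags"]]
    return {"real_attachments": real, "links": links, "fake_attachment_links": fake}


def build_sample(html, pdf=None):
    """Constructed sample message, optionally carrying a genuine PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(html, subtype="html")
    if pdf is not None:
        msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


# Scam body (constructed): a picture of an attachment that is really a link, plus a disguised link.
SCAM_HTML = (
    "<p>Please see the attached invoice.</p>"
    '<a href="http://bit.ly/2EXAMPLE"><img src="cid:chip" alt="invoice.pdf"></a>'
    '<p>Or pay online: <a href="https://evil.example/login">http://www.google.com</a></p>'
)
# Legitimate body (constructed): the real attachment travels as a MIME part, not in the HTML.
REAL_HTML = "<p>Please see the attached invoice.</p>"

if __name__ == "__main__":
    for label, raw in (("scam", build_sample(SCAM_HTML)),
                       ("real", build_sample(REAL_HTML, pdf=b"%PDF-1.4 constructed"))):
        report = analyze_message(raw)
        print(label, "real attachments:", report["real_attachments"])
        for link in report["links"]:
            print("  ", link["href"], "->", link["flags"] or "ok")
```

Run it and the scam message shows no real attachments but one image-link pointing at a shortener over plain HTTP, plus a link whose text says google.com while its address goes to evil.example; the legitimate message shows one real attachment and no links at all.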

What we’re seeing in this flurry of attacks is mostly credential and payment theft: you are sent to a look-alike of a site such as ComEd to pay your electric bill, your login is captured, and you may be talked into handing over your credit card details as well. The scary part is that these attacks are becoming more frequent and more effective. Your next-generation firewall and enterprise-level antivirus make it much harder for an attacker to break in from the outside, which is exactly why you and your employees are the weakest link in your IT security chain.

The good news is there are ways you can easily protect yourself. Below are a few good practices when handling email:

  1. Don’t inherently trust the sender shown on an email; the From address is trivial to forge. If the information is highly sensitive, call the sender to verify they sent it, or use PGP. A PGP signature lets you verify who really sent the message, and PGP encryption ensures that only the intended recipient, holding the matching private key, can read it.
  2. If there’s a link in your email, regardless of who it came from, spend the 2 seconds to hover over it and see where it really leads. A link whose text reads http://www.google.com doesn’t necessarily go to Google: the visible text and the underlying address are independent. Check for yourself; hovering is safe, I promise. Then read the real address carefully. “https” at the start means the connection is encrypted and the certificate was issued by a certificate authority for that hostname, but it says nothing about whether the site is legitimate. Phishing sites get certificates too, so judge the hostname itself, not the padlock.
  3. If the site uses HTTPS, double-check the certificate by looking to the left of the address bar for the padlock (and, in browsers that show it, the word “Secure”). If it says “Not secure”, the certificate may simply have expired or the page may not use HTTPS at all, but tread with caution: never type a password or card number into a page flagged that way.
  4. What if you can’t tell where a link goes, such as a shortened one like https://bit.ly/2ooCy3t? In this case you can use a URL expander to reveal the real website behind it. A quick, simple one I use is LinkExpander; it also shows you a preview of the page and gives brief details about it. For Bitly links specifically, appending a plus sign to the short URL shows Bitly’s own information page for the link, including its destination, without visiting it.
  5. If you are downloading a file, make sure an antivirus (e.g., Sophos) is actively running, and learn to check the file’s hash against the one the publisher lists. Use SHA-256 where it is offered; MD5 and SHA-1 are both broken against deliberately crafted collisions and should not be relied on for this. If you’re the victim of a man-in-the-middle attack on a plain HTTP download, the file you receive can be swapped for one carrying malware, and comparing its hash with one obtained over a separate trusted channel (the vendor’s HTTPS page, not whatever arrived alongside the file) is how you catch that. A quick search for “SHA-256 checksum” turns up the built-in tools on every platform, and hashing most files takes less than 10 seconds.
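The hash check in item 5, as an added example that is not part of the original article: this Python script verifies downloaded files against a `sha256sum`-style manifest (one `<hex digest>  <filename>` line per file, the format many vendors publish). It streams each file so large downloads never have to fit in memory, compares digests in constant time, and flags any line that relies on MD5 or SHA-1 even when the digest matches, since a collision-broken hash gives little assurance. The files, manifest, and filenames are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> (algorithm, considered weak). MD5 and SHA-1 are marked
# weak because chosen-prefix collisions are practical for both.
_ALGOS = {32: ("md5", True), 40: ("sha1", True), 64: ("sha256", False)}
_HEX = set("0123456789abcdef")


def file_digest(path, algo, chunk_size=1 << 16):
    """Hash a file in chunks so large downloads never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest_text, directory):
    """Check each '<hexdigest>  <filename>' line the way `sha256sum -c` does.

    Returns {filename: status}; status is one of 'ok', 'mismatch', 'missing',
    'weak-ok' (digest matched but only via MD5/SHA-1) or 'bad-line'.
    """
    results = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        expected, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        algo, weak = _ALGOS.get(len(expected), (None, None))
        # Reject unknown digest sizes, non-hex digests and names that escape the directory.
        if algo is None or not set(expected) <= _HEX or name != os.path.basename(name):
            results[name] = "bad-line"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = file_digest(path, algo)
        # compare_digest does not leak where the two strings first differ.
        if hmac.compare_digest(actual, expected):
            results[name] = "weak-ok" if weak else "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed downloads: one genuine, one altered in transit, one legacy MD5 entry."""
    genuine = b"installer v1.0\n"
    tampered = genuine + b"extra payload\n"  # what a man-in-the-middle swap leaves behind
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("tool.exe", genuine), ("tool-tampered.exe", tampered),
                           ("legacy.zip", genuine)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # The manifest must come from a trusted channel (e.g. the vendor's HTTPS page),
        # never from the same place as the file itself; here it is simply constructed.
        manifest = "\n".join([
            "# SHA256SUMS (constructed)",
            hashlib.sha256(genuine).hexdigest() + "  tool.exe",
            hashlib.sha256(genuine).hexdigest() + "  tool-tampered.exe",
            hashlib.md5(genuine).hexdigest() + "  legacy.zip",
            "0" * 64 + "  absent.bin",
        ])
        return verify_manifest(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20} {status}")
```

The genuine file reports ok, the tampered copy reports mismatch even though it starts with identical bytes, the MD5 entry reports weak-ok to tell you the match is not worth much, and a file the manifest lists but you never received reports missing.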

If you’re interested in learning more, CrossRealms will be scheduling security training workshops in the upcoming months. Stay tuned for details!

For questions or concerns about what you could do to help make sure you or your employees don’t fall victim to this scam, please feel free to share it and reach out to me at aturika@CrossRealms.com

 

Written By: Adrian Turika