LH January 12, at am: Ha, I was thinking this too - how to explain to my father and stepmother?! I don't think it can be done.
RobM January 16, at am: The lock symbol isn't a sign that you're connecting securely with your intended site. It is simply a sign that your communications between yourself and whoever you're talking to are secure. If I buy mail.
Samuel Femi January 18, at am: Thanks, I thought I was the only one thinking about that.
Michelle W January 13, at am: There's an even easier way to explain it. They are already logged into their Gmail, so they should not be asked to log in again.
Tonia January 16, at pm: That's an excellent point Michelle, although I wonder if the average user will realize that a prompt to re-login to your Gmail is indeed a red flag? It's scary what people can do with all that hacking ability!
Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited
Beamrun January 14, at pm: You can also enable 2-step verification for them: moms, dads, grandparents, children. They only need to enter the phone confirmation once on every new device they start using.
Mike January 18, at am: 2-factor authentication is critical, but it will not prevent me from falling for a phishing site. Yes, it will prevent an attacker from gaining access to my mail account. But if I use my password elsewhere, they still have my credentials to try using at other sites. A password storage app like 1Password makes it easy to keep separate passwords for every site, so getting access to one site limits the damage to that site. And the best answers to those "security questions" used as an alternative to 2-factor are made-up! It's far too easy to find your real mother's maiden name, schools, old addresses, etc.
Chook January 12, at pm: Using an easy-to-use app for Gmail 'might' be an alternative. I say might because I'm no web security guru. It looks like this is done on a browser level where the address is not the real Gmail address; using an app, I guess, would avoid this.
Lauren Barnes January 13, at am: I fell for this the other day. I did change my password. Is there anything else I can do?
Most of us, young and old, too, should be able to handle looking for the green lock. It's the ounce of prevention.
This means that all apps need to ask for your permission again before they have access to your data, so your Google account would be safe again. If the attackers gained access to other services by resetting your password then changing your Google password would not have any effect, so it's probably a good idea to change all your passwords.
Sash January 14, at am: I bet your kids already know. If not, they are probably too young and shouldn't log in anywhere anyways, at least not without supervision.
Beamrun January 14, at pm: You can enable 2-step verification for them.
Berrie Pelser January 12, at am: Wow, thx!
Alan Gunn January 12, at am: I suspect the answer was vague and unhelpful because it was made by Google mail help staff. Google mail support cannot change the way the browser address bar responds to secure and insecure URLs. Other parts of the Google group that support Chrome might be interested in implementing these features in Chrome, and they could also probably influence other browser suppliers directly or indirectly to implement similar features in their browsers.
Daniel January 12, at am: Why would a 'technical user' not be using 2 factor???
StanG January 12, at am: Because for my private use of services that do not involve money it's too much of a hassle. Besides, I'm confident in my ability to recognize a phishing attempt however good it is, as long as the browser shows me all I need to know in the address bar (lock, protocol, domain).
Someone January 16, at am: "Too much of a hassle?" Your email is the single point of failure for all other accounts - if your email is compromised then an attacker can trivially gain access to and remove your access from any other account associated with that email address.
Emanuel Costa January 13, at am: You got it. And nowadays 2-way auth isn't just for the tech savvy people. Hopefully it's not repeated on other sites, but you know, these things can happen.
Mike January 25, at pm: I would consider myself a technical user that does not use 2-factor. Short answer: Privacy. I have several Gmail accounts that are only accessed through different SSH proxies i. My phone number is only tied to a single account which I use on my phone. I connect to that account through the same proxy every time. My other accounts I connect to on other proxies. The reason for this is so that Google cannot correlate the different accounts as all belonging to the same user.
V K Rajagopalan January 12, at am: I think generally people do not pay such in-depth attention to the address bar, hence these hackers have become so effective.
Aaron January 12, at am: Thank you for the article. It's really important. Thank you once again!
Tom Andersen January 12, at am: I would love a browser setting to only allow forms to be filled in on https sites with real certificates.
Brother Tony O January 12, at pm: Seems like an obvious feature now that I've read your comment. Hopefully, the right people pay attention to you.
Donna Perry January 12, at am: I just wanted to leave this comment of appreciation for your service. Although right now I'm not financially able to upgrade to the full version of your plugin, I do see the value of your services. I'm not really technically savvy, but I do read your alerts and posts, which helps me understand some things. Keep up the great work.
Paul January 12, at am: Thanks Mark! I'd like to say this wouldn't fool me, but if I was distracted
Nadine N. Bone January 12, at am: Thanks for sharing this detailed update, this is very helpful!
Grant January 12, at am: This is very similar to how eBay phishing campaigns work. For example: you receive an official looking inquiry on an existing note: public auction you are running, and click the "Respond Now" button. The combination of recent and familiar data with the official look is tricky. This is a great reason to never click links in emails out of convenience. Just navigate to the website or service manually on your own i. For many, that's a hard habit to break.
Charles Tryon January 12, at am: Where the "don't click on links in email" breaks down is when you click on what appears to be an email attachment for a recognized image or file from a trusted source. This isn't just an obvious "Click here to log into your bank account". You are expecting to see the file, and instead, get a "Please log in to your account again."
Loughlin McSweeney January 12, at am: Thanks so much for the heads up on this. This is a clever phish, I could see myself falling for this. Not now though. Thanks again.
Etienne January 12, at am: Great post! Thanks for that! How can I know if my account has been hacked? Do you know how to check that?
Don't be surprised if you were hacked in a data breach at some point. Just make sure you have changed all passwords since then and enabled two-factor. The site is run by Troy Hunt, who is a reputable security analyst, so don't worry about entering in your email. It's a trustworthy site.
Etienne January 13, at am: Thanks!!
Mark Maunder January 17, at am: Works for me. It's a valid EV cert. Are you on public wifi?
David Stevens January 12, at am: Google now has at least three ways to authenticate. Do you have an opinion about which method would be most secure? You can read more here:
Jonathan January 14, at am: There's a fourth that's possibly even better: using a physical USB security key e. You never see the cryptographic code exchange, so you can't be tricked into giving up the 2nd-factor code.
I would also point out, while it is true that I seldom voice my opinions on such matters publicly, that this article is very well written. You cover the danger, the method, and the flaws not just in how Google is handling this but also in human nature, which allows these exploits to succeed. Your suggested solution is still based upon humans learning what to watch for, even if it is an amber warning and icon that should grab their attention, but it seems that these days many people have become lazy or in a hurry, thus opening the door for exploits such as this one. I forget now who said it, but to quote them anyway: "A shield does you no good if it is hanging on the wall when the arrow strikes your heart." I would also point out that Google does have some limited protection for those who use features like the bar code verification and a registered smart phone. Cheers, Peter.
Emiel January 12, at am: Thank you for this post!
Kyle January 12, at am: I thought this part was particularly clever: "something that looks like an image of an attachment you recognize from the sender". This is something I don't think would catch me on a good day, since real Gmail attachment previews have some onHover features, but when you're tired or rushed... And I think one of the original Hacker News posts mentions that the only reason he noticed something was phishy :D was because that image was sliiightly fuzzy on his high-DPI monitor.
Nnaemeka January 12, at am: Thanks Mark, I was attacked by a similar mechanism. One contact who has had financial dealings with me sent me a PDF attachment. When I clicked the attachment, I was asked to enter my Gmail password to unlock it. But I reasoned that no one has the right to ask me to use my Gmail password to unlock some file. I took another look at the email the sender used and it was that of the acquaintance. I had to arrive at the conclusion that the guy's email had been compromised. Something similar to what you described has also happened earlier. But in this case the sender was not known to me. So, I refused to log in when the login page was presented upon clicking the attachment the scammer sent me. I almost fell prey to it.
Mark Maunder January 12, at am: Thanks for sharing. Glad you didn't fall for it. Send us screenshots if you have any.
Becky Melton January 12, at am: Won't the Gmail user get an email from Gmail alerting that there has been a login from a new browser? Or do the hackers have a workaround for that?
Charles Tryon January 12, at am: If the compromised account is being monitored, then the hackers can simply delete the alert before you have a chance to see it. Or, maybe they can turn off the alerts in settings. This would only warn you if you had a separate email account enabled for alerts.
Jim Sto January 12, at am: I can post my username and password on every billboard worldwide, I can even give it to you, unless you have my phone you won't get anywhere. This is not really a big issue and Gmail knows that.
Ken January 12, at am: One thing you can do in Gmail in a browser to see if you've been hacked is to check your login activity. If you see any logins in your history from places you don't know, you may have been hacked.
Mark Maunder January 12, at am: Thanks Ken. I used your comment to update the post almost verbatim. Very much appreciated.
Emmanuelle Hessel January 12, at pm: Thank you for this info. Checking my recent activity in Gmail only seems to go back a few hours.
Stuart Buckell January 12, at am: Thanks for the informative post. I should add; one of the best ways to protect yourself against this attack is to add 2-factor authentication to your account, and use the Google Authenticator application with your phone. This will almost guarantee your safety, since a new login from a new browser will trigger the 2-factor process (they will not have your cookie), resulting in your password being useless.
JamesMac January 12, at am: Stuart, if you are logged into your Google account, then this link should cover it: I use that system with my smart phone and while I have had one breach via Ubisoft having been hacked, my Google account has never shown a breach to date. Knock on wood.
William Bennett January 12, at am: Several versions ago Safari started doing this "helpful" little thing of not showing the full URL of whatever site you're on in the address bar. I can think of NO advantage to it and, as this article points out, there are severe disadvantages.
Graham January 13, at am: Unfortunately, in their "wisdom" Apple have removed this option in Safari for iPads. This is certainly the case for iOS 9 upwards.
Michael Curtis January 12, at am: Thank you for this information.
Jeremy January 12, at am: I was able to reproduce the URL aspect of the hack easily enough, but when I added the hack code to a link in an email and sent it from server-side code via PHP, Gmail stripped the link from the email. I tried several escape combinations but Gmail either removed the link or re-wrote the URL, appending the sender domain, which broke the hack. The source code was correct, so the code wasn't modified by my SMTP during the send, so it must have been Gmail that stripped the hacked code.
Steve January 17, at am: There's no requirement that the hackers or victims use Gmail, so Google's protection in this regard might not be implemented by other email providers.
Linnet January 12, at am: I'm curious how this type of email would appear in an email client such as Outlook, rather than on the web? Will it get through as a legitimate email?
Paul Guilfoyle January 12, at am: Thanks Mark for another great post. Shared on my Fanpage. All best, Paul.
Roland January 12, at am: I've read about this a while ago, but hadn't thought it was "in the wild". I'll translate the easiest to understand, least technical, most to-the-point parts of this article to Dutch and place it on my Facebook tomorrow to warn my less technically inclined friends and family.
Mark Maunder January 12, at am: Thanks Roland. Post the link here when you have done that.
Mark Maunder January 12, at am: If you copy and paste the password you will still be caught by this. If you are using a browser plugin then it may behave differently.
Jose Flores January 12, at am: Great info. I surely will keep my eyes open for this.
Mike Davis January 12, at am: Thanks so much for keeping us apprised of these sorts of things, Mark. I've passed the link to this article along to the head of security of my current client's company, and shared it on FB.
"Pwned on 1 breached site and found no pastes (subscribe to search sensitive breaches)." How do I figure that out and what do I do? Does that mean they have access to everything now? How do I know how long ago that happened?
Jeremy January 18, at am: Paula, you should consider: How central to your online presence is the account for that breached site? If it were your main email account, for example, that's rather crucial and has great potential for harm. Did you use the password for the breached login with any other site logins? Re-using passwords is a bad habit of many internet users, and can be stopped by simply using a password manager to create and store long, unique passwords for every login you have. Be sure to change the password and any other authentication measures like security questions, recovery codes, etc. Your answers to those two questions I've asked correlate to your question "does that mean they have access to everything now?" To answer your question about time of breach, you can probably simply Google "[name of breached service] breach" to find articles about it. Many high-profile breaches will be mentioned by several websites and reading such material may give you a clearer picture of when it may have occurred.
Jerry January 12, at am: Only works on single layer security accounts. If you sign in using cell phone verification.
Richie January 12, at pm: May we use some of your images in our own blog? We will provide a credit and link to this article.
Mark Maunder January 13, at am: Sure.
Bowie January 12, at pm: Haven't seen anything unusual lately. I usually don't log out after I check my emails so I don't know if this keeps out access by others.
Kathy Cox January 12, at pm: Any idea if this same technique works on company emails using Google for Business?
Mark Maunder January 13, at am: Yes it does.
Don't be surprised if your email shows up on the list. Be sure to change your password for the site listed and set up 2-factor authentication, at least for a while to make sure they aren't getting back in.
For this reason it's only really useful for large data breaches against organisations, not phishing attacks on users where attackers will generally keep compromised details to themselves.
My website tech just sent this. Thanks for the info.
In addition - if you've received an email in your Gmail account, then you're already signed in - so to click on a link that requires you to sign in again should be another red flag that something's not right. It all seems innocent and we can easily get caught up in the process - but small precautionary actions like looking at the URL can be the difference between safe browsing and getting hacked. On the flip side - if your account is compromised, it is imperative to change your login details (primarily passwords). Also, if you think it's appropriate - perhaps share on your social channels that your account has been compromised and that your contacts should ignore messages from your account for the next little while, or something to that effect.
Someone January 16, at am: This advice is all well and good in hindsight, but:
This attack is particularly malicious because it acknowledges the behavioural habits of even vigilant and security-savvy folks and finds a crack in them.
Anne January 12, at pm: Hi Mark, it also reminds me of a post SANS.ORG did this week about realtors being targeted. It too had a page where people logged in. More details here:
If I have changed my password, and am not particularly disturbed by the increased number of spam, am I ok? Well, I don't love it, but what can I do? Also, what can hackers do with usernames other than having it as one less thing to guess?
Lee January 13, at am: I have the same question Ben does. I've never re-signed into any accounts but two of my three accounts (not Gmail, ironically) have been pwned.
Heather Wimberly January 12, at pm: The security on Gmail is so friggin' secure that I have found myself locked out of my own primary account with no possible way to get back in because Google tells me they can't verify my identity. I had to set up an alternate identity with an alternate persona and now you're telling me that may have been hacked? Go hackers! Moira LaPorte wishes you all the best of luck figuring out who, what, when, where and how anybody is on the system I am using now. If you do figure it out, please let me know.
Rob Roy January 12, at pm: A good reason to never leave email on a server. This will cause them all to be moved and deleted on the webserver too. Safer is to buy a domain name; most come with a free email account you set up on them. These hackers don't much go for individual smalltime domain names, but the large ones from Yahoo, Gmail, AOL, etc.
Craig January 12, at pm: Great post again. I'm always telling clients to watch this, more so now what with WordPress and Google moving more to https sites for better SEO. It amazes me the amount of friends and clients that roll their eyes at me thinking yes yes we know but never take action.
Vicky W. January 12, at pm: Sharing this. Also thinking through the two-factor authentication since I have it turned on. Wrapping my brain around that piece. If this happened to me and I clicked the image, it would take me to a login page, but Google would NOT ask me for a 2nd authentication at that point because I would be logging in on a browser I already use. Depending upon how the hack happens... Then any time they logged in after that, it wouldn't send a message because no second step would be required. If, however, the hack simply sends them my login credentials, which they tried to use later, then since they are on a different browser, the 2-factor authentication should kick in, send me a message when they tried to log in at some point later, and I would know something was wrong. I guess it just depends upon how they have their hack structured, if they're immediately in the account live and making changes to the settings, whether that is done by software or a person. I'd think if they can write up a hack, they would be able to make that happen too, at which point the two-factor authentication couldn't help.
Roland January 13, at am: Just thought I'd share this: Chrome has different ways of displaying the security status. If, like me, you use Chrome's incognito windows a lot, the icons are white instead of green, making it a bit harder to see whether a site is secure or not.
Internet Explorer 11 is similar in behaviour: EV-certificate secured sites get an entirely green address bar, displaying the certificate holder's name after the lock icon. The icon gets shown on the far right in the address bar though, so it's a little less obvious whether you're looking at a secured site or not than it is in Chrome.
Jennifer Bouchard January 13, at am: If I was affected, how do I fix it? Change password and enable two step verification? Anything else I need to do?
Mark Maunder January 13, at am: See the blog post.
Irma January 13, at am: Thanks!
Mark Maunder January 13, at am: Thanks!
Kim January 13, at am: Yup. This happened to me about two years ago. The hacker got into my email account and found an email I'd sent to my bank requesting a wire be sent to a vendor. The bank failed to check the authenticity and didn't get my signature for the wire (their error). Fortunately the bank corrected the error at their own cost. To my knowledge, the hacker was never caught.
Sandra January 13, at am: Thank you for taking the time to research this phishing hack on Gmail accounts and then translating it in a way that even an average user could understand. Greatly appreciated.
Jonathan M January 13, at am: That's clever on the part of the hackers. This page goes from discussing the mechanics of the phishing process to the appearance of the address.
The first is about Gmail. The second is about the browser. I assume Google's Chrome is being discussed. Browsers should make it easy to see the domain hosting the page of the moment. All browsers, not just Chrome.
A dedicated domain display window would accomplish that.
Dan January 13, at am: Thanks for constantly keeping us up to date with all the WordPress issues Mark!
I got as far as the second sign in and smelled a rat. After some thought I used the old "turn it off, then turn it back on" fix from much earlier days. As far as I know it worked, but I am checking the haveibeenpwned website. Thank you for waking me up.
I am assuming now that I changed everything they no longer have access? What about the info they have on hand?
I must say even a non technical guy like me could understand about the attacks. I also checked my accounts on that website you suggested.
Jen January 13, at pm: I noticed two logins from the East coast over the last two days -- and I'm on the West coast. When I clicked for more information, it turns out the login is for UnrollMe, which culls newsletter signups into one digest.
Ken January 13, at pm: Thanks a lot for the post Mark. Very helpful, so I've shared with my friends as well.
There is some unseen motive that we have yet to uncover as a result of this attack.
Was it an insider threat? Was it due to insurance fraud? Doubt it; I really hope not. Was it just some random hacker doing it just because they can? I feel terrible for the owner in having to deal with this. I really hope the truth comes out and whoever did this suffers for their actions.
I am sorry, but I have no sympathy for this guy. There is no way this should have happened, but he should have had an off site backup somehow of something, at least for the past 10 years, or however long they have been open. Sorry to hear this, but I bet you just taught a bunch of others to get off their ass and make sure they have better security, updates, and more backups.
With the size of data stores, doing tape backup becomes less and less practical as it can take months to do a single backup, and with 18 years of emails from so many customers those numbers add up. IT is just too big and complicated for one person to do it all right all the time. When there are paying customers involved it is just irresponsible.
Anyone know what the pricing was on this solution? People paying bottom dollar, you get what you pay for....
A decent tape library costs less than ten thousand dollars, and any decent backup program (Veeam, for instance) can do forever forward incremental backups and synthetic full backups.
Lots of people talking about offsite backups and offline backups and being highly critical of the data protection arrangements for this company. For more than a decade every new entrant into the backup market has been solely online disk based, at least initially, and come in with a message that tape is dead. A large majority of the data protection industry is at least in part to blame for this kind of disaster. We need to look at our messaging and rein in marketing departments who insist on simple, easy generalisations to get the sale. Both offsite tape and cloud object storage are still vulnerable to a dedicated attack (the hosting providers can be attacked, the offsite vault can be attacked), though these are much higher bars to reach. Disclosure: I work for one of the data protection vendors who still have a tape offering.
It does indeed sound very difficult to grasp and quite suspicious, with the alleged wrongdoer leaving nothing to be retrieved and having access to different firewall door accesses.
Very high density of storage with DIY possibility of data retrieval if the companies that do it go out of business. Unlike tape, film is unaffected by magnets, seismic shocks rattling hard drives, hacking, and third-party mix-ups. All cloud storage is susceptible to screw-ups and mechanical failure. Tape degrades after 5 to 10 years and has to be re-copied. What happens when your tape reader busts and the company that encrypted it goes belly up? With care, archivists have films going back at least years.
Krebs on Security: In-depth security news and investigation.
I have nothing to add for this topic.
I thought that was SOP for anyone in the business! Security is a Process, not a Product.
Newman, I agree, this may be any criminal organization trying to eliminate evidence of a crime(s).
Possibly a spearphishing attack with a RAT tool?
Datastore size is no excuse for not having proper backup.