Gmail users all over the world are discovering that their accounts have been taken over by hackers. There’s a new phishing campaign that’s catching even the savviest users in its net by tricking them to fork over their username and password.
Researchers uncover high-tech Gmail phishing attack
This comes as a big surprise not only because of how sophisticated this phishing campaign is but also because, while Yahoo has made a name for itself as the place where hacked email accounts reside, Gmail has painted itself as the highly secure choice. Usually it is, and therein lies the surprise.
Researchers with Wordfence, which makes a well-known WordPress security tool, warned about the Gmail phishing attack in a blog post. They stated that it’s been far-reaching and that even “experienced technical users” are being caught.
To collect a user’s password, the phisher disguises himself as a contact the person apparently knows and trusts. Then he sends an email with an attachment to the user using his disguised account. In some cases, the attachment might appear to be a PDF document, for example.
How this Gmail phishing attack works
However, the attached file isn’t actually the type of file it appears to be. Instead, it’s an embedded image that’s been made to look like a PDF. When the user clicks on the embedded file, rather than bringing up a preview of the document, it takes them to a fake login page for their Gmail account. The only thing on that login page which indicates that it’s a fake and not the real thing is the address bar in the browser.
But even the fake address in the browser bar isn’t easy to spot because you’ll still see accounts.google.com. Wordfence researchers are now advising all Gmail users to look beyond that part of the address in the browser bar and look at what’s in front of it before they log in to their account. In this case, the phishing culprits are using a “data URI,” which adds “data:text/html…” to the address in the browser bar.
So before entering any information, Gmail users are advised to look at what comes before accounts.google.com in the browser bar and make sure there’s nothing there except “https://” and a lock symbol. This includes whitespace, text or anything else. Also, the https and lock should be in green. If it’s black, then the login page is probably a fake. If things don’t look right, think about what you clicked to bring you to the page.
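The address-bar check described above, written out as an added example (not code from Wordfence or Google): it parses what the bar shows and only passes a real https origin on accounts.google.com, rejecting a data: URI whose payload merely contains that text. The sample addresses are constructed for illustration.

```javascript
// Added example: classify an address-bar string before signing in to Gmail.
// Passes only when the page origin is https://accounts.google.com, which is
// the check the article recommends; everything else is flagged with a reason.
const EXPECTED_HOST = "accounts.google.com";

function classifyLoginAddress(addressBar) {
  const raw = String(addressBar);
  // Whitespace or stray text ahead of the scheme is itself a warning sign.
  if (raw !== raw.trim()) {
    return { ok: false, reason: "whitespace around the address" };
  }
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }
  // A data: URI renders inline HTML; any "https://accounts.google.com" the
  // user sees is just text inside the payload, not the page's origin.
  if (url.protocol === "data:") {
    return { ok: false, reason: "data: URI, page is inline HTML not Google" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme is not https" };
  }
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: `host is ${url.hostname}, not ${EXPECTED_HOST}` };
  }
  return { ok: true, reason: "https origin is accounts.google.com" };
}

// Constructed samples: the genuine sign-in page, the data: URI trick from the
// article, a plain-http variant and a look-alike host (all hypothetical).
const SAMPLES = {
  genuine: "https://accounts.google.com/ServiceLogin",
  dataUri: "data:text/html,https://accounts.google.com/ServiceLogin%3Chtml%3E",
  plainHttp: "http://accounts.google.com/ServiceLogin",
  lookAlike: "https://accounts.google.com.example.test/ServiceLogin",
};

// Returns { name: verdict } so the results can be inspected or asserted on.
function checkSamples() {
  const out = {};
  for (const [name, addr] of Object.entries(SAMPLES)) {
    out[name] = classifyLoginAddress(addr);
  }
  return out;
}
```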
It’s also not a bad idea to enable two-step verification on your Gmail account, if you haven’t already. This way even if someone manages to steal your username and password, they will find it difficult to get into your account. According to Wordfence, some believe two-step verification doesn’t even offer protection in this case, but the team hasn’t seen any proof of concept on this and thus can’t confirm that it won’t help.
Why this Gmail phishing attack is so lethal
The culprits in this Gmail phishing scheme act immediately. As soon as a victim enters their username and password into the fake login page, someone grabs them, logs into the account, and takes it over. It’s unclear whether this is automated or whether there is a team constantly standing by to do this.
As soon as they’re in, the hackers have access not only to the victim’s emails, which they will probably download immediately, but also their contacts. They will also have full control over the email address. Wordfence also warns that this technique is so sophisticated that it wouldn’t take much to adapt it for other platforms.
Google claims to be working on this weakness but gave Wordfence the kind of standard, non-specific statement it usually issues on a topic like this:
“We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”