Even security-conscious email users have been falling for a new Gmail phishing scam. The attack harvests Google login credentials by tricking recipients into clicking what looks like an attachment and then re-entering their Google username and password on a fake sign-in page.
It works like this: once a victim has been phished, the attackers log into the account, scan it for a real attachment and subject line, and reuse them in messages sent from that address to the victim's contacts. For example, the attachment could be an update on a document you were collaborating on earlier that week with a co-worker. The attack works so well because both the sender and the attachment look legitimate.
Once an email is sent from the victim's account, the recipient opens it and clicks the attachment, which brings them to a Google login page asking them to verify their credentials. Being asked to sign in again isn't unusual, especially when you expect to land on a Google Doc.
However, a closer look at the URL shows that this page is neither genuine nor secure:
A legitimate Google login page looks like the example above: the browser shows the padlock, the URL begins with https://accounts.google.com/, and there is no additional text before accounts.google.com.
The URL used in the phishing scam, shown in the second example above, is not an encrypted URL at all. It is a data URI, a URL that starts with data: and carries the page itself inline rather than pointing at a server. The attackers place the text https://accounts.google.com/ near the start of the data URI so that it fills the visible part of the address bar, followed by padding that pushes the rest out of view; the fake sign-in page is embedded further along in the same URL. Nothing is downloaded to the user's device. Once the credentials are entered they are sent to the attackers, who then have full access to the Gmail account. The check is simple: if the address bar begins with anything other than https://accounts.google.com/, including data:, do not sign in.
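As an added illustration (not from the original article, and not Wordfence's code), the Node.js script below contrasts the substring check most people do by eye ("it contains https://accounts.google.com") with a check that parses the URL and inspects its scheme and host. The sample URLs are constructed for this example; the phishing one is built in the shape described above, a data: URI whose first visible characters are https://accounts.google.com/ followed by padding and an embedded page.

```javascript
// Added example: classifying a sign-in URL by parsing it, versus the naive
// substring check that the data-URI trick is designed to defeat.
// Runs on Node.js (uses the global WHATWG URL class). Not code from the article.

const LEGIT_LOGIN_HOST = "accounts.google.com";

// Constructed sample: what a genuine Google sign-in URL looks like.
const LEGIT_URL =
  "https://accounts.google.com/signin/v2/identifier?service=mail&continue=https://mail.google.com/mail/";

// Constructed sample in the shape of the phishing URL: a data: URI whose
// payload begins with a decoy that looks like the real login URL, then
// enough whitespace to push the rest out of the address bar, then the
// embedded page. The base64 decodes to "<b>fake sign-in page</b>".
const PHISH_URL =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
  " ".repeat(60) +
  "<script src=data:text/html;base64,PGI+ZmFrZSBzaWduLWluIHBhZ2U8L2I+></script>";

// The naive check: "does the address contain the Google login URL?"
// It passes the phishing URL, which is exactly the point of the trick.
function naiveLooksLikeGoogleLogin(url) {
  return url.includes("https://" + LEGIT_LOGIN_HOST + "/");
}

// The proper check: parse the URL and look at scheme and host, not at
// whatever text happens to be visible.
function classifyLoginUrl(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return { verdict: "reject", reason: "not a parseable URL" };
  }

  if (parsed.protocol === "data:") {
    // A data: URI carries the page inline; there is no server and no host,
    // so any "https://accounts.google.com" inside it is just page content.
    return { verdict: "reject", reason: "data: URI (page embedded in the address bar)" };
  }
  if (parsed.protocol !== "https:") {
    return { verdict: "reject", reason: "scheme is " + parsed.protocol + ", not https:" };
  }
  if (parsed.hostname !== LEGIT_LOGIN_HOST) {
    // Catches accounts.google.com.evil.example, accounts-google.com, etc.
    return { verdict: "reject", reason: "host is " + parsed.hostname + ", not " + LEGIT_LOGIN_HOST };
  }
  return { verdict: "ok", reason: "https and host " + LEGIT_LOGIN_HOST };
}

// Roughly what a narrow address bar would show: the first `width` characters.
function addressBarPreview(rawUrl, width = 60) {
  return rawUrl.slice(0, width);
}

// Stand-alone demo (skipped when the file is imported by a test harness).
if (typeof require !== "undefined" && require.main === module) {
  for (const u of [LEGIT_URL, PHISH_URL]) {
    console.log(addressBarPreview(u));
    console.log("  naive check :", naiveLooksLikeGoogleLogin(u));
    console.log("  parsed check:", classifyLoginUrl(u));
  }
}
```

Both URLs show "https://accounts.google.com/..." in the first sixty characters, and the naive check accepts both; only the parsed check sees that one of them has scheme data: and no host at all. The same classifyLoginUrl logic is what a browser extension or a mail-gateway link rewriter would apply before letting a sign-in page load.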
Seeing how this scheme is tricking even tech-savvy Gmail users, there are a few critical steps you can take as an MSP to protect your SMBs' networks from this attack:
Enforce Multi-Factor Authentication
One of the strongest defenses against an attack like this is multi-factor authentication. This security feature requires a second proof of identity, such as a code or prompt on a trusted phone, in addition to the password before a user can sign in to a password-protected platform, including email. If a customer's login credentials are stolen, the attacker cannot get into the account without that second trusted device. One caveat: a phishing page can also ask the victim to type in a one-time code and relay it, so a hardware security key bound to the genuine domain offers stronger protection than SMS or app codes.
If a user at an SMB enters their credentials on the fake Google sign-in page, the attacker gets the password, but it is useless for signing in without the second factor on the user's trusted device (such as a cell phone).
Support BYOD Environments Safely and Securely
Bring-your-own-device (BYOD) environments are common in the workplace, which makes a Gmail phishing attack of this caliber that much more dangerous. With employees accessing personal Gmail accounts on cell phones or in a browser while at work, endpoint protection for every network-connected device is critical: one wrong click or fake sign-on can hand an attacker a foothold on the corporate network.
Ensure your customers have a firewall built to support BYOD environments, one that lets you as an MSP monitor the employee-owned cell phones, tablets and laptops that connect to the corporate network. That way employees can log in or VPN in remotely and reach corporate folders and email while remaining protected.
Set up security policies that monitor those devices and inspect the documents delivered to them, so that a user reaching the network over VPN from a personal tablet gets the same malware protection as a laptop in the office.
Invest in Advanced Protection
Wouldn't it be great if every user who received this Gmail phishing email had advanced threat detection that could open suspicious attachments in a sandbox environment first?
Think of it like detonating a bomb in a controlled space: your customer clicks the attachment in an email to download it, and a download progress bar is displayed. While the progress bar runs, the attachment is sent to a cloud sandbox emulator, where it is opened to determine whether it is malicious. If it is safe, the user sees the progress bar complete and can open the attachment. If not, the admin receives an email alert and the user is told that the file is malicious and cannot be opened. Keep in mind that in the attack described above the "attachment" click leads to a fake sign-in page rather than to a file download, so attachment sandboxing complements URL inspection and multi-factor authentication rather than replacing them.
Of course, it's also important to educate your SMBs on the type of attacks that could affect them directly so they can help you be on the lookout at all times. Having advanced security, paired with multi-factor authentication, arms you and your SMBs with the protection needed to avoid network infections and downtime. But, educated users are your final line of defense.
Screenshots via WordFence