22 January 2017

Yet Another Computer Scam

by Leigh Lundin

WARNING: A scam involving Google and clever programming sleight-of-hand has hit the scene. It’s not entirely new– a prototype showed up in 2014– but it fools many professionals. Apologies in advance for the technical parts below.

A new month, a new scam, this one brought to our attention by a reader. Although widely reported, this scam hasn’t shown up in the ACM Risks Digest yet. Surprise– the scheme starts with your GMail, where a note from a friend or colleague contains a link to another page or document. You click and receive a message that you must log in again. It happens every so often; annoying, but you sign in again for security.

[image: false URL]

A Google log-in page shows up– the URL field (web page address) contains google.com. Enter your name, enter your password. Click. The document your compatriot sent now appears.

You may not know it, but you just lost exclusive control of your Google account. Your pal didn’t send that email and the link was plucked out of your emails.

Let’s look at the sign-on dialogue boxes again. Which one is counterfeit? Hover your mouse over them for the answer, but the fact is, they’re indistinguishable.

[image: fake sign-in box]
[image: real sign-in box]

The insidious part is that email web sites– Yahoo and AOL included– train us by periodically forcing us to log in again. Hold on… didn’t the URL box contain google.com?

Yes. Over the years we’ve seen clever fraudsters incorporate target domain names similar to this:

http://w5.to/google.com

The trick here is that the real domain, the bad guys’ web address, is w5.to. The google.com is only a web page on that site, set up to fool you. Other examples might look like the following:

http://citibank.net.w5.to/index.html

This is a variation of the bad guy’s domain, w5.to, above.

http://citybank.net

Here the bad guys registered a variation of the real name, made a little easier by CitiBank’s use of a non-standard spelling. These three examples are reasonably clever, and some scammers don’t take that much trouble. However, this new one can catch even professionals by surprise:

data:text/html,https://accounts.google.com/ServiceLogin

The clue that something is very wrong lies in the first three words, data:text/html – you shouldn't see that at all. The opening letters of a URL don’t have to be http – they can be file, data, help, about, chrome, gopher or possibly another protocol, but ‘data’ is the only hint that the page is abnormal.

Browsers have become more sophisticated over the years, so web pages might include additional capabilities such as setting preferences. The ‘data’ keyword allows HTML to be embedded in the URL field, but more insidiously, it allows JavaScript, and that’s how this particular exploit fools us. Following the ServiceLogin part of the URL are dozens upon dozens of spaces so you can’t see what comes next. Far beyond the right side of that URL field is where the real sorcery begins with <script…>. This malware program throws up a fake Google sign-in page to capture your ID and password.
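As an added illustration (not part of the original post), here is a set of link checks a cautious reader or mail filter could run before trusting a sign-in page. It flags the tricks described above: a data: URL in the address bar, a long run of spaces hiding the tail, an inline script, a brand name sitting in the path or as a subdomain of somebody else’s domain (the w5.to examples), and a one-letter look-alike such as citybank. The trusted-domain list and sample URLs are assumptions constructed for the example.

```javascript
// Link checks modelled on the tricks in the post: a data: URL in the address
// bar, a run of spaces that pushes the payload out of view, an inline <script>,
// a brand name used as a path or subdomain under someone else's domain, and a
// look-alike domain. The trusted-domain list is assumed for the example.
const TRUSTED_DOMAINS = ["google.com", "citibank.com"];

// Naive "registrable domain": the last two labels. Real code should consult
// the public-suffix list (co.uk and friends need three labels).
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Edit distance, used to catch one-letter look-alikes such as citybank.
function levenshtein(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Returns the reasons a link looks like a credential-phishing page. An empty
// list means no heuristic fired, which is not proof that the link is safe.
function suspiciousUrl(raw) {
  const reasons = [];
  let url;
  try { url = new URL(raw); } catch { return ["not a valid URL"]; }
  if (url.protocol === "data:") reasons.push("data: URL in the address bar");
  if (/[ \t]{16,}/.test(raw)) reasons.push("long run of spaces hides the rest of the URL");
  if (/<script/i.test(raw)) reasons.push("inline <script> in the URL");
  if (url.protocol === "http:" || url.protocol === "https:") {
    const host = url.hostname.toLowerCase();
    const domain = registrableDomain(host);
    if (!TRUSTED_DOMAINS.includes(domain)) {
      for (const trusted of TRUSTED_DOMAINS) {
        const brand = trusted.split(".")[0];
        if (host.includes(brand)) {
          reasons.push(`"${brand}" appears in the host but the real domain is ${domain}`);
        } else if (url.pathname.toLowerCase().includes(brand)) {
          reasons.push(`"${brand}" appears only in the path; the site is ${domain}`);
        }
        if (levenshtein(domain.split(".")[0], brand) === 1) {
          reasons.push(`${domain} is one letter away from ${trusted}`);
        }
      }
    }
  }
  return reasons;
}
```

Run `suspiciousUrl(...)` on the four addresses quoted in the post and only the genuine accounts.google.com sign-in page comes back with an empty list.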

Expect Google to quickly mount an update, but beware, look ever more critically at URLs when you’re asked to type in your credentials. It might save your on-line life.

8 comments:

O'Neil De Noux said...

Thanks for the information. google and yahoo are both serious pains in the ass. They repeatedly ask me to sign into my account. When I try to market a new book and send a series of emails to readers, yahoo freezes my account saying I'm a suspected spammer and I have to prove I'm not. Even my edu account with the university, which never blocks me, is google. I'm lucky to be alive.

Eve Fisher said...

The scammers never, ever, ever stop. Thanks for the info, Leigh - we all need this!

Leigh Lundin said...

O'Neil, the bad guys have turned a security 'feature' into a wedge to get inside machines. I've asked myself if it would have fooled me. The answer is I'm not certain. I grow used to those random requests to log in again and if I wasn't watching the URL, it might have nailed me.

Eve, you're right. They will never stop. I regret posting so many warnings, but they just keep coming.

By the way, I apologize if parts appear too technical. It's tricky writing tech for a broad audience.

O'Neil De Noux said...

What the tech guy at the university tells me is never do what any email says about your account. Log out. Log back into google or yahoo and do it through them. Never go to a link in an email. And change your passwords often. It's aggravating.

R.T. Lawton said...

Leigh, keep the warnings coming. A little paranoia is a healthy thing these days.

B.K. Stevens said...

Thanks for the warning, Leigh. I won't claim I understood all the details, but I'll take it as a general reminder to be wary of requests to sign in again.

Leigh Lundin said...

O'Neil, that flat out is the best advice, never click on a link in email, especially if it's your bank or credit card company. Always go to your own bookmarks or type in the address manually so you know it's good. Responsible companies don't put log-on links in their emails.

Thanks, RT. I need the encouragement!

Bonnie, I'm glad if I can help. It's a terrible feeling to get burned, so I always recommend caution and backups, backups, backups.

A Broad Abroad said...

Wishful thinking, but if only the considerable brain-power required to concoct the scams were put to good use... (sigh)

Thanks for the heads-up. We have been warned. En garde!