WARNING: A scam involving Google and clever programming sleight-of-hand has hit the scene. It’s not entirely new (a prototype showed up in 2014), but it fools many professionals. Apologies in advance for the technical parts below.
A new month, a new scam, this one brought to our attention by a reader. Although widely reported, this scam hasn’t shown up in the ACM Risks Digest yet. Surprise: the scheme starts in your Gmail, where a note from a friend or colleague contains a link to another page or document. You click and receive a message that you must log in again. That happens every so often; it’s annoying, but you sign in again for the sake of security.
A Google log-in page shows up, and the URL field (the web page address) contains google.com. Enter your name, enter your password. Click. The document your compatriot sent now appears.
You may not know it, but you just lost exclusive control of your Google account. Your pal didn’t send that email and the link was plucked out of your emails.
Let’s look at the sign-on dialogue boxes again. Which one is counterfeit? Hover your mouse over them for the answer, but the fact is, they’re indistinguishable.
The insidious part is that email web sites, Yahoo and AOL included, train us by periodically forcing us to log in again. Hold on… didn’t the URL box contain google.com?
Yes. Over the years we’ve seen clever fraudsters incorporate target domain names similar to this:
The trick here is that the real domain, the web address the bad guys actually control, is w5.to. The google.com part is only the name of a web page on that site, put there to fool you. Other examples might look like the following:
This is a variation on the bad guys’ domain, w5.to, above.
Here the bad guys registered a variation of the real name, made a little easier because CitiBank itself uses a non-standard spelling. These three examples are reasonably clever, and some scammers don’t take that much trouble. However, this new one can catch even professionals by surprise:
The clue that something is very wrong lies in the opening characters of the address, data:text/html: you shouldn’t see that at all. The opening letters of a URL don’t have to be http; they can be file, data, help, about, chrome, gopher or possibly another protocol, but ‘data’ is the only hint that the page is abnormal.
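The checks the article asks you to make by eye (what scheme does the address start with, and which domain does the browser actually talk to) can be written down. The short Python program below is an added example, not code from the original article: it splits a pasted address the way a browser does, reports the real domain, and flags the three shapes discussed above: google.com appearing only as a page name on w5.to, google.com appearing only as a subdomain label in front of w5.to, and an address that is not served by any web site at all because it begins with data:. The sample addresses are constructed for illustration (w5.to is the decoy domain the article names; the data: sample carries only a harmless placeholder), and the "last two labels" rule for the real domain is a deliberate simplification that ignores multi-label suffixes such as co.uk.

```python
"""Report what a pasted address really points at (added example, not from the article)."""
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'google.com.w5.to' -> 'w5.to'.

    Simplification: real public-suffix handling (co.uk, com.au, ...) needs a suffix list.
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess(url, expected="google.com"):
    """Return (verdict, reasons) for an address the user is about to type credentials into.

    verdict is one of 'ok', 'suspicious' or 'not-a-web-page'.
    """
    parts = urlsplit(url.strip())
    # A bare address like 'www.example.com/login' is treated as http by the address bar.
    if not parts.scheme:
        parts = urlsplit("http://" + url.strip())

    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # hostname drops any port and user@ prefix
    reasons = []

    # Anything other than http/https is not a page fetched from a web server; a data:
    # address in particular carries the whole page inside the address bar itself.
    if scheme not in WEB_SCHEMES:
        reasons.append(f"scheme is '{scheme}', not http/https: no web site is serving this page")
        return "not-a-web-page", reasons

    domain = registrable_domain(host)
    if domain == expected:
        return "ok", [f"real domain is {domain}"]

    reasons.append(f"real domain is {domain}, not {expected}")
    if expected in host:
        reasons.append(f"'{expected}' appears only as a subdomain label in front of {domain}")
    if expected in parts.path:
        reasons.append(f"'{expected}' appears only in the path, i.e. as a page name on {domain}")
    return "suspicious", reasons


# Constructed sample addresses for the shapes the article describes.
SAMPLES = [
    "https://accounts.google.com/signin",           # genuine shape: real domain is google.com
    "http://w5.to/google.com/login",                # google.com is just a page on w5.to
    "http://google.com.w5.to/login",                # google.com is a subdomain label of w5.to
    "data:text/html,%3C!--%20constructed%20placeholder%20--%3E",  # no web site at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reasons = assess(sample)
        print(f"{verdict:15} {sample}")
        for reason in reasons:
            print(f"                 - {reason}")
```

Run it as a script to see each sample classified with its reasons; the point of the second and third samples is that the same text, google.com, is present in the address bar yet the real domain the browser connects to is w5.to in both cases.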
Expect Google to mount an update quickly, but beware: look ever more critically at URLs when you’re asked to type in your credentials. It might save your on-line life.