Security researchers have identified a “highly effective” phishing scam that’s been fooling Google Gmail customers into divulging their login credentials. The scheme, which has been gaining popularity in the past few months and has reportedly been hitting other email services, involves a clever trick that can be difficult to detect.
Researchers at WordFence, a team that makes a popular security tool for the blog site WordPress, warned of the attack in a recent blog post, noting that it has been “having a wide impact, even on experienced technical users.”
Here’s how the swindle works. The attacker, usually disguised as a trusted contact, sends a boobytrapped email to a prospective victim. Affixed to that email, there appears to be a regular attachment, say a PDF document. Nothing seemingly out of the ordinary.
But the attachment is actually an embedded image that has been crafted to look like a PDF. Rather than reveal a preview of the document when clicked, that embedded image links out to a fake Google (GOOGL, +0.31%) login page. And this is where the scam gets really devious.
