Why you need MFA now: Gmail phishing scheme prepends URL with working script data
Imagine waking up one morning to discover your email address and current password have been plastered onto a billboard on the side of a major highway. It's a bit improbable, I know, but play along.
For some of you, that would be the end. Anyone could paw through your email history, steal personal identifying information, run password resets for other sites, and generally wreak untold havoc.
But, for others of you, the billboard would be a mere annoyance. You'd pick a new password and go on with your day. Nobody would have gotten into your account, your identity information would be safe, and havoc would remain unwreaked.
What is the difference between these two scenarios? Why would some people with exposed email addresses and passwords be hacked, attacked, smacked, and wracked -- and why would others just merely be annoyed?
Multi-factor. It's not just a compound word. It's a defense strategy. The idea is this: In addition to something you know (your email ID and password), logging in requires something you have, or something you are. Usually, that's something like an authentication key generated by your phone, or a fingerprint.
When you use multi-factor authentication, you're requiring an additional factor beyond user name and password.
With that, I'm going to tell you about a new way some bad guys are phishing for authentication information. These nasty folks are trying to trick users out of their user IDs and passwords. And, in a lot of cases, they're succeeding. The trick is relatively subtle, so even the most aware users might be tricked into falling for the ruse.
See also: Password security: The one simple step pros use to lock down their accounts | Keep your Microsoft account secure with 2-factor authentication | How you can use two-factor authentication to protect cloud services | How to use Google two-factor authentication
The big phish
This particular hack was brought to my attention by Mark Maunder of Wordfence, a security plugin for WordPress. Mark cites some work by Tim Ruffles on Gist.
This is a Gmail hack. It starts with an email you get from a friend, who was hacked earlier, and is now a link in a chain of hack forwarders and victims. The email looks legitimate, and even includes an attachment that's appropriate to be coming from that sender.
For example, at the end of the message might appear to be a Word document that is something you previously sent to a co-worker for review. It might be a PDF of something you and the sender have been discussing. It might be an image.
The point is, the attachment sent to you is credible. That's because the hackers have already been in the sender's email account, processed the mail in there, and determined what attachments connect you and the sender. This is social engineering on an automated level.
The thing is (you've already figured this out, haven't you?) the attachment isn't legitimate. Clicking on it opens what appears to be a Google sign-in page, ostensibly because you need to verify your identity before viewing the attachment.
We've all had to do this before, so it's a pretty sneaky approach. I know that I regularly get links from work that require me to login first, before I can see the shared Google Drive page for a specific project. It's like that.
So you're now on a page that looks like a Google sign-in page. Ah, but you're no babe in the woods, are you? You know to check the browser address bar to see if the URL is legitimate. Here's where the subterfuge really kicks in.
As the following image shows, the location bar does, in fact, show accounts.google.com in the URL.
It's possible to embed an entire script using this format.
Notice the "data:" string that prepends the accounts.google.com address? That actually makes the entire link into something called a Data URI, which is a standard way to embed file content inline in a URL. It is actually part of the published RFC 2397 from the Internet Engineering Task Force, dating back to simpler times, the late 1990s.
So, yeah, this exploit is not actually an exploit. It uses a legitimate capability of browsers, albeit one that should have been disabled more than a decade ago.
Why we fall for the trick
Maunder wrote extensively in his blog post about why people are falling for this trick. After all, while the accounts.google.com address is in the address bar, it's not as though the "data:text/html," is not visible. But, argues Maunder, it might as well be.
He contends we've become used to seeing either a green https image:
Green is good.
Or a red X, telling us that a page is insecure:
Red is bad.
His premise is that this exploit creates a URL zone that is normal, not highlighted by either green or red symbols. As such, we just ignore it and go about our business, never really looking carefully at what's prepending the address where we're being asked to enter our credentials.
I think he has a point. We are definitely creatures of habit when it comes to our surfing practices. We jump between hundreds of sites on a given day and don't spend time considering each site. We've developed muscle memory that helps us notice changes (green and red, for example), but without those flags, we might just go on, clicking and filling in our information.
In his blog post, Maunder links to two very interesting discussions on this:
- Proximity, Uniform Connectedness, and Good Continuation
- Content blind spots - thoughts from a usability test
The bottom line: MFA for the win
What is the lesson you should take away from all this? Well, first, some people out there are nasty. Others, like Maunder and Ruffles, are trying to keep us safe. Big thanks to them.
But the bottom line is that you must -- must, must, MUST -- use multi-factor authentication. I know it's a pain. I use my MFA tools probably 20 or more times a day because most resources I use don't support SAML. But MFA will, at least for this generation of hacks, help to keep you safe.
As the late, great Sergeant Phil Esterhaus said in Hill Street Blues, "Hey! Let's be careful out there."
Video: Using two-factor authentication can protect your cloud accounts
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.