Gmail is usually pretty good at stopping spam from reaching my inbox. When it slips up, it reminds me of just how terrifying the modern internet is.
Early one morning, I received this email from someone I know (details redacted by me).
It came from his email, it has his signature at the bottom. This doesn’t look like someone hijacking his email so far.
I don’t put much stock by “Protected by Antivirus” claims – because they provide no proof that scanning has taken place.
I know you shouldn’t open attachments. But it’s a PDF and Google is showing a plausible-looking preview. It was early in the morning, and I clicked on it.
*sigh* Last night I had factory reset my phone. I was slowly logging back in to all my services. So this screen wasn’t unexpected for me. And, to be honest, I’ve got a bunch of Google accounts and always have to log in and out of them. OK, let’s type in my email…. WAIT! WHAT?
A look at the URL bar shows accounts.googledrive.com.adge.gq. That’s not a Google URL. Had they used something like login.accounts.googledrive.com... it would have been long enough for me not to see the phony adge.gq at the end. I’d almost certainly have clicked through.
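The hostname above is owned by whoever controls adge.gq; everything to the left of that is a subdomain they chose. The following is an added example, not part of the original post, of a check a mail filter or link previewer could apply. The trusted list, the brand tokens and the short suffix set standing in for the Public Suffix List are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains on which a Google sign-in page is expected.
TRUSTED_DOMAINS = {"google.com"}
# Assumption: brand words that should only appear under a trusted domain.
BRAND_TOKENS = ("google", "gmail")
# Constructed, partial stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the label just left of the public suffix, plus the suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, owning domain) for a link.

    verdict is 'trusted', 'lookalike' or 'unrelated'.
    """
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    # A brand word in the hostname while someone else owns the domain.
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike", domain
    return "unrelated", domain


if __name__ == "__main__":
    # Constructed sample links; only the second hostname is from the post.
    samples = [
        "https://accounts.google.com/",
        "http://accounts.googledrive.com.adge.gq/",
        "https://example.org/",
    ]
    for link in samples:
        verdict, owner = classify(link)
        print(f"{verdict:10} owner={owner:12} {link}")
```

A production check would load the full Public Suffix List rather than the two-entry set used here.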
The rest of the page is a pixel-perfect recreation of the Google login page. With the exception of the “email provider” choice. If I’d have been less awake, I’m fairly sure I’d have fallen for this.
I put in a fake email just to see what would happen.
Asking for a password – thankfully, the scammers didn’t use Gravatar to show the user a picture of themselves.
I put in a fake password – and got this extraordinary attempt to phish my details.
ARGH! Trying to steal yet more information. That’s a realistic error message. I’m used to seeing asterisks blocking out my sensitive details.
If you fell for this, you’ve given up your email and password – no doubt used to send more spam – and opened yourself up to a barrage of scam phone calls claiming to be from your “email provider”. If you reused your password with any other service – like your phone provider – your entire online identity is at risk of compromise.
I know what you’re thinking. I should never have clicked on that link in the first place. I am usually quite security minded. In fact, before clicking on it, I long-pressed on the link so that Google could show me its destination.
Even a vigilant user gets no protection here from Gmail.
Today these criminals were unlucky. But they only have to be lucky once. Users will have to be lucky always.