If your employees are users of Google Chrome and/or Mozilla Firefox, your network could be vulnerable to a unique phishing attack targeting the two most widely-used browsers in the world. Several media outlets are covering the uniform resource identifiers (URI) exploit, which Google Chrome and other web browsers utilize in order to display data.
This attack, which is difficult to identify via traditional methods, allows cybercriminals to gain access to Google Play, Google+ and Google Drive. This means that any sensitive information stored within each of those areas is up for the taking. In the case of Google Play that means credit card information. In the case of Google Drive, that means a considerable amount of potentially highly sensitive data.
Other brands have also been spoofed recently using the same browser display vulnerability. On May 8, 2014, PhishMe’s phishing intelligence analysts noticed a quirk in Chrome. When viewing an eBay Canada spoofed login page in Chrome, the only text displayed in the browser address bar was the word “data:” as shown in the image below:
That phishing attack was utilizing what is known as the Data URI Scheme to encode the entire source code of the phishing page into the address bar. As can be seen in the next screenshot; however, Firefox displays the Base64 encoding in the address bar, which a security-savvy user would be more likely to notice.
The second and third steps of the eBay Canada phishing attack were also carried out using the Data URI Scheme. As the victim was enticed to enter more of their personally identifying information, the attacker presented page after page of spoofed eBay pages, eventually collecting the victim’s eBay user ID, password, full name, address, ZIP code, mother’s maiden name, date of birth, credit card number, CVV code, and card expiration date.
The Google account phish in the news also uses the Data URI Scheme. The Google phishing attack was reportedly initiated via an email message in which the attackers posed as Google with the subject “data notice” or “new lockout notice.”
These phishing scams play on users fears that they are being targeted by cybercriminals, yet responding to those very attacks results in them giving their sensitive information to the attackers. The use of the data URI scheme makes these phishing scams easy to identify, but only if users know what to look for.
In the case of the eBay Canada phishing attack, the word ‘data’ may arouse suspicion, but would that suspicion be enough for the user to recognize that this was in fact a scam? For many employees, Base64 encoding displayed in the address bar may not even be noticed. Unless employees are trained to recognize these signs of phishing attacks, there is a high chance that they may be fooled. That doesn’t just mean that they will be handing over their eBay credentials. Many phishing attacks on businesses are conducted to obtain sensitive business login credentials.
Would your employees be able to identify phishing scams like these? Do you provide training to ensure that ALL of your employees are aware of these indicators of a phishing attack? Do you test that knowledge to see whether it has been taken on board and is being applied?