
The closest I've ever come to falling for a Gmail phishing attack - kukx
https://twitter.com/tomscott/status/812265182646927361
======
jhardcastle
Sysadmin at a school: we use GMail for our students and faculty, and we got
hit by this hard right before the holiday break. Three employees and a handful
of students all got hit by the attack within a two hour period. It's the most
sophisticated attack I've seen. The attackers log in to your account
immediately once they get the credentials, and they use one of your actual
attachments, along with one of your actual subject lines, and send it to
people in your contact list.

For example, they went into one student's account, pulled an attachment with
an athletic team practice schedule, generated the screenshot, and then paired
that with a subject line that was tangentially related, and emailed it to the
other members of the athletic team.

They were using bit.ly to obscure the address (in Russia). We had to take our
whole mail system down for a few hours while we cleaned it up.

~~~
colinbartlett
Requiring 2-factor auth would prevent this from being exploitable, right?
Probably impossible in a school environment but in an enterprise situation,
more palatable perhaps.

~~~
Jarwain
My school is actually rolling out optional 2-factor auth. I'm not a fan of the
system they use^, but it's neat that a University is taking advantage of some
security best practices.

^Instead of using "standard" 2-factor that generates a code on-the-fly within
an app like GAuth or Authy, users receive a text message with 10 codes. The
first digit of every code increases sequentially (0972, 1042, 2512, etc.), must be
used in that order (0 code on first login, 1 code on second, etc.), and the
page informs the user which number they're on.

~~~
jonoberheide
Sorry to hear about your experience, Jarwain!

Duo offers a choice of authentication methods, depending on the usability and
security requirements of your application or organization.

Duo Push is actually one of the easiest (and most secure) authentication
methods, as one of the commenters pointed out:

[https://www.youtube.com/watch?v=tPLxe9HUDjY](https://www.youtube.com/watch?v=tPLxe9HUDjY)

It might be worth pinging your IT/security dept to ask about enabling Duo Push
as an option or to change the policy for SMS passcodes (eg. you can just have
one passcode sent instead of ten).

\- Jon Oberheide, Co-Founder & CTO @ Duo

~~~
Bamberg
Duo does work as advertised, and my uni uses it, but the privacy policy allows
for a lot of personal data collection.

tldr: "Duo Security does not sell, rent, or trade and, except as described in
this Privacy Policy, does not share any Personal Information with third
parties for their promotional purposes." But Duo still collects A LOT of data
on you.

From the policy: "Device-Specific Information: We also collect device-specific
information (e.g. mobile and desktop) from you in order to provide the
Services. Device-specific information includes:

attributes (e.g. hardware model, operating system, web browser version, as
well as unique device identifiers and characteristics (such as, whether your
device is “jailbroken,” whether you have a screen lock in place and whether
your device has full disk encryption enabled)); connection information (e.g.
name of your mobile operator or ISP, browser type, language and time zone, and
mobile phone number); and device locations (e.g. internet protocol addresses
and Wi-Fi). We may need to associate your device-specific information with
your Personal Information on a periodic basis in order to confirm you as a
user and to check the security on your device."

The policy continues to state that Duo may use this data for
analytic/advertising purposes (although only in-house) as well as to comply
with legal requests, subpoenas, NSLs etc.

Duo isn't collecting your data for nefarious purposes or to sell it to other
companies but they still are collecting A LOT of it. Other two factor methods,
like the ones used by Google and Facebook, allow clients to install their own
code generators that don't collect personal data or even need access to the
internet. Of course these methods don't have push requests that you can just
approve rather than type in the code.

~~~
tripzilch
also, if it's a US company and it ever goes bankrupt/sells its assets, third
party buyers aren't bound by any privacy policy whatsoever. yes, this is crazy
and it means US privacy policies are basically meaningless; best just don't
give them your data, but what can you do. personally I believe that collecting
the data and pretending a privacy policy makes it okay, is nefarious by itself
already.

------
timruffles
I reported this back in March 2016, and Google said it was not an issue.

Analysed whole attack here:
[https://gist.github.com/timruffles/5c76d2b61c88188e77f6](https://gist.github.com/timruffles/5c76d2b61c88188e77f6)

This was the response I got:

> The address bar remains one of the few trusted UI components of the browsers
> and is the only one that can be relied upon as to what origin are the users
> currently visiting. If the users pay no attention to the address bar,
> phishing and spoofing attacks are - obviously - trivial. Unfortunately that's
> how the web works, and any fix that would try to e.g. detect phishing
> pages based on their look would be easily bypassable in hundreds of ways.
> The data: URL part here is not that important as you could have a phishing
> on any http[s] page just as well.

~~~
IshKebab
Ah the classic "ugh. we don't want to have to fix this, so here are some
bullshit technical reasons why it's impossible and a bad idea".

~~~
elastic_church
yeah but we all do this everyday to the designers

------
scandox
Had the same exact experience in August.

Amazing thing was I KNEW the email was phishing. I was asked to look at it by
someone internally who was suspicious. I forwarded it to a Gmail account I use
for dodgy items. I fired up a VM and logged in to the Gmail account. I looked
at the email. I briefly examined the raw message (too briefly). Then I clicked
on what I still thought was a Google Drive attachment.

My first thought was "oh I've been logged out of Gmail for some reason". I was
just about to login again when I decided to double check the URL and finally
saw what was going on.

I think most normal users would be very vulnerable to this. It's very subtle.
Luckily the guy in accounts is paranoid.

~~~
ericleung
The scariest part is that you knew that there was something suspicious and
still [almost] got phished. There's no reason to believe anyone (technical or
not) that wasn't looking out for something suspicious would have possibly
avoided the attack.

Pretty nasty phishing attempt, way more subtle than past attacks.

------
frogfuzion
I think it's naive to believe that even the most tech savvy are immune to
phishing. People get tired, hurried, stressed - and during those moments
anyone's guard can be let down.

~~~
cyberferret
Yes - I am vigilant to almost a paranoid level, but one day a phishing email
came from "Australia Post" purporting to be a missed delivery notification on
a day that I was expecting a delivery and thought I had missed the driver.

I was in a hurry, and frustrated and was a millisecond away from clicking the
link when some gut feeling told me that something was not right. Closest I've
come to date, and it worried me.

EDIT: Sorry, I meant to respond to @soneca below, as this relates to phishing
emails arriving with impeccable timing...

------
slazaro
The only two things that I think could have prevented me from falling for this
is: I don't have images loaded by default for unknown senders, and LastPass
wouldn't match the domain and therefore wouldn't show the button to
autocomplete on the password box.

Depending on how observant I'd be at the moment, I might check the URL bar and
see something fishy. But I could fall for this, which is worrying.

~~~
mike-cardwell
"I don't have images loaded by default for unknown senders"

Does this just prevent the display of images which require fetching from a
remote URL, or does it also include images which are embedded in the email as
attachments?

~~~
hobarrera
Aside from the fact that this was not an external image, it was also emails to
him by a friend.

------
dvh

        <a href="data:text/html,valid_looking_url    <script src=data:text/html;base64,YWxlcnQoMTIzKQ==></script>">clickme</a>
    

Or if you want to reproduce it console:

    
    
        a = document.createElement('a');
        a.href = 'data:text/html,valid_looking_url    <script src=data:text/html;base64,YWxlcnQoMTIzKQ==></script>';
        a.textContent = 'clickme';
        a.style.position = 'fixed';
        a.style.left = 0;
        a.style.top = 0;
        a.style.zIndex = 9999;
        document.body.appendChild(a);
    

The "valid_looking_url" will appear in document but it can be hidden from page
by script or made transparent using css

------
xmodem
Thanks for sharing this - this is fiendishly clever. Even with all the
investment in infosec, we're still woefully unprepared to deal with this type
of attack. We need to start thinking about new approaches to protect users.

~~~
mike_hearn
It's a hard problem but the industry isn't doing as much as it could do.
There's low hanging fruit that has gone unharvested for years at most big
companies.

1\. Reform the browser address bar. Safari does this right. Chrome, IMHO
shamefully, does not. The address bar is completely ignored by a large
fraction (I've read it's about 25%) of users because it's full of meaningless
technobabble. These users navigate _entirely_ by sight. Weak sauce changes
like making some of it light grey instead of black makes no difference. The
usability nuclear holocaust that is the browser address bar is in my view THE
leading cause of phishing because it's rendered users unable to identify _who_
they are talking to when they submit data via the web. The address bar should
show the domain name _only_, or the EV identity when that's present, and the
browser industry should adopt practices to push usage of EV SSL everywhere.
Only EV SSL is a feasible approach to get the actual, legal, verified identity
of a server operator on the users screen in a reliable and scalable way.

2\. The big networks need to lead by example and adopt EV SSL, see above.

3\. Kill re-authentications dead. Google was talking about this internally
around the time I was working on the account system there, but I don't recall
if they ever did it. For as long as web sites routinely ask users to re-
authenticate at seemingly random times users will type their password into any
page that looks right without thinking. Only by making authentication a very
rare event can you start to convince users to take more care over checking the
site origin. I think Facebook has got this right: I don't think I'm ever asked
to sign in to Facebook unless I'm using a new device, but lots of websites
don't.

4\. Teach UI/UX designers about the dangers of designing user interfaces where
attacker controlled content isn't strongly visually separated from system
controlled content. In this era of personalisation and theming there's really
no reason why things like the Gmail attachment icon needs to be placed right
next to the content of an email with the same generic white background as
attacker controlled content. Give it a semi-transparent background and set
users up with a wallpaper-esque theme by default and it gets a lot harder to
put things in a message that look like UI widgets.

~~~
thomasahle
> 1\. Reform the browser address bar. Safari does this right. Chrome, IMHO
> shamefully, does not. ... The address bar should show the domain name only,
> or the EV identity when that's present,

Chrome on Android does this. And it's extremely annoying. Since mobile
browsers (and desktop browsers with tabs) usually don't show the title of
pages, the address bar is the only place to tell e.g. what Wikipedia page
you're currently reading.

You are probably correct, that it's a win for security, but I wish it could be
turned off.

~~~
mike_hearn
Wikipedia pages have the title at the top of the page.

In practice, the sort of users who complain about such things are in my
experience the sort who also have dozens of tabs open, which smushes the title
down to just a few characters. Heck even when there's space in the tab bar
Chrome won't allocate more than a few cm of space on screen to showing the
title. HTML titles are pretty much a dying thing anyway, so given the ongoing
pain caused by phishing I wouldn't hesitate to pull the plug on them.

~~~
thomasahle
On mobile, scrolling to the top of a Wikipedia page can be 20 screens or more.
After that it's a lot of work going back to where you were. Many news sites
are similar.

~~~
eridius
You could just pop open the tab view, so you can see the page title.

------
sly010
There is also a password alert chrome plugin by google [0].

If you ever enter your google password on any domain other than
accounts.google.com, it will immediately alert you and give you a link to
change your password. It can handle multiple passwords too if you have
multiple google accounts.

[0] [https://chrome.google.com/webstore/detail/password-alert/noondiphcddnnabmjcihcjfbhfklnnep](https://chrome.google.com/webstore/detail/password-alert/noondiphcddnnabmjcihcjfbhfklnnep)

~~~
SamBam
It sounds like the attackers got in almost instantly -- presumably they logged
in via script, not a human. Changing your password at that point would
probably be like closing the stable door after the horse has bolted.

Still useful, I guess, because it lets you know immediately what's up, so you
can send out emergency emails to your contacts.

~~~
sly010
The plugin actually alerts you the moment you press down the last key on your
keyboard, before you could even press enter, so you don't even get a chance to
submit the password.

But even if you assume at that moment the attacker has your password... I had
seen gmail takeovers live and Google's authentication system allows you to
recover an account even after it was taken over as long as you still have the
old methods of authentication and you are within an unspecified timeframe.

Of course you will have to spend the day cleaning up your email filters and
apologizing to all your contacts, but at least you will have your account back.

------
blauditore
As a side note, it looks like this couldn't have happened with an external
mail reader like Thunderbird. Even when targeted to that and mocking some
other UI element, clicking the link would open a browser window and reveal the
fraud, at least to power users.

I'm not advocating against web-based mail readers, simply because it's not
always possible or practical to use external ones. But it seems security is
harder to implement because everything is "made of the same parts", i.e. a
web-based mail displayed in a web-based application, opening links in the same
(browser) window.

------
gushie
I'm surprised that with Google's image detection technology that Gmail doesn't
do image recognition on images with links where the image look like popular
document attachment, and send them to spam. Or perhaps they do but the
phishers are able to evade it.

~~~
jhardcastle
They aren't using popular attachments. They are using customized attachments
from the actual compromised sender. I commented elsewhere in the thread, but
once they gain your credentials, they will go into your account to get one of
your attachments, and then email a screenshot of that to your contacts, some
of whom may have already seen _that_ attachment.

~~~
pcl
Sure, but the chrome around the image is still "trusted attachment" chrome.

I get it that the browser ppl will say only their chrome is trusted, but when
someone is using your app, your app's internal ui affordances receive that
same level of trust in your users' minds.

------
rerx
Once I almost fell for an extremely well made Paypal-phishing mail. It was
late at night and I had just made a purchase via Paypal at a very small web
shop. The timing was so perfect to catch me off guard that I am certain that
site had been broken into to gather my email address.

------
ronnier
My rule for gmail... I type gmail.com then log in. That's the only path I take
to log in. I never click a link and log in, etc. really I do this for most
sites I use.

~~~
kinkrtyavimoodh
What do you do for "Sign in with your Google Account" situations?

~~~
qntty
I personally never sign in with a google (or any other) account, I always sign
up for new accounts with my email.

------
rovek
I'd be really interested to see the increased success rate. Even if the most
tech-savvy weren't fooled (I'm not so sure), I would be surprised not to see a
vast increase from your average misspelled ecommerce phishing email. Shame
those crooks don't practise open data.

------
jfoldager
That is very well done. I only see people suggesting 2-factor auth as a
remedy, but I guess any password manager would work as well. You wouldn't even
get to the point of compromising your password.

I use 1password, which will only fill in the password associated with the
current domain.

------
new299
I guess it's an arms race, but I would guess there are a few potential ways to
mitigate against this:

1\. Watermark all images on the in-email preview.

2\. You should be able to design a mail scanner which would detect images that
look too much like gmail elements and flag them.

~~~
jpl56
Yes! They do it for banknotes (it's impossible to scan or xerox them). They
could do it in the same way for login pages!

------
zbuf
The problem here is monopoly, or mono culture.

The whole world is, basically, using one email client. The lack of diversity
means a well written scam like this spreads easily.

I can say for certain I'd never fall for this scam -- because it looks like
crap in Pine. I know I'm special, but the same applies to Thunderbird, or
whatever.

There's probably a parallel to biology here. Let's get diversity back in our
internet culture and with it resistance; scams like this will be harder to
convince and much less likely to spread. Hopefully removing some of the
incentive, too.

~~~
twostoned
I have been reading the comments wondering if this was a specific GMail
webmail thing. I'm guessing that using IMAP or POP3 through an email client
will make this harder? I'm by no means without risk but I rarely use the GMail
web-client so wasn't sure exactly what the scam was

------
camus2
> The problem doesn't get better until we destigmatize it.

Absolutely, it can happen to anyone. I'm sick of people here or on other
forums who do some victim blaming, calling phishing victims "idiots". It's not
going to solve the problem. And often Gmail or Chrome teams dismiss these kind
of issues.

I had to revert to the html version of Gmail because I was sick of all the
phishing attempts and disable images in the client.

------
jmbmxer
As a security professional, I'm wired to loathe shortened links. This is a
great example and exactly why I created a little hobby Chrome extension to
expand all shortened links for inspection -
[https://unshorten.link](https://unshorten.link)

------
_wdh
That's scary. Would having 2FA enabled on your Gmail account protect you from
this kind of attack?

~~~
mike-cardwell
Depends on the type of 2FA. If it's using U2F, then you'd be fine as that is
tied to the domain name of the site you're on, but if it's using TOTP/HOTP
(i.e. Google Authenticator), and the phishing site asked you for your 2FA
code, and you gave it, then you would still be successfully phished.

~~~
thomasahle
Is the difference here that TOTP/HOTP is entered by the user, while U2F is
entered automatically?

~~~
mike-cardwell
Yes. With U2F the recipient of the token is verified by a machine. With
TOTP/HOTP it is verified by the user looking at the browser address bar.

------
scardine
Almost fell for another clever one today:
[https://medium.com/@scardine/clever-phishing-scam-of-the-day-225ac70f0c21#.1em2rcyd2](https://medium.com/@scardine/clever-phishing-scam-of-the-day-225ac70f0c21#.1em2rcyd2)

~~~
eridius
What's the point of that one? Just hoping that the user selects the same
security questions and/or password as their google account?

------
martin-adams
I nearly fell for this attack if it weren't for my email address on the fake
Google login not being autofilled. That made me then look at the URL, and my
ultrawide monitor revealed a cunning URL that had some white space padding to
hide the real URL.

------
greenspot
Always smiled at phishing scams but this scares the hell out of me, so I just
headed to Google to setup 2-factor authentication.

How is your experience?

I understood that I can register specific machines not to use 2-factor, so if
I lose my phone I can still log in. Anything else to consider?

~~~
martin-adams
You can create application specific passwords, but I don't know if you can log
in to the master account with those.

But you can generate backup codes that you can print out or store somewhere
safe for that emergency.

------
tantalor
I was about to ask why don't browsers prompt for confirmation when submitting
a password on an unfamiliar domain, but then I realized the fake login page
would just use a normal text field instead of a password field and fake the
password dots.

------
tehabe
I wonder if the usage of plain-text mails would reduce phishing or increase
it?

~~~
mike-cardwell
You mean, if the phishers sent text email instead of html email, would they be
less successful? Probably. So why would they?

Are you suggesting that all email/webmail clients stop rendering HTML?

~~~
tehabe
I'm suggesting that companies like Google should have a plain-text option.

The long-term goal would be to get rid of HTML, at least in my utopian mind, as
it will never happen in reality.

------
swalsh
I think it's time for Google to implement the personalized icon thing Banks
have when logging in. I definitely classify my email to be near as important
security wise as my banking information.

------
lenkite
IMHO javascript should _never_ have been allowed in the address bar or even
inline in an href. The first time I learned about this feature of a browser, I
was thinking 'security defect'.

~~~
roywiggins
It's not Javascript, it's a data URI that renders an HTML page.

~~~
_nalply
which contains JavaScript

------
mikeash
This is a lesser-known benefit of password managers that autofill (or at least
auto-look-up) passwords in web pages. I might fail to notice a wonky address
bar, but 1Password will notice.

~~~
espadrine
1Password is great, but it solves a problem that we should get rid of.

It converts the n-websites-n-passwords situation into one where passwords
become random tokens unlocked by a single client-side secret.

We need to make U2F more widespread.

------
phkahler
Why would you need to sign in if you're already in your gmail? Not to say
there's anything obviously wrong, one could easily go there.

It does point out a major problem. Email used to be text only. Then we added
attachments that needed to be saved as a file and read with whatever app. Then
we went to automatically displaying attached images and having live HTML
links. All of these things we do for convenience make this sort of attack more
possible.

~~~
TeMPOraL
> _Why would you need to sign in if you're already in your gmail? Not to say
> there's anything obviously wrong, one could easily go there._

I can't tell you _why_, but I'm pretty sure it happens - I have a
recollection of having to reauthenticate every few weeks or so when opening a
Google Drive attachment from my Inbox window. So I would not be surprised if I
saw a login screen after clicking on such an "attachment".

------
suprjami
The closest I ever came was a Nigerian scam where a crown prince had been one
of the first people on a space station in the 90s, but his return seat was
taken up by cargo when they decommissioned the satellite, so they just left
him in orbit.

After 15 years alone in space he was "in good spirits" but wanted to come home
and would share his overtime flight pay of $15M with me.

Seriously where do they find these stories.

------
greggman
I actually did get phished by this. I think I just got lucky I had 2fa on and
they didn't phish that too

[http://blog.greggman.com/blog/getting-phished/](http://blog.greggman.com/blog/getting-phished/)

The worst thing is I don't know how to help my less technical friends not fall
for it. They are unlikely to use 2fa I think

------
sundvor
Hm, a give-away would be that the image would most likely not be interactive
like it is now for me (Chromium). I.e. a PDF attachment footer "icon" renders
the preview, and then action buttons when hovering the mouse over it. The
buttons are then changed to darker colours with alt text when hovering over
them again.

Or did they manage to embed the JS to simulate these actions with the attack?

------
Dangeranger
Use 2-Factor Auth. If you are a sysadmin make it required. Block image
downloads by default. Turn on log in notifications for unknown devices. If you
are a sysadmin in a controlled network and serve content via proxy block
bit.ly. This is a clever and dangerous attack, but can still be avoided by
following the above.

~~~
chinathrow
The 2FA token is valid for up to 1 minute and the attacker could easily ask
for it as well...

There were no image downloads, it was embedded within the message itself.

~~~
Dangeranger
Ok that's valid. Other than blocking bit.ly and other commercial link sharing
services this seems to be a human hacking problem. It's hard to get people to
be careful about checking the URL on a login page.

------
elchief
A reminder that U2F essentially prevents phishing attacks:

[http://security.stackexchange.com/questions/71316/how-secure-are-the-fido-u2f-tokens](http://security.stackexchange.com/questions/71316/how-secure-are-the-fido-u2f-tokens)

------
jsz
I've seen this before and nearly fell for it myself. If I didn't have auto
fill for google account logins I would definitely fall for this. I noticed
immediately when it made me type in my email and password and had no records
of my other accounts.

------
bitskits
Some further reading on the subject by lcamtuf (from 2011):
[https://lcamtuf.blogspot.com/2011/12/old-switcharoo.html](https://lcamtuf.blogspot.com/2011/12/old-switcharoo.html)

------
CGamesPlay
One of my users was hit by this recently. Another interesting tactic they used
was a redirect to the fraudulent login page. This way, as soon as it was
reported as phishing to google, they just incremented a number in the URL and
could continue harvesting.

------
andygambles
The aim of EV certificates is to reduce such risks and highlight to the user
the legitimacy of such websites.

HTTPS alone only provides encryption. Google doesn't use EV anywhere but I
feel it should on login pages especially given it is a high phishing target.

~~~
bad_user
EV certificates don't work. You're relying on the user to spot a change in the
address bar, which is no different than relying on the user to notice that the
domain is not "gmail.com".

HTTPS is meant for preventing MITM attacks, but it isn't meant to validate the
identity of the entity you're speaking to; even though some people try doing
that, it's just a game of pretend.

~~~
MrManatee
I totally agree that EV certificates don't work. I know the difference between
EV and DV, but I'm glad I don't have to rely on that knowledge very much. I
don't trust myself that I would notice if an EV site would suddenly have a
slightly different looking DV-style lock icon. I don't even trust myself to
remember which sites use EV in the first place.

As many other commenters here, I mostly rely on password autocompletion. If
autocompletion doesn't recognize the site, then I'm extra careful. The point
is that this is rare enough so that it is actually feasible for me to be
careful on those occasions.

------
wnevets
If google still disabled images by default this would have been defeated

------
safe001
how about using 3-step auth?

1\. you input your username

   google sends back a msg/pic which you saved in google at last login

   confirm, then go to step 2

2\. you input your password

3\. google asks you to input the auth code

~~~
btown
So then they use a botnet to input your username on google.com to get your
image, then stream it to you.

------
shadowlord
Correct me if I'm wrong, but that embedded image (pretending to be an
attachment) redirects you to a (fake) Gmail login page. How is that supposed
to trick anyone? I mean, isn't it unusual (i.e. never happens) for attachments
to take you to a Gmail login page? So that's suspicious behaviour right there.
How is it a serious phishing attack that's getting so much attention on a
platform like HN where people are used to much more sophisticated hacks?
Unless you're implying that visiting that website (fake login page) itself
could harm the user's device, is there some detail that I'm missing here?

~~~
et-al
Part of why we're impressed (and dismayed) is that they use a data URL to look
like "accounts.google.com" and to load a remote script out of sight to the
right of all the spaces. Maybe the URL protocol didn't fool you, but I think
there are a good number of users out there who have been "trained" to check
the URL to see that it says "accounts.google.com" and think it's fine.

And while clicking on an attachment shouldn't sign out a user, being
automatically signed out has happened enough to most people that it seems like
a fairly innocuous event, especially since this is _supposed_ to be an
attachment, not a link, and you just need to sign back in. So one does.

~~~
shadowlord
Yes, getting automatically signed out is a normal thing. And of course, the
user wouldn't suspect that it was the attachment that caused that. So yes, I
see it now how this is a legitimate concern.

------
Neil44
One of my clients got hit with this yesterday. Google suspended the account
but only after a round of emails had gone out.

Seems like at this point the perps are just harvesting credentials.

------
wopwopwop
This guy has an interesting YouTube channel

[https://www.youtube.com/user/enyay](https://www.youtube.com/user/enyay)

------
jim-jim-jim
I started using mutt to avoid image tracking, but dodging clever stuff like
this is an added bonus.

I probably would have fallen for this.

------
cdubzzz
Just addressing this attack in particular, is there any legitimate reason to
have consecutive white spaces in a URL bar?

~~~
contravariant
If you accept that someone is allowed to embed text documents into a URL then
you also need to either allow people to link to text documents containing
large runs of white space, or introduce some very weird restrictions to the
kind of documents that can be embedded that way.

------
codedokode
This could be prevented by using physical keys instead of passwords. People
are weak in deciphering URL bar contents.

------
rocqua
Cool to see Tom Scott on hackernews.

------
lanius
Wow. Imagine if they had just used a few hundred extra spaces.

------
ravenstine
This is why I disable images by default in my email client.

------
mxuribe
Pretty. Damned. Clever. ...And, scary too.

------
whyagaindavid
Serious question. Does having a chromebook anyway help? How often is the
google safe browsing checked?

Wondering if I should do all internet activities inside chromebook only.

~~~
witty_username
A Chromebook won't help any more than Chrome for phishing.

------
yread
To save the click:

Tom Scott (@tomscott):

This is the closest I've ever come to falling for a Gmail phishing attack. If
it hadn't been for my high-DPI screen making the image fuzzy…
[https://pbs.twimg.com/media/C0W-dCCWQAAl0cn.jpg](https://pbs.twimg.com/media/C0W-dCCWQAAl0cn.jpg)

~~~
junto
Thanks for posting the image. Twitter's mobile site does not allow you to zoom
the image. Very annoying how mobile sites do that.

~~~
JorgeGT
The most important image IMHO is the following, be sure to check it:
[https://pbs.twimg.com/media/C0XB_c8WIAAtEF8.jpg:large](https://pbs.twimg.com/media/C0XB_c8WIAAtEF8.jpg:large)

------
retube
Twitter blocked in my location. Is there a mirror?

Edit: thanks all for help below. Yes very cunning.

~~~
lovich
I don't know of a mirror but the email had an embedded image that looked like
a pdf attachment in gmail. The embedded image led to a fake google sign in
page when clicked

------
witty_username
To stop being phished always check the domain name and for HTTPS before
entering passwords.

~~~
mderazon
Don't trust HTTPS, any malicious site can get a certificate very easily. I once
almost fell for a smart Airbnb phishing attack. At some point, I was directed
to
[https://www.airbnb.com.eubook.net/en/instant/rooms/2685603?checkin=08%2F26%2F2016&checkout=08%2F31%2F2016&currency=€&guests=10](https://www.airbnb.com.eubook.net/en/instant/rooms/2685603?checkin=08%2F26%2F2016&checkout=08%2F31%2F2016&currency=€&guests=10)
to complete my booking. Website had perfectly valid SSL cert (doesn't anymore)
and more importantly, check out the domain name ! Almost missed the
.eubook.net part!

~~~
JorgeGT
HTTPS only means "you are securely accessing this particular domain" not "the
operators of this domain are nice people".

------
pvdebbe
Luckily I always pay attention to the URL and I consider myself being pretty
safe from all sorts of phishing attacks. There have been quite a few clever
ones.

