+

Cookies on the Business Insider India website

Business Insider India has updated its Privacy and Cookie policy. We use cookies to ensure that we give you the better experience on our website. If you continue without changing your settings, we\'ll assume that you are happy to receive all cookies on the Business Insider India website. However, you can change your cookie setting at any time by clicking on our Cookie Policy at any time. You can also see our Privacy Policy.

Close
HomeQuizzoneWhatsappShare Flash Reads
 

Hackers are using a devilishly clever fake email attachment scam to break into people's accounts

Jan 17, 2017, 16:07 IST

Advertisement
A masked participant poses in St.Mark's Square during the Carnival on February 10, 2007 in Venice, Italy. The Carnival traditionally celebrates the passing of winter, with parties, costumes and balls, in the run-up to the Christian observation of Lent.Marco Di Lauro/Getty Images

Has a trusted contact recently emailed you a PDF file to open? Watch out - it might not be what it seems.

A new email scam is circulating that aims to trick the user into giving up their email login details by sending over a (fake) link to a PDF to open.

And making it all the more plausible, the scam email is sent from compromised accounts and uses subject lines and file names that the target is likely to click on.

The phishing account was detailed in a recent blog post by WordFence, a WordPress security firm.

Here's how it works:

Advertisement

  • The attacker, using a compromised email account, sends emails to that first victim's contacts.
  • The email contains what appears to be a link to an attachment (often a PDF) hosted on Google Drive.
  • This lowers the target's defences, because they can - in theory - view documents on Google Drive without having to download anything.
  • If the would-be victim clicks the link, they'll be directed to a page masquerading as the Google login page.
  • They enter their login details when prompted - and just like that, the hacker has access to their account!
  • The attacker then starts the process all over again, targeting the most recent victim's contacts.

But here's the really clever bit - the email isn't just some generic template. It often actually borrows the subject line and (fake) file name from previous correspondence with the person being targeted, making it seem super plausible.

A commenter on news discussion site Hacker News wrote about his experience of the attack working at a school: "They went into one student's account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team."

The school was "hit by this hard right before the holiday break," they wrote. "Three employees and a handful of students all got hit by the attack within a two hour period. It's the most sophisticated attack I've seen."

Here's how it looks:

WordFence wrote about the attack recently, but it has been going around for a while. A blog post on Gregmann.com in 2016 details how the author fell for it after he was emailed with a believable subject line by someone he had met a year prior.

Advertisement

Letters from around the world are stored at the Santa Claus' Post Office in the Arctic Circle near Rovaniemi, Finland.REUTERS/Pawel Kopczynski

"Only after it failed and didn't ask for my 2 factor authentication I realized I had just been phished. I immediately changed my Google password. Fortunately my google password is not used on any of my other accounts," he wrote. "It's so scary that it was so easy to fool me. I'd guess most non-techies would fall for this too and most non-techies don't have 2 factor on so they'd have been owned immediately."

Luckily, there's ways you can protect yourself against this. Security experts recommend you use a different, strong password for every account you have - meaning if your password on one site is compromised, all your other accounts aren't at risk as well. (There are password manager apps that you can use to store passwords if necessary.)

And you should enable two-factor authentication whenever possible, which means even if your password is compromised hackers can't get into to your account without access to your phone as well.

On a long enough timeline, everyone gets hacked. But if you're smart about it, you can limit the damage.

NOW WATCH: Here's the gorgeous trailer for 'Super Mario Odyssey' - the first Mario game for Nintendo Switch

Please enable Javascript to watch this video
You are subscribed to notifications!
Looks like you've blocked notifications!
Next Article