The Standard Group Plc is a multi-media organization with investments in media
platforms spanning newspaper print
operations, television, radio broadcasting, digital and online services. The
Standard Group is recognized as a
leading multi-media house in Kenya with a key influence in matters of national and
international interest.
Millions of Gmail users could be at risk from one of the most sophisticated phishing scams ever seen.
The scam tricks users into giving their Google login details and is considered so advanced it has even fooled IT experts.
The fake email can come from contacts in the recipient's own address book and uses image attachments that look like a PDF file.
When you click on the attachment, you are directed to phishing pages, disguised as the Google sign-in page.
The user is then asked to enter their details allowing the attacker to sift through their messages.
A further concern is that the phishing pages do not appear to trigger Google's HTTPS security warnings.
The scam was discovered by Mark Maunder, CEO of Wordfence, for WordPress, who admitted it was even fooling "experienced technical users."
Writing on Wordfence, Mr Maunder said: "Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.
"Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more."
An IT teacher also explained on Hacker News how the scam had affected their school system.
He wrote: "We got hit by this hard right before the holiday break.
"Three employees and a handful of students all got hit by the attack within a two hour period.
"It's the most sophisticated attack I've seen.
"The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
"For example, they went into one student's account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.
"They were using bit.ly to obscure the address (in Russia). We had to take our whole mail system down for a few hours while we cleaned it up.
How to avoid phishing attacks
Enable a two-factor authentication, and keep a look out for the prefix 'data:text/html' in the browser location bar – a sign of a fake web page. If you get an email from a site asking for personal information don’t click any links or provide personal information until you've confirmed it's safe When you get an email that looks suspicious check the address and the sender name match Check if the email is authenticated Hover over any links before you click on them - if the URL of the link doesn't match the description of the link, it might be leading you to a phishing site. Check the message headers to make sure the "from" header isn't showing an incorrect name.
