{"id":286788,"date":"2017-01-21T13:26:41","date_gmt":"2017-01-21T19:26:41","guid":{"rendered":"http:\/\/itblog.lcisd.net\/?p=286788"},"modified":"2017-01-21T13:26:41","modified_gmt":"2017-01-21T19:26:41","slug":"update-wide-impact-highly-effective-gmail-phishing-technique-being-exploited-2","status":"publish","type":"post","link":"https:\/\/itblog.lcisd.net\/?p=286788","title":{"rendered":"**Update** Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited"},"content":{"rendered":"<p>Mark Maunder \u2013 Wordfence Founder\/CEO \u2013 <a href=\"https:\/\/twitter.com\/mmaunder\" target=\"_blank\">@mmaunder<\/a><\/p>\n<h1>Update: Official Statement from Google<\/h1>\n<p>This is an update at 11:30pm PST on Tuesday the 17th of January 2017. I was contacted by Aaron Stein from Google Communications. He has provided the following official statement from Google:<\/p>\n<p>\u201c<em>We\u2019re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.<\/em>\u201d<\/p>\n<p><strong>I asked Aaron two follow-up questions:<\/strong><\/p>\n<p>\u201c<em>Chrome 56 will include the text \u201cNot secure\u201d in the location bar on non-SSL websites where a page contains a password field or credit card input field. This is a fine example of a visual indication in the location bar that helps secure users. Are the Chrome dev team considering some visual indication in the browser location bar for data URI\u2019s? That would help defeat this attack because, currently, there is no visual indication of anything awry when viewing a phishing data URI. 
It\u2019s worth noting that the safe browsing system is currently unable to detect malicious data URI\u2019s because it is currently geared for traditional hostname-path URL\u2019s.<\/em><\/p>\n<p><em>Second question: Emails that contain malicious data URI\u2019s are the attack vector in this case. Are the GMail team considering any additional filtering or alerting related to data URI\u2019s as attachments in the GMail web application?<\/em><\/p>\n<p><em>I think any guidance you can provide on the above two questions will go a long way to put Chrome and GMail users\u2019 minds at ease.<\/em>\u201d<\/p>\n<p><strong>He responded with:<\/strong><\/p>\n<p>\u201c<em>I can\u2019t speak to things that aren\u2019t out yet, but *please* watch this space. Should have more to share soon<\/em>\u201d<\/p>\n<p><strong>My thoughts on this response:<\/strong><\/p>\n<p>I think this is a perfectly acceptable response from Google. To be clear, there are several\u00a0teams within the Google organization that this affects:<\/p>\n<p>The Google Chrome browser team will be the ones who would implement any change in the location bar behavior when viewing a phishing data URI. The GMail team would implement filtering and alerting within the GMail application when a data URI attachment is received with other associated phishing markers. The Google Safe Browsing team may add support for malicious data URI\u2019s in the GSB API and make that available to the Chrome browser team.<\/p>\n<p>There may be other parts of the Google organization that this touches, including operations.<\/p>\n<p>Asking Aaron to provide early guidance on how Google will mitigate this when it affects so many teams was a big ask, but I would be remiss if I didn\u2019t hit him with a couple of follow-up questions. 
The good news is that Google is aware of the issue and we have an official statement that indicates there will be something forthcoming in future releases of Chrome, GMail and possibly other products that can help mitigate this.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mark Maunder \u2013 Wordfence Founder\/CEO \u2013 @mmaunder Update: Official Statement from Google This is an update at 11:30pm PST on Tuesday the 17th of January 2017. I was contacted by Aaron Stein from Google Communications. He has provided the following<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,20,13,6,37],"tags":[],"class_list":["post-286788","post","type-post","status-publish","format-standard","hentry","category-browsers","category-cloud","category-email","category-security","category-social-networking"],"_links":{"self":[{"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/posts\/286788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=286788"}],"version-history":[{"count":1,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/posts\/286788\/revisions"}],"predecessor-version":[{"id":286789,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/posts\/286788\/revisions\/286789"}],"wp:attachment":[{"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=286788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fca
tegories&post=286788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=286788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}