<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security &#8211; Johnson Websites</title>
	<atom:link href="https://johnsonwebsites.com/category/blog/wordpress/security/feed/" rel="self" type="application/rss+xml" />
	<link>https://johnsonwebsites.com</link>
	<description>Wordpress Websites and Hosting</description>
	<lastBuildDate>Tue, 31 Jan 2017 20:12:03 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://johnsonwebsites.com/wp-content/uploads/2017/07/cropped-woocommerce-virtual-product-membership-site-32x32.png</url>
	<title>Security &#8211; Johnson Websites</title>
	<link>https://johnsonwebsites.com</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">96167848</site>	<item>
		<title>Recent Phishing Attacks: What You Need to Know</title>
		<link>https://johnsonwebsites.com/recent-phishing-attacks-what-you-need-to-know/</link>
		
		<dc:creator><![CDATA[Brandon Johnson]]></dc:creator>
		<pubDate>Tue, 17 Jan 2017 21:20:18 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://johnsonwebsites.com/?p=341</guid>

					<description><![CDATA[Phishing is a common exploit that is used to steal login credentials. You may have received these types of emails in the past and, as a savvy web user, were able to avoid falling into these types of traps. Phishing emails come disguised as legitimate, or as coming from a legitimate source, saying your password is compromised [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Phishing is a common exploit that is used to steal login credentials. You may have received these types of emails in the past and, as a savvy web user, were able to avoid falling into these types of traps. Phishing emails come disguised as legitimate, or as coming from a legitimate source, saying your password is compromised and you need to change it. You would then be redirected to a login page that appears authentic. Once you complete the sign-in, your account would be compromised. </p>
<p>John Podesta <a href="http://www.cbsnews.com/news/the-phishing-email-that-hacked-the-account-of-john-podesta/" target="_blank">recently fell victim to a phishing attack</a> and even had confirmation from his IT staff that his Gmail account was in fact hacked and that he needed to change his password immediately. They now say <a href="http://thehill.com/policy/cybersecurity/310234-typo-may-have-caused-podesta-email-hack" target="_blank">it was a typo</a>, but the reality is that phishing attacks can fool even the most experienced technical users.</p>
<h2>The Attack</h2>
<p>The popular WordPress security plugin Wordfence recently put out <a href="https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/" target="_blank">a great article</a> about the technical aspects of the attack and how it is fooling users at all experience levels. This attack targets Gmail users specifically and uses image attachments and subject lines from trusted email addresses you already recognize that may have been compromised using the same technique.</p>
<h2>What you can do to prevent these types of attacks</h2>
<p>As a matter of habit, you should always check the address bar, especially when signing into anything, to make sure it is in fact a legitimate site. In this case, the address bar does contain the URL &#8216;accounts.google.com&#8217;, but a closer look reveals additional code.</p>
<blockquote><p>
From the <a href="https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/" target="_blank">WordFence article</a>:</p>
<p>This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text. If you widen out the location bar it looks like this:</p>
<p><img loading="lazy" decoding="async" src="https://johnsonwebsites.com/wp-content/uploads/2017/01/gmail-phishing-data-uri-showing-script-1024x70.png" alt="" width="1024" height="70" class="aligncenter size-large wp-image-343" srcset="https://johnsonwebsites.com/wp-content/uploads/2017/01/gmail-phishing-data-uri-showing-script-1024x70.png 1024w, https://johnsonwebsites.com/wp-content/uploads/2017/01/gmail-phishing-data-uri-showing-script-300x20.png 300w, https://johnsonwebsites.com/wp-content/uploads/2017/01/gmail-phishing-data-uri-showing-script-768x52.png 768w, https://johnsonwebsites.com/wp-content/uploads/2017/01/gmail-phishing-data-uri-showing-script.png 1764w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></p>
<p>There is a lot of whitespace which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker.</p>
<p>As you can see on the far left of the browser location bar, instead of ‘https’ you have ‘data:text/html,’ followed by the usual ‘https://accounts.google.com….’. If you aren’t paying close attention you will ignore the ‘data:text/html’ preamble and assume the URL is safe.</p></blockquote>
<p>Tom Scott recently <a href="https://twitter.com/tomscott/status/812265182646927361" target="_blank">tweeted</a> about this same attack that he received in his email:<br />
<img loading="lazy" decoding="async" src="https://johnsonwebsites.com/wp-content/uploads/2017/01/C0W-dCCWQAAl0cn-1024x692.png" alt="" width="1024" height="692" class="aligncenter size-large wp-image-344" srcset="https://johnsonwebsites.com/wp-content/uploads/2017/01/C0W-dCCWQAAl0cn-1024x692.png 1024w, https://johnsonwebsites.com/wp-content/uploads/2017/01/C0W-dCCWQAAl0cn-300x203.png 300w, https://johnsonwebsites.com/wp-content/uploads/2017/01/C0W-dCCWQAAl0cn-768x519.png 768w, https://johnsonwebsites.com/wp-content/uploads/2017/01/C0W-dCCWQAAl0cn.png 1199w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></p>
<blockquote><p>
From the <a href="https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/" target="_blank">WordFence article</a>:</p>
<p>When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. It should look like this in Chrome when signing into Gmail or Google:</p>
<p><img loading="lazy" decoding="async" src="https://johnsonwebsites.com/wp-content/uploads/2017/01/GMail-phishing-secure-accounts.google.com-data-uri.png" alt="" width="778" height="76" class="aligncenter size-full wp-image-346" srcset="https://johnsonwebsites.com/wp-content/uploads/2017/01/GMail-phishing-secure-accounts.google.com-data-uri.png 778w, https://johnsonwebsites.com/wp-content/uploads/2017/01/GMail-phishing-secure-accounts.google.com-data-uri-300x29.png 300w, https://johnsonwebsites.com/wp-content/uploads/2017/01/GMail-phishing-secure-accounts.google.com-data-uri-768x75.png 768w" sizes="auto, (max-width: 778px) 100vw, 778px" /></p>
<p>Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.</p>
<p>Enable two factor authentication if it is available on every service that you use. GMail calls this “2-step verification” and you can find out how to enable it on this page.</p>
<p>Enabling two factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion that indicates even two factor authentication may not protect against this attack. However I have not seen a proof of concept, so I can not confirm this.</p>
</blockquote>
<h2>How will I know if my account is already hacked?</h2>
<p>There is no sure way to know if your account has been hacked. When in doubt, change your password. This is a good practice in general anyway, but will rule out the possibility that someone has access to your account.</p>
<p>In addition, you can check your account activity and see if there has been any suspicious activity: <a href="https://support.google.com/mail/answer/45938?hl=en" target="_blank">https://support.google.com/mail/answer/45938?hl=en</a></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">341</post-id>	</item>
		<item>
		<title>How Cross Site Scripting Can Allow Hackers to Put Code on a Website</title>
		<link>https://johnsonwebsites.com/how-cross-site-scripting-can-allow-hackers-to-put-code-on-a-website/</link>
		
		<dc:creator><![CDATA[Brandon Johnson]]></dc:creator>
		<pubDate>Tue, 21 Jul 2015 22:11:59 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://johnsonwebsites.com/?p=124</guid>

					<description><![CDATA[If you are familiar at all with WordPress, you know that web security is a huge priority for the WordPress team. As a benefit of using WordPress as a web content management system, security vulnerabilities will be patched on your site automatically. Recently, a major XSS (Cross Site Scripting) vulnerability was discovered and fixed by [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>If you are familiar at all with WordPress, you know that <a href="https://wordpress.org/news/2015/05/wordpress-4-2-2/" target="_blank">web security</a> is a huge priority for the WordPress team. As a benefit of using WordPress as a web content management system, security vulnerabilities will be patched on your site automatically. </p>
<p>Recently, a major XSS (Cross Site Scripting) vulnerability was <a href="http://www.zdnet.com/article/hackers-target-critical-xss-vulnerability-in-millions-of-wordpress-sites/" target="_blank">discovered</a> and <a href="https://www.acunetix.com/blog/articles/xss-vulnerability-addressed-in-latest-wordpress-update/" target="_blank">fixed</a> by the WordPress team.</p>
<p><a href="https://en.wikipedia.org/wiki/Cross-site_scripting" target="_blank">Cross Site Scripting</a> is a common website vulnerability that affects web forms, search boxes and any place a user can submit content to a website database.</p>
<p>For example: Imagine a website that has a guestbook feature allowing users to submit their name and a message through a web form. This information is submitted through the form and processed by the server, which inserts the information into the database. Because a web server processes all of the text that is sent to it, <em>code</em> can also be passed via the web form to the server. In this case, <a href="https://en.wikipedia.org/wiki/JavaScript" target="_blank">JavaScript</a>.<br />
<img loading="lazy" decoding="async" src="https://johnsonwebsites.com/wp-content/uploads/2015/07/guestbook-screenshot-script-1024x319.png" alt="guestbook-screenshot-script" width="1024" height="319" class="alignnone size-large wp-image-125" srcset="https://johnsonwebsites.com/wp-content/uploads/2015/07/guestbook-screenshot-script-1024x319.png 1024w, https://johnsonwebsites.com/wp-content/uploads/2015/07/guestbook-screenshot-script-300x93.png 300w, https://johnsonwebsites.com/wp-content/uploads/2015/07/guestbook-screenshot-script.png 1350w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></p>
<p>The web server does not know the difference between a nice message from someone who really loves your website, or malicious code that a hacker is trying to inject into your website. In our example, we are simply inserting some JavaScript code that opens a pop-up box with some text.<br />
<img loading="lazy" decoding="async" src="https://johnsonwebsites.com/wp-content/uploads/2015/07/gusetbook-screenshot-1024x317.png" alt="gusetbook-screenshot" width="1024" height="317" class="alignnone size-large wp-image-126" srcset="https://johnsonwebsites.com/wp-content/uploads/2015/07/gusetbook-screenshot-1024x317.png 1024w, https://johnsonwebsites.com/wp-content/uploads/2015/07/gusetbook-screenshot-300x93.png 300w, https://johnsonwebsites.com/wp-content/uploads/2015/07/gusetbook-screenshot.png 1374w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></p>
<p>This example may seem mundane, but the implications here are not to be taken lightly. It&#8217;s like leaving the door to your web server open to the entire world. In this scenario, a user is able to execute JavaScript code right on your website. Normally this would require <a href="/wordpress-development/">developer</a> access to the web server to do this, but the vulnerability makes it possible for anyone to run code on your website. All it takes is someone who is talented enough at JavaScript to come along and inject code that allows them to gain access to the whole site.</p>
<p>If you are using WordPress already, you are in good shape. However, you could still be vulnerable to this kind of attack if your site makes use of plugins for any of its features. This makes it critical to have regular <a href="/wordpress-updates/">updates and maintenance</a> to the WordPress framework and site plugins to ensure compatibility and security.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">124</post-id>	</item>
	</channel>
</rss>
