Google has countered a “highly effective” phishing scam that in recent months impacted users of its Gmail email service.
Scammers had been trickingpeople into divulging their passwords by directing them to lookalike login pages that tripped no alarms in the victim’s web browser. Security researchers at WordFence, a company that makes security tools for WordPress sites, last month warned that the phishing effort was “having a wide impact, even on experienced technical users.”
No longer. Google has responded to the problem with an update to its Chrome browser. In the new version, released earlier this month, the browser’s address bar warns people when they have been served a page that uses the phishing trick.
Get Data Sheet, Fortune’s technology newsletter.
While the browser previously indicated nothing suspicious about the sham account sign-ins, the revamped version now displays “not secure” in such instances. (It is still incumbent upon the Gmail user to heed that warning, of course.)
Scammers had been sending people fraudulent email messages from the compromised accounts of known contacts. Inside, the notes included embedded images designed to look like PDF attachments that, when clicked, opened bogus Gmail login pages.
https://twitter.com/tomscott/status/812265182646927361
On the fake login pages, everything would look perfectly normal, except for a bit of unusual text, “data:text/html,” preceding the usual “https://.”
The scammers had been exploiting a distinction between a URL and the less common “data URI.” The former, more familiarly known as a web address, points to a page’s location on the web, accesses it, and lets people interact with it; a “data URI,” on the other hand, embeds a file.
In this case, the data URI ran a hidden program the served up phishing pages. Because Google Chrome failed to flag these pages as potentially dangerous, many people did not realize the hazard of entering their username and passwords—which the attackers would promptly nab, and then use to hijack more accounts.
Emily Schechter, a security product manager for Google Chrome, acknowledged the phishing scheme in a statement provided to Fortune on Monday. In it, she explained the company’s fix and hinted at stronger countermeasures to come.
The address bar in Chrome and other browsers helps users to determine a page’s identity. If the address, the URL, corresponds accurately to the page content, users feel confident they’re in the right place. Scammers might take advantage of that trust, and display pages that look like familiar sites, but have slightly different URLs. Sometimes these addresses start with “data:”; this was the case in the scam we saw recently. “Data:” addresses have some legitimate use cases, but in this case were used to purposely confuse users. Now, Chrome shows a “Not secure” label next to addresses that begin with “data:”, and we’ll be taking further action in upcoming versions of Chrome.
Alluding to that “further action,” a Google spokesperson said that Google has plans to prevent redirections to “data” sites entirely in future versions of the browser, “so the action will be even more aggressive fairly soon.”
For now, Chrome’s in-browser warning reads “not secure” alongside a gray circle, as pictured below. (Eventually, the company plans to place a more flamboyant red triangle in the browser bar for all sites not fully protected by “https.”)
Mark Maunder, CEO of WordFence and who first raised the phishing scam to Fortune’s attention in a blog post last month, said he was satisfied with Google’s remedy. “Chrome has resolved this issue to my satisfaction,” he wrote Friday in an update.
In sum: make sure, if you use Chrome, that your browser is up to date. Steer clear of “not secure” web pages (in addition to ones not protected by “https”) when entering credentials. And always triple check to make sure you’re transacting with the intended website before entering a password.
