We've been watching the quantity of scam emails increase massively over the past year or two and watching the quality of these scams improve too. The combination of both a higher quantity and more convincing deluge of scam emails, means more people than ever are having accounts compromised, accidentally downloading viruses and having data held hostage.

A scam we’ve seen a lot of appears to prey on the way that Gmail displays attachments, you’ve probably seen it if you use Google Apps or Gmail, the file preview with the download and Google Drive buttons. Above is how 2 genuine attachments look, we see a small dotted line with a heading noting the number of attachments and two buttons on the right to either download all the files or send them to Drive, the attachments and their previews sit underneath.

Now, spot the difference, here's an email from a frequent contact, it looks as genuine as can be since it’s from the contact (they’ve had their account compromised, probably by this very same attack), it’s got their footer, I’ve got a little image of them, I’ll just open the attachment since it looks like a genuine Gmail attachment preview…

Upon clicking the preview we’re taken to a shortened URL that then redirects to a shortened URL that then redirects to a very clever use of the ‘data:text/html’ scheme that almost makes it look as if you are on ‘’ if you missed the schema part (or didn’t have the understanding of what the data:text/html part meant).

Notice that I’ve highlighted some spaces after the end of the supposed URL, if we follow the spaces we end up at a script tag that utilises base64 encoding to obfuscate its contents. If we decode the scripts contents we end up with a packed script, finally if we unpack the script we see what's happening.

A small script attached a iFrame to the page that points at an external site that replicates the look/feel of the Google login page perfectly.
This login form unfortunately doesn’t log you into Gmail, it sends the captured details off to a PHP script to be recorded in a database. Once in the database the same attack is repeated on the captured user's contacts.

This attack preys on two key points:

  • The fake ‘Gmail attachment’ looks very similar to a real one, most users would simply click on this without thinking since generally Gmail does a great job of filtering out viruses
  • The data:text/html trick makes the URL look convincing at first glance + for users who don’t have the technical knowledge to know what it means they may believe the URL is genuine

The first point could be addressed by Gmail implementing a filter to catch these kind of emails, but that would require analysing attached images to see if they are extremely similar to an attachment box and would probably create all kinds of false positives.
The second isn’t something that can be easily fixed since it’s a core feature of any modern web browser - Perhaps warning the user about opening data:text/html URLs that contain script tags could be a way around this.

To help protect yourself from this kind of attack you need to make sure that attachments are genuine and not just an image wrapped in a link to an external site. They should be clearly separated from the email content (not within the email content). Genuine attachments in Gmail will nearly always have a preview and the buttons should have a hover effect as you move your mouse over them.

If you ever accidentally click one of these fake attachments it can be hard to realise you are not on the real Gmail site, check the following to ensure you're actually on Gmail:

Failing that, if you realise that the login form you’ve just filled in wasn’t genuine, it's important you act quickly before the attacker changes your password and potentially locks you out of your account. You can change your password by going to

Password breaches can be protected against by utilising 2-Step Verification (Google's 2-Factor Authentication) feature. The 2-Step Verification feature works by verifying login attempts via a text to your mobile phone, meaning any attacker would need both your password and would have to be holding your mobile phone in their hands to be able to login to your account.