The following excerpts were pulled from an article posted on TechRepublic.
It all starts with a Gmail account that has already been compromised. Reports say that the perpetrators access hacked accounts immediately and send phishing messages to other Gmail addresses in the hacked account's contact list.
An email lands in the target's inbox from the hacked address, and here's where it gets tricky: the phishing email reuses a real subject line, text, and attachments from messages that account has already sent, so it looks entirely authentic.
The phishing email comes with an "attachment" that is actually a screenshot of an attachment that account sent in the past, such as a spreadsheet or a PDF. The trick is that the fake attachment is an embedded image wrapped in a link, and that link takes the victim to what looks like a Google login page.
Thinking they need to re-authorize their account to view the attachment, the user logs in, and their account is now in the hands of the attackers. The cycle starts all over again—just one compromised account has the potential to affect dozens more.
Normally, if you hover over a link, you can see the URL where the link will take you. See this blog post on how to configure Safari so you can preview a link's URL.
In this particularly tricky Gmail phishing attack, the URL of the fake login page looks real: it even contains the accounts.google.com domain. There is just one giveaway, and it is the key to avoiding the attack: the URL begins with "data:text/html". That prefix means the browser is rendering HTML embedded in the address itself rather than loading a page from accounts.google.com; the Google domain is merely text inside that embedded payload.
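The check described above can be automated: a link is only a Google login page if the host the browser will actually contact is accounts.google.com, which a data: URI never has. The following is an added example written for this page, not code from the article; the sample links, the `TRUSTED_LOGIN_HOSTS` set and the `classify_link` function are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote

# Hosts that are allowed to present a Google login form (assumption for this example).
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

# Constructed sample links, not taken from the article. The data: links mimic the
# pattern the article describes: "accounts.google.com" is visible in the address
# bar, but only as text inside the data URI payload, so no Google server is contacted.
SAMPLE_LINKS = [
    "https://accounts.google.com/ServiceLogin?continue=https://mail.google.com/",
    "data:text/html,https://accounts.google.com/ServiceLogin%20%20%20%20%3Chtml%3Eplaceholder%3C/html%3E",
    "data:text/html;base64," + base64.b64encode(b"<title>accounts.google.com</title>").decode("ascii"),
    "https://accounts.google.com.example.test/login",
]


def _data_uri_payload(url: str) -> str:
    """Decode the text payload of a data: URI (percent-encoded or base64)."""
    header, _, body = url.partition(",")
    if ";base64" in header.lower():
        try:
            return base64.b64decode(body).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            return ""
    return unquote(body)


def classify_link(url: str) -> dict:
    """Return the scheme, the host the browser will really contact, and a verdict."""
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # None for data: URIs: there is no remote host at all
    if scheme == "data":
        payload = _data_uri_payload(url)
        named = sorted(h for h in TRUSTED_LOGIN_HOSTS if h in payload)
        verdict = ("phishing: data: URI renders inline content naming " + ", ".join(named)
                   if named else "suspicious: data: URI with no remote host")
    elif scheme not in ("http", "https"):
        verdict = f"suspicious: unexpected scheme {scheme!r}"
    elif host in TRUSTED_LOGIN_HOSTS:
        verdict = "ok: genuine trusted host" if scheme == "https" else "suspicious: trusted host over plain http"
    elif host and any(h in host for h in TRUSTED_LOGIN_HOSTS):
        verdict = "suspicious: trusted host name embedded in another domain"
    else:
        verdict = "other host"
    return {"scheme": scheme, "host": host, "verdict": verdict}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link))
```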