A phishing scam targeting Gmail users is running riot by using emails that appear to come from contacts of the person targeted.

The scam, which was first spotted last year but has gathered steam in the last few weeks, involves the attacker sending an email to a Gmail account with the address of a known contact who has had their account hacked using the technique.

According to Wordfence Security, the email may also include something that looks like an image of an attachment the targeted person would recognize as being from the sender. Once a user clicks on the image to preview it, a new tab opens in the browser with a prompt to enter Gmail account details again.

That may seem like a stock-standard phishing attempt so far, but what makes this attack different is that users see the address accounts.google.com in their URL bar. Once the targeted victim enters their details, the account is compromised.

According to a commenter on Hacker News once through the door, the hackers immediately set to work to propagate the scam further using data from past email interactions.

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.

For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”

The good news is that it is possible to detect the scam. “The best way to identify this attack is to look at the address bar,” Norton Senior Security Response Manager Satnam Narang told Refinery29. “In this case, look for the words ‘data:/text/html’ at the beginning of the URL. If you see this, close the browser tab and alert your friend that their account has been compromised.”

Image credit: 28288673@N07/Flickr/CC by 2.0