Saw this on http://www.ameborcam.com/site/blog/blogdetail?id=906
Here is what you need to know in order to stay safe from a new, sophisticated phishing attack.

Hackers have launched a new phishing attack that is tricking even tech-savvy users. Here is what you need to know in order to protect yourself:

Here is how the attack works: Hackers who have breached someone's email account look through the emails in it for correspondence containing attachments. They then send emails from the compromised account -- impersonating the account's owner -- with each email leveraging similarities to prior correspondence, so as to make the new messages seem legitimate and familiar. For example, the phishing emails may use a subject line that was used in the past.

The hackers embed an image of an attachment used in the past into each phishing email, but configure the image to open not the attachment but, rather, a phishing page that looks like a Google login. Because the user is opening a Gmail attachment, the presentation of a phony Gmail login page does not seem alarming -- especially when the person opening the attachment feels that he or she has been viewing a "safe and familiar" correspondence. Of course, once the new victim enters credentials into the phony Google login page the criminals utilize them to access their victim's account. The attack has likely been going on for about a year with increasing intensity.

HOW CAN YOU STAY SAFE?

1. Always think twice before entering login credentials -- ask yourself why you are being asked for them. If you are already reading Gmail, why all of a sudden are you being asked for your Gmail credentials?

2. Do not log in to sites via log-in pages generated by clicking links. For any site on which you will enter sensitive information, always reach it by entering its URL into the Web browser.

§ To get the attachment to open a phony Google login page, hackers use a data:text URL -- beginning something like "data:text/html,https://accounts.google.com/." While that may appear to be related to Google, any URL that starts data:text is not a link to a website but rather content to be displayed locally. Never enter passwords or other sensitive information into any webpage with a data:text URL.

§ Enable multi-factor authentication. If somehow you fall prey to a Gmail phsihing attack and give criminals your log-in name and password, multi-factor authentication will continue to protect your account. Without access to your phone, for example, criminals would be unlikely to be able to access your email even if they know your password.

§ Businesses worried about similar types of attacks should consider deploying anti-phishing technology. Green Armor's Identity Cues (which I co-invented), for example, helps ensure that a real login page looks different for every user and can only be generated by legitimate web servers; technology of that sort would make it obvious to users - consciously or subconsciously - that the bogus login page is illegitimate.

§ Do not rely on warnings by web browsers: The red warning used on insecure web pages, the certificate warnings used for invalid certificates, and the "unsafe site" may not appear for data:text URLs. (Web browser companies should change this - any data URL should display a warning.)

Source;http://www.ameborcam.com/site/blog/blogdetail?id=906