Google announced this news on Jan. 25 through its G Suite Updates blog.
“Gmail currently restricts certain file attachments (e.g. .exe, .msc, and .bat) for security reasons, and starting on February 13, 2017, we will not allow .js file attachments as well,” the blog stated.
For the uninitiated, Gmail already blocks standard Windows executables (.exe), batch files (.bat) and Microsoft Management Console files (.msc).
To maintain the security of its services, Google will now block .js attachments as well, since malicious e-mails often carry rigged attachments in these formats to trick users into giving up their credentials.
Opening an unknown .js file on Windows launches the Windows Script Host, which executes the script contained in the file. This is dangerous for the user because such a script can in turn easily launch Windows executables.
Google has said that an “in-product” warning will appear if someone tries to attach a .js file to a message after Feb. 13.
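The block-by-extension policy described above is simple to state but easy to get wrong in practice, because Windows decides which program opens a file from its final extension only, matches it case-insensitively, and silently drops trailing dots and spaces. The following filter is an added example modelled on the policy in the article; it is not Gmail's implementation, and the attachment names it checks are constructed for illustration.

```python
"""Attachment filter modelled on the Gmail policy described in the article:
block .exe, .msc, .bat and, from Feb. 13, 2017, .js.

Added example code, not Gmail's implementation. Sample filenames are
constructed for illustration.
"""

import posixpath
from typing import Dict, List

# The four extensions named in the article.
BLOCKED_EXTENSIONS = frozenset({".exe", ".msc", ".bat", ".js"})


def normalize_filename(name: str) -> str:
    """Reduce an attachment name to the form Windows would actually save.

    Windows matches extensions case-insensitively and silently drops
    trailing dots and spaces, so a filter that compared the raw string
    would wave through 'invoice.JS' or 'invoice.js. '.
    """
    # Drop any path component smuggled into the filename header.
    base = posixpath.basename(name.replace("\\", "/"))
    return base.rstrip(" .").lower()


def final_extension(name: str) -> str:
    """Return the last extension of the normalized name, dot included.

    A bare '.js' is still a script on Windows, so a leading dot counts.
    """
    base = normalize_filename(name)
    dot = base.rfind(".")
    return "" if dot < 0 else base[dot:]


def is_blocked_attachment(name: str) -> bool:
    """True if Windows would hand the file to a blocked handler.

    Only the final extension selects the handler, so 'photo.jpg.js' is a
    script (blocked) while 'archive.js.zip' is an archive (not blocked).
    """
    return final_extension(name) in BLOCKED_EXTENSIONS


def filter_attachments(names: List[str]) -> Dict[str, List[str]]:
    """Split attachment names into those to deliver and those to warn on."""
    result: Dict[str, List[str]] = {"allowed": [], "blocked": []}
    for name in names:
        result["blocked" if is_blocked_attachment(name) else "allowed"].append(name)
    return result


# Constructed sample attachment names covering the common evasions.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "setup.exe",
    "invoice.JS",
    "invoice.js. ",
    "photo.jpg.js",
    "archive.js.zip",
    "notes.json",
    "tools\\run.bat",
]

if __name__ == "__main__":
    verdicts = filter_attachments(SAMPLE_ATTACHMENTS)
    for label, names in verdicts.items():
        for name in names:
            print(f"{label:8s} {name!r}")
```

Note that this checks only the outermost filename; a filter that stops at extensions will not see a script carried inside an archive, which is why the extension list is one layer of an attachment policy rather than the whole of it.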
Gmail Phishing Scam
For the unfamiliar, Gmail users fell victim to a widespread phishing scam last week which tricked them into giving up their Google credentials.
The attackers used the compromised accounts to go through the sent folder and pass the malware on to other unsuspecting Gmail users. What made the trick effective is that the malicious mail came from the account of a known contact, whose account had already been hacked.
The malware was disguised as a PDF or image attachment. Clicking its preview opened a new tab asking the user to log into Gmail again. The location bar showed “accounts.google.com”, which most users take as a sign that they have reached the authentic Gmail login page. What they missed was the small prefix “data:text/html” in front of the hostname: the page was a data URI carrying its own HTML, not a page served from Google at all.
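The defensive lesson from the page above is that a hostname in the location bar means nothing unless the scheme in front of it is one that actually fetches from that host. The classifier below is an added example, not code from the article, that applies this check to a URL as a browser extension or a security-awareness tool might: a `data:` URL that merely mentions a trusted login host is flagged as a spoof, whether the name appears in plain text, percent-encoded or base64-encoded. The trusted host list and the sample URLs are constructed for illustration.

```python
"""Classify a location-bar URL the way a defender would check the phishing
page described in the article: a 'data:' URL that merely contains the text
'accounts.google.com' is not served by Google at all.

Added example code, not from the article. The trusted-host list and the
sample URLs are constructed for illustration.
"""

import base64
import binascii
from urllib.parse import unquote, urlsplit

# Assumption for this example: the real login lives on exactly this host.
TRUSTED_LOGIN_HOSTS = frozenset({"accounts.google.com"})


def data_uri_payload(url: str) -> str:
    """Return the decoded document embedded in a data: URL.

    Format: data:[<mediatype>][;base64],<data>. The document travels inside
    the URL itself; nothing is fetched from any hostname it mentions. Both
    percent-encoded and base64 bodies are decoded so an encoded body cannot
    hide the spoofed name from a substring check.
    """
    header, sep, data = url.partition(",")
    if not sep:
        return ""
    if header.lower().rstrip().endswith(";base64"):
        try:
            padded = data + "=" * (-len(data) % 4)
            return base64.b64decode(padded).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return ""
    return unquote(data)


def classify_login_url(url: str) -> str:
    """Return 'genuine', 'data-uri-spoof' or 'untrusted'."""
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "data":
        # The trusted name may sit in the visible URL text (padded with
        # spaces to push the real content off-screen) or only in the
        # decoded body, so both are searched.
        haystack = (url + " " + data_uri_payload(url)).lower()
        if any(host in haystack for host in TRUSTED_LOGIN_HOSTS):
            return "data-uri-spoof"
        return "untrusted"
    # A genuine login page is served over TLS from exactly the trusted host;
    # a longer hostname that merely starts with it does not qualify.
    if scheme == "https" and parts.hostname in TRUSTED_LOGIN_HOSTS:
        return "genuine"
    return "untrusted"


# Constructed samples mirroring the pattern described in the article.
SAMPLE_GENUINE = "https://accounts.google.com/ServiceLogin?service=mail"
SAMPLE_SPOOF = "data:text/html,https://accounts.google.com/ServiceLogin%20%20%20%3Chtml%3E..."
SAMPLE_SPOOF_B64 = "data:text/html;base64," + base64.b64encode(
    b"<title>accounts.google.com</title><form>...</form>"
).decode("ascii")

if __name__ == "__main__":
    for sample in (SAMPLE_GENUINE, SAMPLE_SPOOF, SAMPLE_SPOOF_B64):
        print(f"{classify_login_url(sample):15s} <- {sample[:60]}")
```

The exact-host comparison on the `https` branch is deliberate: checking for the trusted name as a substring would accept any host that happens to contain it, which is the same mistake the data URI exploits in the other direction.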
The attackers behind this scam were also able to block the victim from using any other services linked to the Google account.
Why The Measure?
Google has not provided the public with a detailed explanation other than saying that this step was taken for “security reasons.”
Whether this step was taken in response to the recent phishing scam is not clear; any such link is merely an assumption.