Beware of this costly Gmail recovery prompt hack attack.
Update, Dec. 28, 2024: This story, originally published Dec. 27 now includes more information regarding Gmail and other email-based credential compromise attacks and why Google’s Advanced Protection Program is the mitigation you need.
The evolution of hack attacks shows no sign of slowing down, and this appears to be particularly true when it comes to the silver bullet threat combination of phishing and Gmail account compromise. The trouble is, even the most careful of Gmail users are falling victim as has been demonstrated in one recent case where the victim did everything right, or so they thought. Here’s what you need to know about this critical Gmail hack attack warning that could cost you dearly if you ignore it.
The Evolution Of Gmail Hack Attacks Continues At Pace
No matter how switched on to security threats, how aware of the methods used in phishing attacks, how secure you feel in the current threat landscape, I assure you that there are hackers, fraudsters and cybercriminals out there who can and will prove you wrong. An experienced security consultant recently discovered this himself after coming dangerously close to falling victim to what has been described in a viral posting as a “super realistic AI scam call.” He was lucky, however, as a last-minute gut instinct proved correct and the attack failed. Others have not been so lucky, and no AI-powered anything was even required.
As reported by the venerable Brian Krebs, formerly with The Washington Post and now the foremost cybersecurity news investigative reporter around, a user has confirmed how a combination of email security alerts, a real Google phone number and, ultimately, a Google recovery prompt on his smartphone led to him falling victim to a $500,000 cryptocurrency theft after his Gmail account was compromised.
The Gmail Hack Attack That Fooled A Chief Firefighter—And Could Just As Easily Fool You
There are many similarities to the successful attack on a Seattle area battalion chief firefighter, as reported by Krebs, and the security consultant, as reported by myself. The attack employed the use of a phone call, seemingly coming from a real Google number, and email alerts from a google.com address, to warn of an ongoing Gmail account hack and urge the target to follow steps to take control back. The Google phone number was, in fact, one used by Google Assistant for two-way AI-powered conversations rather than a support number—Google doesn’t provide telephone support. The email, complete with a Google Support Case ID, was able to use an actual Google address as it was sent via Google Forms. This is a free service that enables users of Google Docs to quickly send out surveys and the like.
The firefighter was told by the hacker, posing as a Google support representative, that he would receive an account recovery notification on his device to enable him to stop the attack and regain control over his Gmail account. That recovery prompt arrived almost instantly and asked if it was him trying to recover his account. Some of you might have spotted the issue here already: someone else can start the account recovery process, and that prompt you get is your last line of defense against them succeeding.
Gmail Attack Uses Last Line Of Defense Against Hackers As ‘Proof’ The Support Request Is Genuine
The victim told Krebs that he felt at ease after getting the promised recovery notification that he was really talking to someone at Google. It’s such a simple and basic attack technique, no AI nonsense involved, just a savvy attacker, and the vast majority are just that, stepping through the account recovery to trigger this last line of defense notification to pop up on the victim’s smartphone. Clicking yes, however, gives the attacker control over the Google account in question, control over the Gmail account that comes with it, and, in this case, access to Google Photos synced with that Gmail account. A photo of a cryptocurrency wallet seed phrase was stored within, and this enabled the hacker to withdraw almost $500,000 in funds in the bat of an eyelid. The whole story of how that played out can be found in Kreb’s account.
The lesson to be learned here is that you should take note of what Google says about staying safe from attackers using Gmail phishing scams. Most importantly, never let yourself be rushed into making a knee-jerk reaction, no matter how much urgency is injected into a conversation. And, above all else, never click “yes” to a Gmail account recovery prompt unless you have personally started that account recovery yourself. Period.
A Massive Uptick In Phishing Attacks Is Reason Enough To Use The Gmail Advanced Protection Program
A recent report that analyzed the phishing landscape from threat intelligence analysts at SlashNext, found a dramatic surge in credential compromise attacks across the second half of 2024. The SlashNext threat intel analysts warned that this was signal of a sharp escalation in advanced exploit kits as well as an evolution of social engineering tactics. Of concern to Gmail users should be the fact that the report also pointed toward a “massive uptick” in email-based threats with every individual user being on the receiving end of at least one “advanced phishing” bait link capable of bypassing many network security controls, every week. For what it’s worth, my spam folder sees more than one a day of these, a lot more. But then, I’m probably a prime target given my profile. That’s why I make use of Google’s Advanced Protection Program to help keep my Gmail and other Google stuff safe.
Google’s Advanced Protection Program should be on everyone’s radar.
The Advanced Protection Program requires you to use a passkey or a hardware security key in order to verify your identity and sign in to your Gmail Account. In other words, the most phishing-resistant verification method. This means that any unauthorized users, this phishing hackers for example, won’t be able to sign in without possession of the passkey even if they know your username and password. Beyond Gmail, the Advanced Protection program also beefs up Google’s Chrome safe browsing by performing further, more stringent, checks before each and every download. “Only app installations from verified stores,” Google said, “like Google Play Store and your device manufacturer’s app store, are allowed.” Then there’s the fact that the program allows only Google apps and verified third-party apps to access your Google account data, and only with your permission.