Sunday, December 29, 2024

Critical Gmail Warning As Real Google Prompts Used In Hack Attacks

Must read

The evolution of hack attacks shows no sign of slowing down, and this appears to be particularly true when it comes to the silver bullet threat combination of phishing and Gmail account compromise. The trouble is, even the most careful of Gmail users are falling victim as has been demonstrated in one recent case where the victim did everything right, or so they thought. Here’s what you need to know about this critical Gmail hack attack warning that could cost you dearly if you ignore it.

ForbesDark Web Facial ID Farm Warning—Hackers Build Identity Fraud Database

The Evolution Of Gmail Hack Attacks Continues At Pace

No matter how switched on to security threats, how aware of the methods used in phishing attacks, how secure you feel in the current threat landscape, I assure you that there are hackers, fraudsters and cybercriminals out there who can and will prove you wrong. An experienced security consultant recently discovered this himself after coming dangerously close to falling victim to what has been described in a viral posting as a “super realistic AI scam call.” He was lucky, however, as a last-minute gut instinct proved correct and the attack failed. Others have not been so lucky, and no AI-powered anything was even required.

As reported by the venerable Brian Krebs, formerly with The Washington Post and now the foremost cybersecurity news investigative reporter around, a user has confirmed how a combination of email security alerts, a real Google phone number and, ultimately, a Google recovery prompt on his smartphone led to him falling victim to a $500,000 cryptocurrency theft after his Gmail account was compromised.

The Gmail Hack Attack That Fooled A Chief Firefighter—And Could Just As Easily Fool You

There are many similarities to the successful attack on a Seattle area battalion chief firefighter, as reported by Krebs, and the security consultant, as reported by myself. The attack employed the use of a phone call, seemingly coming from a real Google number, and email alerts from a google.com address, to warn of an ongoing Gmail account hack and urge the target to follow steps to take control back. The Google phone number was, in fact, one used by Google Assistant for two-way AI-powered conversations rather than a support number—Google doesn’t provide telephone support. The email, complete with a Google Support Case ID, was able to use an actual Google address as it was sent via Google Forms. This is a free service that enables users of Google Docs to quickly send out surveys and the like.

The firefighter was told by the hacker, posing as a Google support representative, that he would receive an account recovery notification on his device to enable him to stop the attack and regain control over his Gmail account. That recovery prompt arrived almost instantly and asked if it was him trying to recover his account. Some of you might have spotted the issue here already: someone else can start the account recovery process, and that prompt you get is your last line of defense against them succeeding.

ForbesThe FBI Is Wrong—This Gmail Attack Advice Won’t Help You At All

Gmail Attack Uses Last Line Of Defense Against Hackers As ‘Proof’ The Support Request Is Genuine

The victim told Krebs that he felt at ease after getting the promised recovery notification that he was really talking to someone at Google. It’s such a simple and basic attack technique, no AI nonsense involved, just a savvy attacker, and the vast majority are just that, stepping through the account recovery to trigger this last line of defense notification to pop up on the victim’s smartphone. Clicking yes, however, gives the attacker control over the Google account in question, control over the Gmail account that comes with it, and, in this case, access to Google Photos synced with that Gmail account. A photo of a cryptocurrency wallet seed phrase was stored within, and this enabled the hacker to withdraw almost $500,000 in funds in the bat of an eyelid. The whole story of how that played out can be found in Kreb’s account.

The lesson to be learned here is that you should take note of what Google says about staying safe from attackers using Gmail phishing scams. Most importantly, never let yourself be rushed into making a knee-jerk reaction, no matter how much urgency is injected into a conversation. And, above all else, never click “yes” to a Gmail account recovery prompt unless you have personally started that account recovery yourself. Period.

ForbesElon Musk Xmail Teaser Poses New Threat For Billions Of Gmail Users

Latest article