
A sophisticated phishing scam is taking advantage of Google security flaws to convince people that malicious emails and websites are genuine.
In a series of X posts viewed by Android Authority, developer Nick Johnson described how he was targeted by a phishing attack that exploits flaws in Google's infrastructure. In his first post, Johnson includes a screenshot of a scam email claiming that Google had been served a subpoena requiring it to produce a copy of his Google account data.
The email reads correctly; that is, it uses the right words and contains no typos or broken English. The message itself appears valid and is signed by Google. It was sent from no-reply@google.com, a legitimate automated address the company uses. The email passes the DKIM signature check, which is meant to verify a message's authenticity. No other warning appears, so it looks completely legitimate.
Clicking the link in the email takes you to a support portal that looks like a real Google page. The page is hosted on Google Sites, a platform where people can build and run their own websites. Using such a platform lends legitimacy to the scam, because people assume it is the real thing.
Clicking the "Upload additional documents" or "View case" link takes you to a sign-in screen that also appears to come from Google. At this point there is a tip-off that it could be a scam: as Johnson notes, the sign-in screen is hosted on Google Sites rather than on the Google accounts page where you normally log in.
Johnson ended the process there. Had he entered his username and password, he figures the attackers would have stolen his login credentials and used them to compromise his Google account.
Melissa Bischoping, head of security research at cybersecurity firm Tanium, said, "This recent phishing attack exploits legitimate Google features to send emails designed to bypass some traditional checks, as well as taking advantage of Google Sites to host the spoofed page and harvest credentials."
"The email took advantage of an OAuth application, combined with a creative DKIM workaround, to bypass the kinds of safety measures meant to prevent this exact type of phishing attempt," Bischoping explained. "What makes this strategy particularly dangerous is not just the technical sleight of hand, but the deliberate use of trusted services to slip past both users and detection tools."
The blame for this scam clearly belongs with the scammers. But Google is also on the hook, as the exploitation is possible because of some security weaknesses.
First, Google Sites is a legacy product that still allows arbitrary scripts and embeds. This weakness lets an attacker add arbitrary, malicious code and embedded objects to a web page. Second, close inspection of the email shows that it came from a Privatemail.com address, not from Google. This raises the question of how and why Google signed it in the first place.
After receiving the scam email, Johnson said he contacted Google to alert it to the weaknesses. Initially, the company dismissed his concerns, claiming that all of this was working as intended. But Google then reversed its stance and has since indicated that it will fix these bugs.
"More threat actors are choosing to intentionally take advantage of services that have very legitimate business use cases, underlining the trend that, as detection tools get stronger, adversaries are looking for ways to evade detection entirely, not necessarily with expensive exploits," Bischoping said. "They are focusing on tools, sites and functions organizations use in their daily tasks. By blending in with normal traffic, and the likelihood that a given recipient will not look closely at a trusted domain like 'google.com', threat actors have a high rate of success without significant investment."
Thanks go to Johnson not only for catching this scam and warning people but also for pressing Google to fix the issue. Until a fix rolls out, how can you protect yourself against such sophisticated phishing attacks?
Thomas Richards of the security provider Black Duck offers the following recommendations.
- Beware of any email that urges immediate action and warns that you could face negative consequences. That is usually a sign the email is malicious.
- Check the "From" and "To" email addresses. If the "From" domain is not the real company's, or the recipient is not you, the email is likely a scam.
- Avoid clicking links in the email. In the attack Johnson described, the malicious site is hosted on a Google domain. However, Google will never send you a legal notice and then direct you to a Google Sites domain. If in doubt, log into your Google account separately, without clicking any link, and see if any message or alert is waiting for you.
- Finally, run an online search for the email's content. That can tell you whether others have reported it as a scam or received a similar email.
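The checks above, and the earlier point that a passing DKIM signature is not by itself proof of legitimacy, can be turned into a small header-and-link triage script. The following is an added example written for this article, not code from Johnson, Google, Tanium or Black Duck; the two messages it inspects are constructed placeholders (the domains, URLs and signature tags are invented), and the urgency word list is an assumption. It shows that the DKIM `d=` domain can be perfectly aligned with the `From` address while the `To` header and a link to user-publishable Google Sites hosting still give the message away.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not the real scam email; every header value,
# signature tag and URL below is a placeholder invented for this example).
SUSPICIOUS_EMAIL = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=placeholder; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: me@mail-forwarder.example
Subject: Security Alert: subpoena notice
Content-Type: text/html; charset=utf-8

<p>A law enforcement subpoena has been served. You must respond immediately
to avoid further action.</p>
<p><a href="https://sites.google.com/view/case-placeholder/">View case</a></p>
"""

LEGITIMATE_EMAIL = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=placeholder; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: victim@example.com
Subject: New sign-in on your account
Content-Type: text/html; charset=utf-8

<p>We noticed a new sign-in. Review it at your convenience.</p>
<p><a href="https://myaccount.google.com/">Check activity</a></p>
"""

# Assumed phrasing typical of pressure tactics; tune for your own mail.
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "legal action")
# Hosts where anyone can publish a page; a login prompt here is a red flag.
SELF_SERVICE_HOSTS = ("sites.google.com",)


def address_domain(header_value):
    """Return the lowercased domain of the first address in a header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dkim_signing_domain(msg):
    """Return the d= tag of the DKIM-Signature header, or '' if there is none."""
    sig = msg.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else ""


def extract_links(html):
    """Pull every href target out of an HTML body."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.IGNORECASE)


def assess(raw_message, my_address):
    """Return a list of findings; an empty list means no check fired."""
    msg = message_from_string(raw_message)
    findings = []

    # A valid DKIM signature only shows the signing domain vouched for these
    # bytes. When d= matches From (as it does in both samples) the signature
    # alone tells you nothing about intent, so alignment is a necessary check,
    # not a sufficient one.
    from_domain = address_domain(msg.get("From"))
    signer = dkim_signing_domain(msg)
    if signer and from_domain and signer != from_domain \
            and not from_domain.endswith("." + signer):
        findings.append("dkim-not-aligned-with-from")

    # "To" should name you; a forwarding mailbox you do not own is a tell.
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    if my_address.lower() not in recipients:
        findings.append("recipient-is-not-you")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")

    # A "legal" notice pointing at user-hosted Google Sites is the Johnson tell.
    for url in extract_links(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SELF_SERVICE_HOSTS:
            findings.append("link-to-user-hosted-google-page")
            break

    # Pressure to act now is the first item on the recommendations list.
    if any(term in body.lower() for term in URGENCY_TERMS):
        findings.append("urgency-language")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(label, assess(raw, "victim@example.com"))
```

Run as-is, the suspicious sample produces three findings (recipient mismatch, Google Sites link, urgency language) and the legitimate sample produces none, even though both carry a DKIM `d=google.com` tag aligned with `From`. The script deliberately does not verify the DKIM cryptography; the point of the article is that the signature already verified, so the useful checks are the ones a signature cannot speak to.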