“Sign in using your Google Account.” It’s a convenient and trusted way to access critical services using your existing Google credentials. Unfortunately, attackers have found a way to turn Google’s own notification emails and Google-hosted pages against its users, potentially gaining access to everything you use your Google credentials for.

THE LATEST SCAM TO WATCH FOR

Nick Johnson, the lead developer of the Ethereum Name Service (ENS), received a security alert, seemingly from Google. The email stated that law enforcement had served Google with a subpoena seeking the contents of Johnson’s Google account. To respond, the email offered buttons to “upload additional documents” or “view the case.” Clicking either option took Johnson to a replica of the Google Account sign-in page.

Johnson didn’t sign in. As an experienced security researcher, he spotted the one clear indicator that the email was a phishing attack: the “support portal” was hosted on sites.google.com rather than accounts.google.com. That small detail meant the login page had been published on Google Sites, where any Google account holder can host a page under a google.com hostname, and not by Google’s sign-in service.

When Johnson submitted a bug report, Google initially closed it as “Working as Intended.” Google later reached out to say it had reconsidered and was taking steps to fix the bug.

WHY IT’S SO CONVINCING

This attack leverages a weakness in Google’s systems that lets an attacker deliver a message that genuinely comes from Google and passes DKIM authentication. In other words, the email is a valid email from “no-reply@google.com” carrying a real google.com DKIM signature. The attacker did not forge that signature: Google itself generated and signed a notification email whose text the attacker controlled, and the attacker then forwarded that signed message unchanged to victims, a technique known as DKIM replay. DKIM only proves that the signed content left google.com’s mail servers; it says nothing about whether the sender’s intent is honest or where the links inside the message lead. Because the checks pass, Gmail displays the message without warnings and even threads it with the recipient’s legitimate security alerts.

When the victim clicks any of the links, they land on a fake but very convincing support portal. The page’s address looks legitimate because the hostname ends in google.com. The tell is that the hostname is “sites.google.com” rather than “accounts.google.com”: Google never asks you to sign in on a Google Sites page. Once the victim enters their password on the fake portal, it is sent straight to the attacker.

WHAT IT MEANS FOR GMAIL USERS

An attack that uses a genuinely signed Google email and a Google-hosted page offers almost no red flags to warn victims. Gmail users see the phishing email as mail from a trusted source.
Imagine receiving such a serious warning directly from Google. Panicked, you follow the instructions to resolve the issue. Once you reach a login page you trust, you enter your credentials without a second thought. Now the attacker has access to your core Google services, often including Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Play, and YouTube, along with any third-party apps and services you log into with your Google Account.

A Forbes report quoted Google spokesperson Ross Richendrfer as saying that Google has rolled out updated protections to counter the techniques used in the Gmail subpoena scam. However, no further detail was given about what users can expect. As attackers keep finding ways to distribute increasingly effective lures, users need to take precautions to protect their own accounts.

AVOID NEARLY UNDETECTABLE ATTACKS

Since phishing attacks depend on the victim handing over credentials, the safest posture is to treat every unexpected message as untrusted until you have verified it through a channel the sender cannot control. Follow these tips to avoid becoming an attacker’s next victim.

  • Never follow links in unsolicited emails or on unexpected websites.
    Links and fake web pages can be made to look exactly like the authentic versions. Instead, go directly to the source to follow up on seemingly legitimate claims you receive by email. In a case like this one, that means typing myaccount.google.com into your browser yourself and checking your recent security activity there, or contacting Google Support directly, rather than clicking anything in the message.
  • Carefully examine the email headers when you receive an unexpected email.
    Most phishing emails come from an address that doesn’t match the email’s content, and those addresses can be very convincing. In this case, the attacker used a sending account whose address began with me@, so Gmail’s summary line reads “to me” and the message appears to be addressed to the victim. Opening the full headers (“Show original” in Gmail) reveals the real To: address, which is not yours, and the actual destination of each link.
  • Verify the legitimacy of every email through an independent method.
    Going straight to your trusted accounts lets you bypass the attacker completely and determine whether there is any substance to a claim, even for simple requests to update passwords or payment details.
  • Think twice before using your Google account (or others like Facebook) to log into other sites and services.
    While creating a separate account for every service can seem like a hassle, it keeps your credentials separate and keeps an attacker who steals one of them from reaching everything. It’s the difference between one compromised account and all compromised accounts, the latter potentially enough to expose sensitive information or lead to identity theft. If you do rely on “Sign in with Google,” protect that account with a passkey or two-factor authentication and periodically review which third-party apps have access to it at myaccount.google.com/permissions.
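The two checks described above, the real To: address and the real destination of each link, can be done mechanically. The following is an added example, not code from the original article or from Google; the email below is constructed for illustration (no real message was captured), and the lists of Google sign-in hosts and user-publishable Google hosts are assumptions for the demo. It also shows why a naive “does the link contain google.com” check is not enough: a lookalike such as accounts.google.com.evil.test passes that test, while an exact hostname comparison does not.

```python
"""Triage an unexpected "security alert" e-mail: who is it really addressed
to, who signed it, and where do its links really go?

Added example, not part of the original article. SAMPLE_EMAIL is a
constructed message in the shape the article describes; the host lists
below are assumptions for the demonstration.
"""
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Assumption: the only host on which a genuine Google sign-in prompt lives.
GOOGLE_SIGNIN_HOSTS = {"accounts.google.com"}
# Assumption: Google hosts where any Google account holder can publish a page.
USER_PUBLISHABLE_HOSTS = {"sites.google.com"}

# Constructed sample: a google.com DKIM signature, From: no-reply@google.com,
# a To: at an unrelated "me@" address, and buttons that lead to a Google Sites
# page and to a lookalike domain. Signature values are placeholders.
SAMPLE_EMAIL = """\
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=demo; h=from:to:subject; bh=placeholder; b=placeholder
From: Google <no-reply@google.com>
To: me@example-attacker.test
Subject: Security alert
Content-Type: text/html; charset=utf-8

<html><body>
<p>A subpoena was issued to Google by law enforcement.</p>
<a href="https://sites.google.com/u/0/d/abc123/p/start">View the case</a>
<a href="https://accounts.google.com.evil.test/signin">Upload additional documents</a>
<a href="https://myaccount.google.com/notifications">Review activity</a>
</body></html>
"""


def signing_domain(msg):
    """Return the d= tag of the DKIM-Signature header, or None.
    A valid signature proves the signed content left that domain's mail
    servers; it says nothing about where the links inside it point."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    m = re.search(r"\bd=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def addressed_to_me(msg, my_address):
    """True only if my real address is among the To:/Cc: recipients.
    A sending account beginning with me@ makes Gmail's summary read
    'to me' even when the message was never addressed to you."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    return my_address.lower() in recipients


def naive_looks_google(url):
    """The substring check people do by eye. Fooled by lookalike hosts."""
    return "google.com" in url


def classify_link(url):
    """Classify a link by its exact hostname, not by substring."""
    host = (urlparse(url).hostname or "").lower()
    if host in GOOGLE_SIGNIN_HOSTS:
        return "google-signin"
    if host in USER_PUBLISHABLE_HOSTS:
        return "user-content"       # Google-hosted, but anyone can publish here
    if host == "google.com" or host.endswith(".google.com"):
        return "google-hosted"      # Google's own property, not a sign-in page
    return "external"               # includes lookalikes like google.com.evil.test


def triage(raw_email, my_address):
    """Summarise the checks a recipient should make before clicking."""
    msg = message_from_string(raw_email)
    links = re.findall(r'href="([^"]+)"', msg.get_payload())
    report = {
        "dkim_domain": signing_domain(msg),
        "addressed_to_me": addressed_to_me(msg, my_address),
        "links": {url: classify_link(url) for url in links},
    }
    # Suspicious if it was not actually sent to me, or if any link leads to a
    # user-publishable Google page or to a non-Google host.
    report["suspicious"] = (not report["addressed_to_me"]) or any(
        kind in ("user-content", "external") for kind in report["links"].values()
    )
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, "victim@example.test").items():
        print(f"{key}: {value}")
```

Run as-is, the report shows a genuine google.com signing domain, a recipient list that does not include the victim, a sites.google.com link classified as user-published content, and a lookalike host classified as external, so the message is flagged as suspicious even though DKIM passed.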

Richendrfer did offer one additional piece of valuable guidance for Gmail users: “Google will never ask for any of your account credentials, including Gmail account passwords, one-time 2FA passwords, or to confirm push notifications.” Google also encourages all users to adopt two-factor authentication and passkeys. Passkeys in particular are bound to the real accounts.google.com origin, so a lookalike sign-in page cannot harvest them, which makes them strong protection against exactly this kind of phishing campaign.

CLOSING THE BLOCK: CYBERSECURITY HOT TIP

Recovery can be just as important as prevention.
It’s true that an ounce of prevention is worth a pound of cure. However, as attackers continue to exploit trusted services to create nearly undetectable lures, the ability to recover from a successful attack is vital to business operations. A successful phishing attack can have devastating consequences for an organization whose accounts link to the financial information of members and staff. Cyber insurance is one way to mitigate the financial consequences of a successful cyberattack.


About the Author
Brad Preston is a client advisor at World Insurance Associates (World) specializing in the Sports industry. World is a leading insurance brokerage in the U.S. specializing in business and personal insurance, employee benefits, retirement plan services, and payroll & HR solutions. The JVA and World have partnered together to bring JVA Members educational articles and content to help you learn about your unique cyber risks and exposures, and how to better protect your businesses, members, and families in general. Feel free to reach out to Brad directly with any questions at bradpreston@worldinsurance.com