The evolution of hack attacks shows no sign of slowing down, and this appears to be particularly true when it comes to the potent combination of phishing and Gmail account compromise. The trouble is that even the most careful Gmail users are falling victim, as one recent case demonstrates: the victim did everything right, or so he thought. Here’s what you need to know about this critical Gmail hack attack warning, which could cost you dearly if you ignore it.
The Evolution Of Gmail Hack Attacks Continues At Pace
No matter how switched on to security threats you are, how aware of the methods used in phishing attacks, or how secure you feel in the current threat landscape, I assure you that there are hackers, fraudsters and cybercriminals out there who can and will prove you wrong. An experienced security consultant recently discovered this for himself after coming dangerously close to falling victim to what has been described in a viral post as a “super realistic AI scam call.” He was lucky: a last-minute gut instinct proved correct and the attack failed. Others have not been so lucky, and no AI-powered anything was even required.
As reported by the venerable Brian Krebs, formerly of The Washington Post and now the foremost investigative cybersecurity reporter around, a user has confirmed how a combination of email security alerts, a real Google phone number and, ultimately, a Google recovery prompt on his smartphone led to him falling victim to a $500,000 cryptocurrency theft after his Gmail account was compromised.
The Gmail Hack Attack That Fooled A Chief Firefighter—And Could Just As Easily Fool You
There are many similarities between the successful attack on a Seattle-area battalion chief firefighter, as reported by Krebs, and the attempt on the security consultant, as reported by me. Both attacks used a phone call, seemingly from a real Google number, and email alerts from a google.com address to warn of an ongoing Gmail account hack and urge the target to follow steps to take back control. The Google phone number was, in fact, one used by Google Assistant for two-way AI-powered conversations rather than a support number; Google doesn’t provide telephone support. The email, complete with a Google Support Case ID, was able to use a genuine Google address because it was sent via Google Forms, a free service that lets Google Docs users quickly send out surveys and the like.
The firefighter was told by the hacker, posing as a Google support representative, that he would receive an account recovery notification on his device to enable him to stop the attack and regain control over his Gmail account. That recovery prompt arrived almost instantly and asked if it was him trying to recover his account. Some of you might have spotted the issue here already: anyone can start the account recovery process for your account, and the prompt you receive is your last line of defense against them succeeding.
Gmail Attack Uses Last Line Of Defense Against Hackers As ‘Proof’ The Support Request Is Genuine
The victim told Krebs that, after getting the promised recovery notification, he felt at ease that he was really talking to someone at Google. It’s such a simple and basic attack technique, with no AI nonsense involved: just a savvy attacker (and the vast majority are just that) stepping through the account recovery process to trigger this last-line-of-defense notification on the victim’s smartphone. Clicking yes, however, gives the attacker control over the Google account in question, control over the Gmail account that comes with it and, in this case, access to the Google Photos library synced with that account. A photo of a cryptocurrency wallet seed phrase was stored there, and this enabled the hacker to withdraw almost $500,000 in funds in the blink of an eye. The whole story of how that played out can be found in Krebs’s account.
The lesson to be learned here is that you should take note of what Google says about staying safe from attackers using Gmail phishing scams. Most importantly, never let yourself be rushed into a knee-jerk reaction, no matter how much urgency is injected into a conversation. And, above all else, never click “yes” to a Gmail account recovery prompt unless you have personally started that account recovery yourself. Period.