Update, Dec. 29, 2024: This story, originally published Dec. 27, now includes more information regarding Gmail and other email-based credential compromise attacks, a look at the AI-driven defenses employed by Google to protect Gmail users, and why Google’s Advanced Protection Program is among the best credential compromise threat mitigations you can employ.
The evolution of hack attacks shows no sign of slowing down, and this appears to be particularly true when it comes to the silver bullet threat combination of phishing and Gmail account compromise. According to Google’s own figures, Gmail is the world’s largest email provider, with more than 2.5 billion users. “We know how important it is to keep inboxes everywhere safe,” Google said, but attackers also know how to manipulate these Gmail users in an effort to turn Google’s own defenses against them. The trouble is, even the most careful of Gmail users are falling victim, as has been demonstrated in one recent case where the victim did everything right, or so they thought. Here’s what you need to know about this critical Gmail hack attack warning that could cost you dearly if you ignore it.
The Evolution Of Gmail Hack Attacks Continues As AI Brings The Heat
No matter how switched on to security threats you are, how aware of the methods used in phishing attacks, how secure you feel in the current threat landscape, I assure you that there are hackers, fraudsters and cybercriminals out there who can and will prove you wrong. An experienced security consultant recently discovered this himself after coming dangerously close to falling victim to what has been described in a viral posting as a “super realistic AI scam call.” He was lucky, however, as a last-minute gut instinct proved correct and the attack failed. Others have not been so lucky, and no AI-powered anything was even required.
As reported by the venerable Brian Krebs, formerly with The Washington Post and now the foremost cybersecurity news investigative reporter around, a user has confirmed how a combination of email security alerts, a real Google phone number and, ultimately, a Google recovery prompt on his smartphone led to him falling victim to a $500,000 cryptocurrency theft after his Gmail account was compromised.
The Gmail Hack Attack That Fooled A Chief Firefighter—And Could Just As Easily Fool You
There are many similarities between the successful attack on a Seattle area battalion chief firefighter, as reported by Krebs, and the attempt on the security consultant, as reported by myself. The attack used a phone call, seemingly coming from a real Google number, and email alerts from a google.com address, to warn of an ongoing Gmail account hack and urge the target to follow steps to take control back. The Google phone number was, in fact, one used by Google Assistant for two-way AI-powered conversations rather than a support number—Google doesn’t provide telephone support. The email, complete with a Google Support Case ID, was able to use an actual Google address because it was sent via Google Forms, a free service that enables users of Google Docs to quickly send out surveys and the like.
The firefighter was told by the hacker, posing as a Google support representative, that he would receive an account recovery notification on his device to enable him to stop the attack and regain control over his Gmail account. That recovery prompt arrived almost instantly and asked if it was him trying to recover his account. Some of you might have spotted the issue here already: someone else can start the account recovery process, and that prompt you get is your last line of defense against them succeeding.
Gmail Attack Uses Last Line Of Defense Against Hackers As ‘Proof’ The Support Request Is Genuine
The victim told Krebs that, after getting the promised recovery notification, he felt at ease that he was really talking to someone at Google. It’s such a simple and basic attack technique, with no AI nonsense involved: just a savvy attacker, and the vast majority are just that, stepping through the account recovery process in order to trigger this last-line-of-defense notification on the victim’s smartphone. Clicking yes, however, gives the attacker control over the Google account in question, control over the Gmail account that comes with it, and, in this case, access to Google Photos synced with that Gmail account. A photo of a cryptocurrency wallet seed phrase was stored within, and this enabled the hacker to withdraw almost $500,000 in funds in the bat of an eyelid. The whole story of how that played out can be found in Krebs’ account.
The lesson to be learned here is that you should take note of what Google says about staying safe from attackers using Gmail phishing scams. Most importantly, never let yourself be rushed into making a knee-jerk reaction, no matter how much urgency is injected into a conversation. And, above all else, never click “yes” to a Gmail account recovery prompt unless you have personally started that account recovery yourself. Period.
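To make the point concrete, here is an added model of the recovery-prompt flow described above (a constructed example written for this article, not Google’s code, and simplified from the real process): the prompt the owner sees is identical whether the owner or someone else started recovery, so only the “did I start this myself?” rule tells the two cases apart.

```python
"""Constructed model of the Gmail recovery-prompt trick (added example, not Google's code).

Assumption: recovery can be started by anyone who knows the address, and the
owner's phone then receives a prompt that does not say who started the flow.
"""
from dataclasses import dataclass, field


@dataclass
class RecoveryPrompt:
    """The 'Is it you trying to recover your account?' notification."""
    account: str
    initiated_by: str  # known to the service, NOT shown to the owner


@dataclass
class Account:
    owner: str
    controlled_by: str
    owner_started_recovery: bool = False  # what the owner knows for certain
    pending: list = field(default_factory=list)


def start_recovery(acct: Account, actor: str) -> RecoveryPrompt:
    """Whoever starts recovery, the owner's device gets a prompt."""
    prompt = RecoveryPrompt(acct.owner, actor)
    acct.pending.append(prompt)
    if actor == acct.owner:
        acct.owner_started_recovery = True
    return prompt


def prompt_text(prompt: RecoveryPrompt) -> str:
    # Same wording whoever started the flow: the prompt arriving is not
    # evidence that a caller claiming to be "Google support" is genuine.
    return f"Is it you trying to recover {prompt.account}? [Yes] [No]"


def trusting_owner(acct: Account, prompt: RecoveryPrompt) -> str:
    """The victim's reasoning: the caller promised a prompt, it arrived, press Yes."""
    return "yes"


def careful_owner(acct: Account, prompt: RecoveryPrompt) -> str:
    """The rule from the article: Yes only if you personally started recovery."""
    return "yes" if acct.owner_started_recovery else "no"


def answer_prompt(acct: Account, prompt: RecoveryPrompt, answer: str) -> str:
    """Approving hands control to whoever initiated the recovery."""
    acct.pending.remove(prompt)
    if answer == "yes":
        acct.controlled_by = prompt.initiated_by
    return acct.controlled_by


def run_scenario(actor: str, owner_policy) -> str:
    """Constructed scenario: returns who controls the account afterwards."""
    acct = Account(owner="victim@example.com", controlled_by="victim@example.com")
    prompt = start_recovery(acct, actor)
    return answer_prompt(acct, prompt, owner_policy(acct, prompt))
```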
Google’s Gmail Threat Defenses Are Second To None
You will be pleased to hear that Google is not sitting back and doing nothing while the Gmail attacks evolve and increase. “This year, we developed several ground-breaking AI models that significantly strengthened Gmail cyber-defenses,” Andy Wen, Gmail’s senior director of product management, said, “including a new large language model that we trained on phishing, malware and spam.” By identifying malicious patterns, this large language model alone has blocked 20% more spam, including phishing attacks, than previously. One newly introduced AI Gmail protection is, effectively, a supervisor for the existing defenses, “instantly evaluating hundreds of threat signals when a risky message is flagged and deploying the appropriate protection,” Wen said. Wen pointed to three ongoing threats to watch for at this time of year (well, all year really): Gmail extortion, Gmail invoice and Gmail celebrity phishing attacks.
Extortion: This “vicious and scary” scam involves sending an email that includes details of the victim’s home address, the so-called “We know where you live” attack. There are multiple versions doing the rounds, often including photography of your home. “They generally either include threats of physical harm or threats of releasing damaging personal material they say they acquired through a hack,” Wen said.
Invoice: As the name rather gives away, these attacks involve sending fake invoices with the intent of tricking the recipient into contacting the sender to dispute the charges, which can be done for a fee. This negotiation is often done over the phone, using a number to call provided in the Gmail message. “These scams aren’t new,” Wen said, “but are persistent and incredibly prevalent this holiday season.”
Celebrity: You can probably file these scams in the brand-impersonation category, but the brand being impersonated is a human being. “Over the past month, many of the most common scams popping up reference famous people,” Wen warned, “either pretending to come from the celebrity themself or claiming a given celebrity is endorsing a random product.”
All in all, the takeaway is that there has been a massive uptick in phishing scams and with Gmail being at the top of the email provider pile, it’s something all users need to be aware of.
A Massive Uptick In Phishing Attacks Is Reason Enough To Use The Gmail Advanced Protection Program
A recent report that analyzed the phishing landscape, from threat intelligence analysts at SlashNext, found a dramatic surge in credential compromise attacks across the second half of 2024. “The key findings in the SlashNext Phishing Intelligence Report highlight an accelerating threat landscape driven by AI adoption, automation, and hybrid attack methods,” Callie Guenther, senior manager of cyber threat research at Critical Start, said. The SlashNext threat intel analysts warned that this was a signal of a sharp escalation in advanced exploit kits as well as an evolution of social engineering tactics. Many phishing emails contain a malicious link, which is kind of the point after all; the scary thing is that SlashNext researchers found that 80% of these were previously unknown zero-day threats. Of concern to Gmail users should be the fact that the report also pointed toward a “massive uptick” in email-based threats: social engineering-based attacks rose by 141% in the last six months, the report said, with every individual user on the receiving end of at least one “advanced phishing” bait link capable of bypassing many network security controls every week, it claimed. For what it’s worth, my spam folder sees more than one a day of these, a lot more. But then, I’m probably a prime target given my profile. That’s why I make use of Google’s Advanced Protection Program to help keep my Gmail and other Google stuff safe.
The Advanced Protection Program requires you to use a passkey or a hardware security key in order to verify your identity and sign in to your Gmail account; in other words, the most phishing-resistant verification method. This means that unauthorized users, phishing hackers for example, won’t be able to sign in without possession of the passkey even if they know your username and password. Beyond Gmail, the Advanced Protection Program also beefs up Chrome’s Safe Browsing by performing further, more stringent, checks before each and every download. “Only app installations from verified stores,” Google said, “like Google Play Store and your device manufacturer’s app store, are allowed.” Then there’s the fact that the program allows only Google apps and verified third-party apps to access your Google account data, and only with your permission.