A SINISTER hacking “campaign” that used extremely convincing “emails from Google” has been exposed.
Cyber-crooks were able to create scam emails that appeared to come from an official Google address.
The criminals used the fake emails to break into Microsoft 365 accounts.
This would potentially allow crooks to access emails, which could then be used to break into other accounts.
Google says that it has actively blocked several scam campaigns using this technique.
But security researchers at Check Point who first described the attack say that criminals were able to send nearly 9,400 phishing emails in just two weeks.
The emails were typically sent to work email addresses, and would “mimic routine notifications” like voicemail alerts or requests to access files.
“All messages were sent from the legitimate Google address [email protected],” the cyber-experts warned.
“Which significantly increased their credibility and likelihood of reaching end users’ inboxes.”
The researchers say that the crooks took advantage of a Google system called Application Integration.
This is meant to allow systems to send emails to recipients – but crooks found a way to make emails appear to be from Google’s own addresses.
And the crooks even designed their emails to look as convincing as possible.
“To further increase trust, the emails closely followed Google notification style and structure, including familiar formatting and language,” Check Point explained.
“The lures commonly referenced voicemail messages or claims that the recipient had been granted access to a shared file or document such as access to a ‘Q4’ file.
“Prompting recipients to click embedded links and take immediate action.”
DANGER MAIL
Check Point revealed several examples of real phishing emails that its cyber-experts caught.
The experts revealed how the emails would redirect victims to a fake Microsoft login page.
But this page wasn’t hosted by Microsoft – and was a total fake.
Instead, the login details that victims typed in would be “captured by the attacker”.
This could give crooks access to emails and documents, and potentially allow for further break-ins.
Nearly half of the targets were in the USA, and about 20% in Europe.
Google said it had worked to put a stopper on this type of attack.
“We have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration,” a Google spokesperson said.
“Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Google’s infrastructure.
“While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands.
“We are taking additional steps to prevent further misuse.”
STAYING SAFE
If you’re worried about this attack, there are some steps you can take to stay safe.
You should always be cautious of urgent emails, as creating urgency is a classic scammer tactic.
For instance, the Microsoft login page wasn’t actually hosted on a Microsoft website.
So it’s important you double-check the web address of the website you’re tapping your details into.
Make sure to use two-factor authentication on your account, so that logging in needs an extra code (via text or authenticator).
That way, even if your password is stolen, crooks would still be locked out.
And if you’re unsure about an email, try logging in to the service directly using the official website – rather than following any links in a message.
That way, you know you’re not being tricked.
