Update, Oct. 13, 2024: This article was first published on Oct. 11 and now also covers a new Google anti-scam alliance, a further warning about support scams that look authentic, and details of Google's Advanced Protection Program for high-risk accounts.
Google has put in place ever more sophisticated safeguards against those trying to compromise your Gmail account, but attackers using AI-driven techniques are evolving too. By Google's own figures there are currently more than 2.5 billion Gmail users worldwide, which is exactly why scammers and hackers treat the service as a prime target. Here's what you need to know.
This Is The Scariest AI-Powered Gmail Attack Yet.
Microsoft solutions consultant Sam Mitrovic has cautioned users after nearly falling for a “super realistic AI scam call” that could fool even the most seasoned users.
It all began a week before Mitrovic realized how advanced the attack aimed at him actually was. "I received a notification to approve a Gmail account recovery attempt," Mitrovic recounts in a blog post warning other Gmail users about the threat. Posing as a login portal and asking the user to confirm an account recovery or reset a password is one of the best-known phishing techniques: the victim is lured into entering their credentials on the attacker's page, supposedly to report that the request did not come from them.
Unsurprisingly, Mitrovic wasn't buying it and dismissed the notification, which appeared to originate from the U.S. Some 40 minutes later there was a missed call that appeared to come from Google in Sydney, Australia. So far, everything is simple enough to spot and avoid. Then, almost exactly a week later, the fun started in earnest: another notification requesting approval of an account recovery, followed by a phone call 40 minutes later. This time Mitrovic answered, and an American voice claiming to be from Google support "confirmed" that there had been suspicious activity on his Gmail account.
"He inquires if I'm on the road," Mitrovic wrote. "I respond negatively. He then asks if I logged in from Germany." All of this is designed to instill fear in the recipient and trust in the caller. At this point the phishing scheme took a quick and very clever turn. According to the supposed Google support agent, an attacker had had access to Mitrovic's Gmail account for the previous seven days and had already downloaded account data. Mitrovic, remembering the missed call and the recovery notification from a week earlier, started to worry.
While still on the call, Mitrovic searched Google for the number he was being called from, and it did in fact lead to Google business pages. That alone is a cunning ploy that will probably fool many users caught up in the panic of the moment, because it was not a support number at all: the page concerned receiving automated calls from Google Assistant. "You'll be informed at the beginning of the call that it is from Google and for what reason," the entirely genuine page helpfully tells the reader. "You can anticipate the call to come from an automated system or, in some cases, a manual operator."
Users of Gmail Are Warned About Another Google Support Scam Powered By AI.
Posting on X, formerly Twitter, Garry Tan, founder of the venture capital firm and startup accelerator Y Combinator, has warned of another phishing scam that he described as "pretty elaborate" and that also uses artificial intelligence to appear credible. This warning again concerns contact from a so-called Google support technician, much like the scam that nearly caught Sam Mitrovic. One commenter on X suggested the giveaway was that Google doesn't have any support for users. I wouldn't go that far, but it's not far from the truth: Google support will not contact you unexpectedly like this. "Do not click yes on this dialog," Tan cautioned. "You will be phished."
The supposed Google support agent in Tan's case claimed that a family member was attempting to recover his account and that the company had received a death certificate. In other words, the caller was confirming that the person answering was still alive; only an AI could be that careless. "It's a pretty elaborate ploy to get you to allow password recovery," Tan continued, but he noticed that the device field on the account recovery screen he was shown displayed the name of a Google support agent rather than the actual device used to access the account. Tan suggested that whoever built the recovery interface could apply fairly basic regular expression checks, or even AI-based fraud detection, to that text field. "Checking the device name for this is a trivial task," he said. Another element of the scam required Tan to re-enter his phone number during the verification process in order to initiate an account recovery dialog. Tan was astute enough to sidestep that as well: "I've been SIM swapped, so know not to have my cell on my accounts ever," he said.
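The check Tan proposes, as an added example that is not Tan's or Google's code: a device name shown on a recovery prompt should describe a device, never a support role. The keyword list, the substitution table and the sample device names below are all assumptions constructed for this illustration; the normalization step is there because a naive regex is trivially bypassed with digits-for-letters or fullwidth characters.

```python
import re
import unicodedata

# Constructed device-name strings as they might appear in the "device" field of a
# recovery prompt. None of these come from a real prompt.
SAMPLE_DEVICE_NAMES = [
    "Pixel 8 Pro",
    "Windows 11 PC",
    "Google Support Agent",
    "G00gle Support - Case 4481",   # digit-for-letter substitution
    "\uff27oogle Security Team",    # fullwidth 'G' homoglyph
    "Account Recovery Specialist",
]

# Role words that have no business in a device name (assumed list; extend from your own data).
_ROLE_RE = re.compile(r"(support|security|recovery|agent|specialist|helpdesk|help desk|team)")

# Common substitutions used to slip a keyword past a filter.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                                "7": "t", "@": "a", "$": "s"})


def normalize_device_name(name: str) -> str:
    """Fold compatibility characters, strip accents, undo leetspeak, lowercase."""
    folded = unicodedata.normalize("NFKC", name)      # fullwidth/compat forms -> ASCII
    folded = unicodedata.normalize("NFKD", folded)    # split accented letters
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return folded.translate(_SUBSTITUTIONS).casefold()


def looks_like_support_impersonation(name: str) -> bool:
    """True when the device name reads like a support/security role rather than a device."""
    return bool(_ROLE_RE.search(normalize_device_name(name)))


def flag_device_names(names):
    """Map each name to whether it should be rejected or flagged for review."""
    return {name: looks_like_support_impersonation(name) for name in names}


if __name__ == "__main__":
    for name, flagged in flag_device_names(SAMPLE_DEVICE_NAMES).items():
        print(f"{'FLAG ' if flagged else 'ok   '} {name!r}")
```

The substitution table deliberately maps digits that can only ever be typos in a real device name ("Windows 11" becomes "windows ll" and still matches nothing), so the normalization costs no false positives on the sample names while catching "G00gle Support".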
Google Forms Used To Make Contact Seem Genuine.
Fraudsters have also been seen abusing Google Forms, the free form-building tool included with Google Workspace, to create authentic-looking documents that are sent as part of support scams. The ploy gains credibility because a copy of the form is delivered to the target through the response-receipt feature of Google Forms, which routes the message through real Google servers. Checking the email shows it originates from an address such as workspacesupport@google.com, allaying any doubts the recipient may have had. In one case, such a form was used to mimic an account recovery password reset form, complete with a note that the target would receive an SMS from a named support agent and the phone number to verify. This double dose of apparent legitimacy is enough to fool a great many people. The giveaway here was a confusingly complicated and drawn-out password reset process, and only a recipient astute enough to notice it would have caught on.
Lessons From These Google Support Scam Near-Misses.
Mitrovic then did the right thing, or at least the best thing short of hanging up: he asked the supposed support agent to send an email confirmation, which arrived shortly afterwards and looked authentic. By now, though, he realized that the "to" field contained an artfully disguised address that was not a Google domain, yet could easily deceive a non-technical user.
The real giveaway for Mitrovic was the caller's repeated "hi" after receiving no response. The pronunciation and spacing were too perfect; at this point, Mitrovic said, "I recognized it as an AI voice."
I don't have room here for all the technical detail and investigative work, but Mitrovic's original blog post is well worth reading. Knowledge is power, and the threat intelligence this consultant has shared will be genuinely invaluable to anyone who finds themselves in a similar situation. As the saying goes, forewarned is forearmed: stay vigilant.
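The two email tells discussed above, a disguised non-Google address in a header field and a support mail whose legitimacy rests on the sending domain, can be checked mechanically rather than by eye. The following is an added example, not Mitrovic's or Google's code: it parses a message with Python's standard email library, resolves the registrable domain of every From, Reply-To and To address so that "google.com.<something>" is attributed to <something>, flags addresses that invoke Google from an untrusted domain, and reads the SPF/DKIM verdicts from Authentication-Results. Both sample messages, every address in them and the trusted-domain allowlist are constructed for this example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Registrable domains Google's own account mail arrives from. An assumption for this
# example; derive your own list from mail you know to be genuine.
TRUSTED_DOMAINS = {"google.com", "gmail.com", "googlemail.com"}

# Constructed sample of a scam "support" confirmation. Every address and domain is invented.
SCAM_EMAIL = b"""From: Google Support <support@google.com>
To: GoogleMail <googlemail@internal-casetracking.example>
Reply-To: Google Workspace Support <workspacesupport@google.com.account-verify.example>
Subject: Confirm your account recovery
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bounce@account-verify.example; dkim=none
Date: Mon, 7 Oct 2024 10:15:00 +0000

Unusual activity was detected on your account. Reply to this message to confirm the recovery.
"""

# Constructed sample of a genuine-looking notification, for contrast.
CLEAN_EMAIL = b"""From: Google <no-reply@accounts.google.com>
To: user@gmail.com
Subject: Security alert
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=no-reply@accounts.google.com; dkim=pass header.d=accounts.google.com
Date: Mon, 7 Oct 2024 10:15:00 +0000

A new sign-in was detected.
"""

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def registrable_domain(addr: str) -> str:
    """Last two labels of the address's domain. Naive (no public-suffix list), but enough
    to show that 'google.com.account-verify.example' belongs to account-verify.example."""
    domain = addr.rsplit("@", 1)[-1].lower().rstrip(".")
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def classify_address(display_name: str, addr: str) -> str:
    """'trusted' if the registrable domain is on the allowlist; 'impersonation' if the
    address or its display name invokes Google from any other domain; else 'external'."""
    if registrable_domain(addr) in TRUSTED_DOMAINS:
        return "trusted"
    if "google" in (display_name + " " + addr).lower():
        return "impersonation"
    return "external"


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in _AUTH_RE.findall(str(value)):
            verdicts[mech] = verdict.lower()
    return verdicts


def triage(raw: bytes) -> dict:
    """Return the reasons a 'Google support' message should not be trusted."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for header in ("From", "Reply-To", "To"):
        values = [str(v) for v in msg.get_all(header, [])]
        for name, addr in getaddresses(values):
            verdict = classify_address(name, addr)
            # The recipient may legitimately be any address, so To is only flagged when it
            # impersonates Google; sender-side headers must resolve to a trusted domain.
            if verdict == "impersonation" or (header != "To" and verdict != "trusted"):
                findings.append(f"{header}: {addr} is {verdict} (domain {registrable_domain(addr)})")
    auth = auth_results(msg)
    if auth.get("spf") != "pass" or auth.get("dkim") != "pass":
        findings.append(f"sender authentication not passed: {auth or 'no Authentication-Results'}")
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage(raw))
```

Note that the scam sample's From header is a plain google.com address and passes the domain check; it is the failed SPF and the lookalike Reply-To and To addresses that expose it, which is why the three checks are combined rather than trusting any one header.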
It's almost certain the attacker would have persisted until the so-called recovery process began. In reality that would have been a cloned login portal harvesting credentials, probably paired with some means of stealing session cookies (malware or a relaying proxy) to get around two-factor authentication if it was enabled.
Google Introduces The Global Signal Exchange To Combat Scammers.
Google has revealed that it has formed a new initiative in the fight against scammers by partnering with the DNS Research Federation and the Global Anti-Scam Alliance. The Global Signal Exchange will serve as a forum for exchanging intelligence about fraud and scams, offering up-to-date knowledge of the cybercrime supply chain. As the first founding member of the Global Signal Exchange, Google intends for the platform to serve as a sort of global clearinghouse for intelligence signals linked to malicious actors and their attacks.
The partnership "leverages the strengths of each partner," according to Amanda Storey, senior director of trust and safety at Google: the DNS Research Federation's data platform with over 40 million existing signals, GASA's extensive network of interested stakeholders, and Google's own experience. "GSE aims to improve the exchange of abuse signals, enabling faster identification and disruption of fraudulent activities across various sectors, platforms, and services," Storey said.
Google said the ultimate goal is a solution that works at the almost unimaginable scale of the internet while remaining effective and, above all, easy to use, and that it will be made available to qualified organizations to act against scammers. Google has a long history of forming alliances to fight fraud and brings plenty of experience to this one. During the Global Signal Exchange's pilot phase, Google analyzed over a million scam signals and shared more than 100,000 malicious URLs. "We'll start by sharing Google Shopping URLs that we have actioned under our scams policies," said Nafis Zebarjadi, Google's product manager for account security. "As we gain experience from the pilot, we will look to add data soon from other relevant Google product areas."
Storey added that the Global Signal Exchange, or at least the engine behind it, runs on Google Cloud, so that all participants can share and consume intelligence signals while "benefiting from Google Cloud Platform's AI capabilities to find patterns and match signals smartly."
How To Avoid The Most Complex Gmail Scams.
AI deepfakes are not only used in politics and pornography; as this case shows, they can also be used for seemingly simple account takeovers. If someone contacts you claiming to be Google support, stay calm. Google support does not call users out of the blue, so the call itself is suspicious; if you hang up, no harm is done. If, during the call, you worry that something might be real and that ignoring it could hurt you, use the resources at your disposal, ironically Google search itself and your Gmail account, to do some checking. Look up the phone number and establish the real source of the call. Review the devices that have recently accessed your Gmail account to see whether anything unfamiliar appears. Read what Google itself says about preventing hackers from using Gmail phishing scams to steal your personal information. Above all, resist the urge to react in haste, however much urgency the conversation conveys. Attackers rely on that sense of urgency to make you override your better judgment and click a link or hand over your credentials.
Use Google's Advanced Protection Program, Which Now Supports Passkeys.
Finally, if you are a journalist, activist or politician, or otherwise a high-risk account holder, I would suggest enrolling in Google's Advanced Protection Program. The program's one long-standing drawback was that it required buying two hardware security keys to access the account. That cost barrier fell earlier this year when Google announced that Advanced Protection Program users would be able to use passkeys instead. The combination of protections offered by these two technologies makes enrolling something of a no-brainer for most people with a Google account, including every Gmail user.