
Gmail Update Confirmed by Google: Tips to Keep Your Account Safe


Google has announced a new Gmail update, and with it a warning to its three billion users. Listen carefully, because this is how you keep your email account. Failing to heed this advice may cost you access to your account and everything in it.

Google is understandably irritated. Even though it only affects a small percentage of users, the most recent attack on a Gmail user is drawing attention away from its far more significant warning. As innumerable stories explore how a phony email was delivered in a way that made it look as though it came from Google itself, the risk is that the advice will be lost in the din.

It hurts to see millions of people anxiously checking the automated emails Google sends them. Let's start with the fundamentals: no-reply@google.com, or any other verified Google email address, is not going to send you a barrage of phony emails. These attacks are uncommon and targeted; that is precisely why they make so many headlines.

Google says that its defenses now block 99 percent of harmful phishing emails, yet you will still be inundated with them. You must also change your account settings: add a passkey and stop using SMS two-factor authentication. SMS 2FA is being phased out, but you should make the change now.

More significantly, these sophisticated attacks on Gmail users that pose as Google are all predicated on two false premises: that you may receive an email, phone call, or message from Google's support staff, and that Google may "ask for any of your account credentials — including your password, one-time passwords [or] confirm push notifications" if you do receive an email or message about an account issue. Nor will the company send you links to pages where you enter your login information.

Google asked me to "reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues" during the last intense outcry over a similar attempt. And in the wake of this most recent attack, it has repeated that warning. The risk, however, is that the intricacies of OAuth and of DKIM (DomainKeys Identified Mail) checks used to authenticate senders, Google itself included, overshadow this straightforward advice.

None of this diminishes how embarrassing this most recent attack looks, or the Google weaknesses it exploited, even though they have now been fixed, much as others were in January when a similarly complex breach drew media attention. Just as it now tells users that "we have rolled out protections to shut down this avenue for abuse," Google said at the time that it was "hardening our defenses" to prevent a recurrence.

As soon as one door closes, attackers will undoubtedly find another. That makes it all the more important for every Gmail user to return to the fundamentals. Set up a passkey, and since you still need a password for backup access to the account, pair it with a 2FA method more robust than SMS. Keep in mind, too, that any unsolicited support representative claiming to be from Google, Microsoft, Apple, Samsung, or any other large tech corporation is a fraud. If you are unsure, end the call, disregard the emails, and contact the company through its standard, published channels.

Furthermore, that advice isn't unique to your Gmail and Google accounts. "Recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows," according to a recent report from Volexity.

The security firm says it has been monitoring the attacks for the past month, with "multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights." Rather than impersonating big-tech help desks, these attackers pose as officials from several European countries to lure their victims.

In this case, the attacker "invites the victim to participate in a video call to discuss the conflict in Ukraine by contacting them via a messaging application (Signal, WhatsApp)." Once the victim has replied, the attacker sends an OAuth phishing URL, which they claim is necessary to join the video call. The attacker then asks the victim to send back the OAuth code that Microsoft generated. This is the copy-and-paste method: "The attacker can create an access token that eventually grants access to the victim's M365 account if the victim shares the OAuth code."

An OAuth phishing trap that abuses trusted app login routines is another example of why you need hardware-bound credentials, and why you should never disclose codes or browser URLs shown in dialog boxes that were opened via links. As with ClickFix attacks, any instruction to copy and paste codes or text strings is a danger sign. If you ever see such an instruction, it is an attack. It's that simple. Follow this rule and you keep both your Gmail and your Microsoft accounts.
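As an added illustration of the copy-and-paste OAuth trap described above, here is a small detection routine written for this page (example code, not from Google, Microsoft or Volexity). The event schema and the sample log lines are constructed assumptions; the two signals it looks for, a code redeemed from a different network location than the sign-in that issued it and a code redeemed long after issue, are the traces a human relaying a code leaves that a real client does not.

```python
# Added example, not from the article or Volexity. Correlates "authorization
# code issued" events with "code redeemed" events and flags the two traces a
# relayed code leaves: redemption from a different network location than the
# sign-in, or long after issue (a real client redeems within seconds).
# The event format below is a constructed, assumed schema, not a real log layout.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-04-25T09:00:01 code_issued   c-1 203.0.113.10  alice@example.org
2025-04-25T09:00:03 code_redeemed c-1 203.0.113.10  alice@example.org
2025-04-25T09:05:10 code_issued   c-2 203.0.113.10  alice@example.org
2025-04-25T09:07:42 code_redeemed c-2 198.51.100.77 alice@example.org
2025-04-25T09:20:00 code_redeemed c-9 198.51.100.77 bob@example.org
""".splitlines()

@dataclass
class Event:
    ts: datetime
    kind: str         # "code_issued" or "code_redeemed"
    correlation: str  # links a redemption to the sign-in that issued the code
    ip: str
    user: str

def parse(line: str) -> Event:
    ts, kind, corr, ip, user = line.split()
    return Event(datetime.fromisoformat(ts), kind, corr, ip, user)

def find_relayed_codes(lines, max_delay=timedelta(seconds=60)):
    """Return (correlation, user, reason) for every suspicious redemption."""
    issued = {}
    alerts = []
    for ev in map(parse, lines):
        if ev.kind == "code_issued":
            issued[ev.correlation] = ev
            continue
        src = issued.get(ev.correlation)
        if src is None:
            alerts.append((ev.correlation, ev.user, "no matching sign-in"))
            continue
        reasons = []
        if ev.ip != src.ip:  # production would compare ASN/geo, not raw IPs
            reasons.append(f"redeemed from {ev.ip}, issued to {src.ip}")
        if ev.ts - src.ts > max_delay:
            delay = int((ev.ts - src.ts).total_seconds())
            reasons.append(f"redeemed {delay}s after issue")
        if reasons:
            alerts.append((ev.correlation, ev.user, "; ".join(reasons)))
    return alerts
```

Running `find_relayed_codes(SAMPLE_LOG)` passes the first sign-in (same host, two seconds) and flags the other two redemptions.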
