Update: Republished on April 20 with a new 2FA attack on Google’s infrastructure. Here we go again.
Google has confirmed another attack on Gmail users that combines inherent vulnerabilities in the platform with devious social engineering. The net result is a flurry of headlines and viral social media posts followed by an urgent platform update. Google’s security warning is clear.
Users should stop using their passwords. This latest attack has been bubbling on X and in a number of crypto outlets, given that the victim was an Ethereum developer. Nick Johnson says he was “targeted by an extremely sophisticated phishing attack,” one which “exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more.”
The attack started with an email from a legitimate Google address warning Johnson that Google had been served with a subpoena for his Google account. “This is a valid, signed email,” Johnson says, “sent from [email protected]. It passes the DKIM signature check, and Gmail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts.”
This is clever. Technically, the attackers found a way to have Google itself send them a correctly titled, correctly signed email; because the DKIM signature travels with the message rather than with its delivery, a copy forwarded on to others passes the same legitimate check even though it is only a copy of the original. But the objective is simpler: a credential phishing page that mimics the real thing.
“We’re aware of this class of targeted attack,” Google has now confirmed in a statement, “and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
That’s all that matters. Stop using your password to access your account, even if you have two-factor authentication (2FA) enabled and especially if that 2FA is SMS-based.
It’s now too easy to trick you into giving up your login and password and then bypassing or stealing the SMS codes as they come into your device. There’s nothing to stop an attacker using your password and 2FA code on their own device. What does stop them is a passkey.
This is linked to your own physical device and requires your device security to unlock your Google account. That means that if an attacker does not have your device, they can’t log in. While Google has not yet gone as far as deleting passwords completely (which is Microsoft’s stated intention), you will know not to use your password to sign in, which will stop a malicious phishing page from stealing it.
However clever this latest attack is, like the others we have seen in recent months it is easily thwarted by updating your account security. These attacks are getting ever more sophisticated, and AI will enable this level of “targeting” to be done on a massive scale. As Microsoft warns, “AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate.”
You can find details on adding a passkey to your Google account here. This latest Google scam, exploiting weaknesses in its core infrastructure to mask an attack, is now getting more media pickup (1, 2). Unfortunately, most of this misses the point.
Google has been very clear each time such stories make headlines, emphasizing two key points. First, that the company will never reach out proactively to users to warn them about a support or security issue or to recommend they take actions to stay safe. And second, that enhancing account security per its advice will keep those accounts safe.
Don’t wade through the coverage and the technical detail. The ways in which these attackers have abused Google’s email system clearly need to be patched. But email is inherently insecure as a medium, and despite various patches and fixes that has not changed.
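The replay problem described earlier (a genuinely signed alert that stays valid when a stored copy is forwarded to somebody else) can be caught on the receiving side with a few header checks, because a DKIM signature covers the body and only the header fields listed in its h= tag, not the path the message took. The script below is an added example of mine, not code from Google, from Johnson or from this article. It assumes the receiving MTA has already verified the signature cryptographically, uses constructed placeholder domains (example.com and relatives) rather than the real sender address, and reports whether the recipient the signer covered is the mailbox the copy actually reached.

```python
"""Heuristic triage for replayed DKIM-signed mail (added example).

Does not verify the signature itself (assume the MTA already did); it looks
at what the signature covers and whether the recipient it covered is the
mailbox that actually received the message.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes; the default policy unfolds folded headers."""
    return email.message_from_bytes(raw, policy=policy.default)


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value (RFC 6376 tag=value list) into a dict.

    Folding whitespace inside a tag value is not significant, so it is dropped.
    """
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip().lower()] = "".join(val.split())
    return tags


def hops_after_signing(msg: EmailMessage) -> int:
    """Count Received: headers that sit above the DKIM-Signature header.

    MTAs prepend Received: as the message moves, so headers above the
    signature record hops taken after the signer released the message.
    A forwarded copy usually shows more of them than a direct delivery;
    treat the number as context for an analyst, not as a verdict.
    """
    count = 0
    for name, _ in msg.items():
        if name.lower() == "dkim-signature":
            break
        if name.lower() == "received":
            count += 1
    return count


def replay_indicators(raw: bytes, delivered_to: str) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = parse_message(raw)
    findings = []
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header present"]
    tags = parse_dkim_tags(str(sig))

    # 1. The signature must cover To:, otherwise the recipient field can be
    #    rewritten without breaking the signature at all.
    covered = {h.lower() for h in tags.get("h", "").split(":") if h}
    if "to" not in covered:
        findings.append("signature does not cover To:; recipient can be rewritten freely")

    # 2. The recipient the signer covered should be the mailbox that got it.
    signed_to = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if delivered_to.lower() not in signed_to:
        findings.append(f"delivered to {delivered_to} but signed To: names {sorted(signed_to)}")

    # 3. DMARC-style alignment between the From: domain and the signing domain d=.
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    d = tags.get("d", "").lower()
    if d and from_domain != d and not from_domain.endswith("." + d):
        findings.append(f"From: domain {from_domain} is not aligned with d={d}")
    return findings


# Constructed sample (not a real message): an alert signed for example.com,
# delivered once, then forwarded unchanged via relay.example.net to another
# mailbox. Signature values are placeholders; only the header layout matters.
SAMPLE = b"""Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP; Sat, 19 Apr 2025 10:00:00 +0000
Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby relay.example.net with ESMTP; Fri, 18 Apr 2025 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;
\th=to:subject:from:date:mime-version; bh=PLACEHOLDERBODYHASH=;
\tb=PLACEHOLDERSIGNATURE=
From: Security Alerts <no-reply@example.com>
To: first-recipient@example.com
Subject: Security alert for your account
Date: Fri, 18 Apr 2025 09:00:00 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

A notice about your account.
"""

if __name__ == "__main__":
    print("hops after signing:", hops_after_signing(parse_message(SAMPLE)))
    for mailbox in ("first-recipient@example.com", "someone-else@example.org"):
        print(mailbox, "->", replay_indicators(SAMPLE, mailbox) or "clean")
```

Run as is, the original recipient comes back clean while the forwarded copy is flagged because the signed `To:` names a different mailbox; the hop count is printed as context only, since direct deliveries from large providers legitimately show more than one `Received:` above the signature.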
What we’re seeing now is a relative trickle of more advanced and dangerous AI attacks, but that will change. The tidal wave is coming, and you won’t be able to keep yourself safe by addressing one of these exploits at a time. You may spot this attack now that you’ve seen the coverage, but you won’t spot the next one.
Set up passkeys now if you have not done so already. And just as with banking scams and law enforcement scams, keep in mind that any such proactive approach is a scam. Banks emphasize they’ll never reach out, just as big tech does regarding technical support, and law enforcement does regarding recent impersonations.
This advice has never been more critical. As Microsoft has just warned, “AI tools can scan and scrape the web for company information, helping cyber attackers build detailed profiles [and] highly convincing social engineering lures. In some cases, bad actors are luring victims into increasingly complex fraud schemes.”
This is a game of cat and mouse — and it’s getting harder to keep up. Google’s advice to use 2FA is fast becoming invalid — at least in part. 2FA is increasingly at risk, especially where it relies on one-time SMS codes, still the most commonly selected option.
Just as Google issued that advice, we were seeing the latest headlines warning of 2FA bypasses and interceptions. This time it’s Gorilla, “a newly discovered Android malware that shows characteristics of an evolving threat,” Prodaft warns. “It primarily focuses on SMS interception and persistent communication with its command and control (C2) server.” That means intercepted SMS codes can be used in combination with the kind of password attack highlighted by this latest Gmail attack.
“To read SMS messages and send new ones,” Prodaft explains, “Gorilla requests to become the default SMS application (T1582 - SMS Control). After obtaining this privilege, it requests the necessary permissions for its malicious activities. The READ_PHONE_STATE and READ_PHONE_NUMBERS permissions are required to read SIM card information and retrieve the phone number from the device. Collected SMS messages are categorized with tags like ‘Banks’ and ‘Yandex’.”
The malware even tricks users into disabling power management settings that would otherwise frustrate its ability to operate. “Some manufacturers implement aggressive battery-saving measures that stop such applications. To bypass this, Gorilla prompts the user to ignore battery optimizations for itself. Additionally, if the manufacturer string contains ‘Honor’ or ‘Huawei,’ it introduces a longer delay between its heartbeat service executions to avoid being battery optimized.”
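Prodaft's description above amounts to a recognisable manifest profile: an app that can take the default SMS role, reads SIM and phone-number state, and asks to be excluded from battery optimisation so its background C2 heartbeat keeps running. As an added example (my own, not Prodaft's tooling and not anything from this article), the script below triages an AndroidManifest.xml for that combination. The two manifests are constructed samples, the review threshold is my assumption, and the SMS permissions and the SMS_DELIVER broadcast are standard Android identifiers that the article itself does not name; only READ_PHONE_STATE, READ_PHONE_NUMBERS and the T1582 reference come from the page.

```python
"""Static triage of an AndroidManifest.xml for the traits Prodaft attributes
to Gorilla (added example). Output is a review queue, not a malware verdict:
legitimate messaging apps share the SMS traits.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions quoted in the Prodaft write-up (SIM info and phone number).
SIM_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
}
# Standard Android SMS permissions that a default SMS handler holds.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Lets the app prompt the user to exempt it from Doze / battery optimisation.
BATTERY_OPT_OUT = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
# An app is only eligible for the default-SMS role (the T1582 pattern) if it
# declares a receiver for this broadcast.
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"
REVIEW_THRESHOLD = 3  # assumption: three of the four traits means "look at it"


def declared_permissions(root: ET.Element) -> set:
    """Collect every android:name on <uses-permission> elements."""
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def receives_sms_deliver(root: ET.Element) -> bool:
    """True if any intent-filter action is the SMS_DELIVER broadcast."""
    return any(a.get(ANDROID_NS + "name") == SMS_DELIVER_ACTION for a in root.iter("action"))


def triage(manifest_xml: str) -> dict:
    """Score a manifest against the four traits and attach a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    traits = {
        "default_sms_candidate": receives_sms_deliver(root),
        "sms_access": bool(perms & SMS_PERMISSIONS),
        "sim_and_number_read": SIM_PERMISSIONS <= perms,
        "battery_opt_out": BATTERY_OPT_OUT in perms,
    }
    score = sum(traits.values())
    verdict = "review" if score >= REVIEW_THRESHOLD else "ok"
    return {**traits, "score": score, "verdict": verdict}


# Constructed manifests (not taken from any real APK).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Sample">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

A real SMS client will also be a default-SMS candidate with SMS permissions, so those two traits alone should never trip the threshold; it is the SIM read plus the battery opt-out on top of them that matches the write-up, and even then the result is a prompt for an analyst to open the APK, not a conviction.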
” The answer is to add that passkey to your account. Do not use 2FA instead. There are other physical key solutions, but nothing as simple as passkeys.
All 3 billion Gmail users should set up passkeys now. Google is moving away from SMS codes. And you should do the same.
In your account settings, enable an authenticator app or Google prompts to other devices and apps — in addition to a passkey, of course. If you have one or other form of strong authentication on your account, you don’t need to worry about the sophistication of the attack. But you do need to stop using your password to log in, and you need to ensure you have a stronger-than-SMS form of 2FA enabled for all your accounts.
Google and others are maintaining password access as a backup, even if passkeys are enabled, and this is a vulnerability. Prodaft warns that “Gorilla appears to be in an early stage of development, as evidenced by its lack of obfuscation, excessive logging, and unused classes.” But it’s a sign of things to come, and a warning that SMS 2FA is almost as bad as no 2FA at all. Remember, if your email is compromised then so are the accounts linked to that email address, to which you may receive reset links, login codes and account warnings when attacks seek to bypass your security. You have been warned.
Google Confirms Gmail Warning—3 Billion Users Must Now Act
Do not lose your account—do this now.