WARNING: Gmail users beware! Hackers have a new trick up their sleeve!

Are you a Gmail user? We have some important news for you! Hackers have yet again found a new way to trick people and steal confidential information from their Gmail accounts.

Gmail is one of the most popular email services, and it comes with a range of features that keep people’s records safe. However, hackers are always looking for ways to break into accounts for their own benefit. The new trick they have found is called ‘OAuth phishing.’ It has gotten pretty good at forging the notifications Google sends when a user’s consent is needed to access Google services. OAuth is the method used to allow third-party apps to access users’ Google accounts.

The phishing scam arrives by email, in the form of a message that claims to be from Google. The email will tell you that a third-party app is requesting authorization to access your Google account. When the user clicks the link allowing the authorization, they are taken to a fraudulent Google login page that is the spitting image of the original. Sadly, the illegitimate login page will then pass on the user’s credentials to the hackers, who will gain access to the user’s account.

This trick is not limited to Gmail users; it can be used against any service that relies on Google’s OAuth technology. It might seem hard to tell the difference between the genuine login screen and the hoax one, but some things can help differentiate the two.

One of the most visible differences is the URL of the page. Google’s real login page is served over HTTPS at https://accounts.google.com. The fake URL will differ slightly.
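The check the previous paragraph describes, written out as an added Python example (this is not code from the original article): the link is parsed with the standard library and its host compared exactly against accounts.google.com, so a lookalike that merely contains the real name is still flagged. The sample links are constructed for illustration; the `.example` domains are reserved names, not real sites.

```python
from urllib.parse import urlsplit

# Host that serves Google's genuine sign-in page (named in the article above).
GOOGLE_LOGIN_HOST = "accounts.google.com"


def is_real_google_login(url: str) -> bool:
    """Return True only if url is HTTPS and its host is exactly accounts.google.com.

    Exact comparison is the point: lookalikes such as accounts.google.com.evil.example,
    accounts-google.com, or accounts.google.com@evil.example (userinfo trick) all fail.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased; strips the port and any user:pass@ prefix
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() != "https" or not host:
        return False
    return host.rstrip(".") == GOOGLE_LOGIN_HOST


# Constructed sample links, as they might appear when hovering over an email's link.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin/v2/identifier",   # genuine host
    "http://accounts.google.com/signin",                   # genuine host but not HTTPS
    "https://accounts.google.com.login-check.example/",    # real name used as a subdomain prefix
    "https://accounts-google.com/signin",                  # hyphen lookalike
    "https://accounts.google.com@login-check.example/",    # real name hidden in the userinfo part
    "https://accounts.goog1e.com/",                        # digit-for-letter lookalike
]


def triage(links):
    """Map each link to 'genuine' or 'suspicious'."""
    return {u: ("genuine" if is_real_google_login(u) else "suspicious") for u in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

Only the first sample link passes; every other one differs in scheme or host even though the string "accounts.google.com" appears in most of them.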

Another vital thing is that the sender of the email message should be scrutinized closely. Google requires third-party services to use OAuth to link users’ Google accounts, so the message may state that the sender is an authorized Gmail application or developer; almost all Google applications use it. The general rule is never to click on links in messages from strangers or people you do not recognize. Always hover over the URL of any message offering to link a third-party service to your Google account to verify that it appears to be an authorized Google application. Even this step cannot guarantee that a fake login screen will not eventually appear, because the screen can be hosted on a legitimate website that has already been compromised.

Whatever the case may be, it’s always a good practice to be cautious of the sites and emails that you visit and receive. Always study the email messages and authentication requests thoroughly in case of foul play to keep yourself protected.

Just because that email has the right name and a correct email address doesn’t mean it’s legitimate.

  • Cybersecurity researchers have noticed an uptick in phishing emails from legitimate email addresses.
  • They claim these fake messages take advantage of a flaw in a popular Google service and lax security measures by the impersonated brands.
  • Keep watch for tell-tale signs of phishing, even when the email appears to be from a legitimate contact, suggest experts.

According to cybersecurity sleuths at Avanan, phishing actors have found a way to abuse Google’s SMTP relay service, which allows them to spoof any Gmail address, including those of popular brands. The novel attack strategy lends legitimacy to the fraudulent email, letting it fool not just the recipient but also automated email security mechanisms. 

“Threat actors are always looking for the next available attack vector and reliably find creative ways to bypass security controls like spam filtering,” Chris Clements, VP Solutions Architecture at Cerberus Sentinel, told Lifewire over email. “As the research states, this attack utilized the Google SMTP relay service, but there has been a recent uptick in attackers leveraging ’trusted’ sources.”

Don’t Trust Your Eyes

Google offers an SMTP relay service that’s used by Gmail and Google Workspace users to route outgoing emails. The flaw, according to Avanan, enabled phishers to send malicious emails by impersonating any Gmail and Google Workspace email address. During two weeks in April 2022, Avanan noticed nearly 30,000 such fake emails. 

In an email exchange with Lifewire, Brian Kime, VP, Intelligence Strategy and Advisory at ZeroFox, shared that businesses have access to several mechanisms, including DMARC, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM), which essentially help receiving email servers reject spoofed emails and even report the malicious activity back to the impersonated brand.

“Trust is huge for brands. So huge that CISOs are increasingly tasked with leading or helping a brand’s trust efforts,” shared Kime.


However, James McQuiggan, security awareness advocate at KnowBe4, told Lifewire over email that these mechanisms aren’t as widely used as they should be, and malicious campaigns such as the one reported by Avanan take advantage of such laxity. In their post, Avanan pointed to Netflix, which used DMARC and wasn’t spoofed, while Trello, which doesn’t use DMARC, was.
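To make concrete why a brand with DMARC was not spoofed while one without it was, here is an added Python example (not code from Avanan, Lifewire or any vendor) modelling what a receiving mail server does with a message relayed through a shared SMTP service. The DNS records, domain names and IP range are constructed for illustration and are not the real records of Netflix, Trello or anyone else; the SPF evaluator covers only the ip4, ip6, include and all mechanisms, which is enough for the scenario. The key detail is that the relay legitimately passes SPF for the attacker's own envelope domain, but that domain is not aligned with the spoofed From header, so DMARC decides the outcome.

```python
import ipaddress

# Constructed DNS zone data for hypothetical domains (reserved .example names).
# "protected.example" publishes DMARC p=reject; "unprotected.example" publishes none.
FAKE_DNS_TXT = {
    "protected.example":        ["v=spf1 include:_spf.relay.example -all"],
    "_dmarc.protected.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@protected.example"],
    "unprotected.example":      ["v=spf1 include:_spf.relay.example -all"],
    # deliberately no _dmarc.unprotected.example record
    "attacker-tenant.example":  ["v=spf1 include:_spf.relay.example -all"],
    "_spf.relay.example":       ["v=spf1 ip4:203.0.113.0/24 -all"],   # the shared relay's IPs
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone data."""
    return FAKE_DNS_TXT.get(name.lower(), [])


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the SPF subset used here (ip4, ip6, include, all) for sender_ip.

    Returns pass, fail, softfail, neutral (nothing matched) or none (no record).
    """
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False             # mechanisms not modelled here never match
        if matched:
            return QUALIFIER[qual]
    return "neutral"


def dmarc_policy(from_domain):
    """Return the p= tag of the domain's DMARC record, or None if no record is published."""
    for record in lookup_txt("_dmarc." + from_domain):
        if record.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return tags.get("p", "none").lower()
    return None


def aligned(auth_domain, from_domain):
    """Relaxed DMARC alignment: same domain, or auth_domain is a subdomain of from_domain."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def dmarc_disposition(from_domain, mail_from_domain, sender_ip, dkim_pass_domains=()):
    """Decide what a receiving MTA does, given the header From domain, the envelope
    MAIL FROM domain, the connecting IP and any DKIM d= domains whose signature verified."""
    spf_aligned = (spf_check(mail_from_domain, sender_ip) == "pass"
                   and aligned(mail_from_domain, from_domain))
    dkim_aligned = any(aligned(d, from_domain) for d in dkim_pass_domains)
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "deliver", "no DMARC record: receiver cannot tell the spoof from genuine mail"
    if spf_aligned or dkim_aligned:
        return "deliver", "DMARC pass"
    if policy == "reject":
        return "reject", "DMARC fail, p=reject"
    if policy == "quarantine":
        return "quarantine", "DMARC fail, p=quarantine"
    return "deliver", "DMARC fail, but p=none only asks for reports"


if __name__ == "__main__":
    RELAY_IP = "203.0.113.25"   # constructed: an address inside the relay's SPF range
    cases = {
        "genuine mail from protected.example":        ("protected.example", "protected.example", RELAY_IP),
        "spoof of protected.example via the relay":   ("protected.example", "attacker-tenant.example", RELAY_IP),
        "spoof of unprotected.example via the relay": ("unprotected.example", "attacker-tenant.example", RELAY_IP),
    }
    for label, args in cases.items():
        print(f"{label}: {dmarc_disposition(*args)}")
```

Run as a script, the genuine message is delivered, the spoof of the protected domain is rejected, and the spoof of the domain without DMARC is delivered with no way for the receiver to distinguish it. A real deployment would also need the full SPF mechanism set and real DNS lookups, but the decision logic is the same.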

When in Doubt

Clements added that while the Avanan research shows the attackers exploited the Google SMTP relay service, similar attacks include compromising an initial victim’s email systems and then using that for further phishing attacks on their entire contact list.

This is why he suggested people looking to remain safe from phishing attacks should employ multiple defensive strategies.

For starters, there’s the domain name spoofing attack, where cybercriminals use various techniques to hide their email address behind the name of someone the target may know, like a family member or a superior from the workplace, expecting them not to go out of their way to check that the email is really coming from the disguised address, shared McQuiggan. 

“People shouldn’t blindly accept the name in the ‘From’ field,” warned McQuiggan, adding that they should at least go behind the display name and verify the email address. “If they are unsure, they can always reach out to the sender via a secondary method like text or phone call to verify the sender meant to send the email,” he suggested.

However, in the SMTP relay attack described by Avanan, trusting an email by looking at the sender’s email address alone isn’t enough, since the message will appear to come from a legitimate address.
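An added Python example (not code from the article or the quoted experts) covering both of the points above: McQuiggan's advice to look behind the display name, and the relay case where the address itself is genuine. It parses a raw message with the standard library, flags a display name that embeds an address from a different domain than the real sender, flags a Reply-To that diverts replies elsewhere, and reads the receiving server's own Authentication-Results header, which is where a spoof through a relay shows up as a DMARC failure even though the From address looks right. All three sample messages are constructed and use reserved `.example` domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DMARC_RESULT_RE = re.compile(r"\bdmarc=(\w+)", re.IGNORECASE)


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def inspect_sender(raw_message):
    """Return the parsed From parts plus a list of red flags found in the headers."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    findings = []

    # Display-name spoofing: the name shows an address from a domain other than the real one.
    for embedded in EMAIL_RE.findall(display_name):
        if domain_of(embedded) != from_domain:
            findings.append(f"display name shows {embedded} but the message really comes from {address}")

    # Replies quietly diverted to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} is not in the From domain {from_domain}")

    # The receiving server's verdict: a correct-looking address is not trustworthy unless
    # DMARC passed. A relay spoof typically shows spf=pass for the attacker's envelope
    # domain together with dmarc=fail for the displayed From domain.
    auth_results = msg.get("Authentication-Results", "")
    match = DMARC_RESULT_RE.search(auth_results)
    if match is None:
        findings.append("no DMARC verdict recorded by the receiving server")
    elif match.group(1).lower() != "pass":
        findings.append(f"receiving server recorded dmarc={match.group(1).lower()} for {from_domain}")

    return {"display_name": display_name, "address": address, "findings": findings}


# Constructed sample messages (not real mail; every domain is a reserved .example name).
DISPLAY_NAME_SPOOF = """\
From: "Pat Lee <pat.lee@corp.example>" <pat.lee.corp@free-mail.example>
To: you@corp.example
Subject: Urgent: wire transfer today
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=free-mail.example; dmarc=pass header.from=free-mail.example

Please process the attached invoice before noon.
"""

RELAY_SPOOF = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=attacker-tenant.example; dkim=none; dmarc=fail header.from=protected.example
From: Security Alert <alerts@protected.example>
To: you@corp.example
Reply-To: helpdesk@attacker-tenant.example
Subject: Your account will be suspended

Click the link to verify your account.
"""

GENUINE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=protected.example; dkim=pass header.d=protected.example; dmarc=pass header.from=protected.example
From: Billing <billing@protected.example>
To: you@corp.example
Subject: Your monthly statement

Your statement is ready.
"""

if __name__ == "__main__":
    samples = [("display-name spoof", DISPLAY_NAME_SPOOF), ("relay spoof", RELAY_SPOOF), ("genuine", GENUINE)]
    for label, raw in samples:
        print(label, "->", inspect_sender(raw)["findings"] or "no red flags")
```

The first sample is caught by the display-name check alone; the second has a perfectly genuine-looking From address and is caught only by the Reply-To mismatch and the server's dmarc=fail verdict, which is why the article says the address by itself is not enough; the third produces no findings.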

“Fortunately, that’s the only thing that differentiates this attack from normal phishing emails,” Clements pointed out. The fraudulent email will still have the tell-tale signs of phishing, which is what people should look for. 

For instance, Clements said that the message might contain an unusual request, especially if it’s conveyed as an urgent matter. It would also have several typos and other grammatical mistakes. Another red flag would be links in the email that don’t go to the sender organization’s usual website. 

“When in doubt, and you should almost always be in doubt, [people] should always use trusted paths such as going directly to the company’s website or calling the support number listed there to verify, instead of clicking links or contacting phone numbers or emails listed in the suspicious message,” advised Chris.
