Can scammers get any more clever?
Bad actors are now manipulating a Google Drive feature to launch phishing links through automated email notifications from Google, according to a WIRED report. By mentioning a Google user in a Drive document, the scammers prompt Google to generate a notification that will be sent straight to the user’s inbox, bypassing spam filters.
“The smartest part of the scam is that the emails and notifications it generates come directly from Google,” WIRED explains. “On mobile, the scam uses the collaboration feature in Google Drive to generate a push notification inviting people to collaborate on a document. If tapped, the notification takes you directly to a document that contains a very large, tempting link. An email notification created by the scam, which also comes from Google, also contains a potentially malicious link. Unlike regular spam, which Gmail does a pretty good job of filtering out, this message not only makes it into your inbox, it gets an added layer of legitimacy by coming from Google itself.”
WIRED states this scam has been observed frequently over the past few weeks, so users should be on the lookout.
“The scammers are working their way through a huge list of Gmail accounts, with scores of people reporting similar versions of the attack in recent weeks,” WIRED says.
Google said it’s working on new ways to detect malicious activity, but David Emm, a principal security researcher Kaspersky, told WIRED that this could be a challenge.
“It’s difficult for Google to do anything if the notification is coming from a legitimate account, which is, of course, easy to create,” Emm said. “Avoid clicking on unsolicited links of any kind when sent from unknown sources. If you weren’t expecting to receive it and don’t know the sender, don’t respond.”
In this case, the messages are clumsily written and would make many users suspicious. However, a more talented attacker could easily craft a much more convincing scam using this method. This attack is particularly insidious in the organizational context, where co-workers commonly share their work product using Google Docs. New-school security awareness training can help your employees avoid falling for new and unexpected phishing techniques.
See WIRED for the full story.
Image Source: https://www.pexels.com/photo/light-smartphone-macbook-mockup-67112/