Urgent warning to all 1.8b Gmail users over 'sophisticated' attack stealing personal information

Google has confirmed a 'sophisticated' attack on 1.8 billion Gmail users' data, prompting the tech giant to issue an urgent warning.

The phishing scam was first reported by Nick Johnson, a developer for the cryptocurrency platform Ethereum.

'Recently I was targeted by an extremely sophisticated phishing attack,' Johnson posted on X Wednesday. 

'It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more,' he said. 

Johnson shared a screenshot of the email he received, which appeared to come from a legitimate Google address and said he had been served with a subpoena for his Google account, which would require him to hand over access.

'The only hint it's a phish is that it's hosted on sites.google.com instead of accounts.google.com,' Johnson said. 

Clicking the fraudulent link in the email took him to a 'very convincing 'support portal' page.' He then clicked 'Upload additional documents' and 'View case,' and both links took him to 'exact duplicates' of legitimate Google pages.

These pages asked Johnson to sign into his Google account. 'From there, presumably, they harvest your login credentials and use them to compromise your account; I haven't gone further to check,' he explained.


He noted that the nefarious email passed the DKIM signature check, which confirms that the signed parts of a message were not altered on the way to your inbox, and that Gmail displayed it without any warnings. 

'It even puts it in the same conversation as other, legitimate security alerts,' he added. 

In a statement to DailyMail.com, a Google spokesperson said: 'We're aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse. 

'In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.'

The company added that it has shut down the mechanism that allowed this method of attack to work, and recently shared guidance on spotting and avoiding email scams. 

'Google will not ask for any of your account credentials — including your password, one-time passwords, confirm push notifications, etc. — and Google will not call you.' 

Phishing attacks like this one aim to get users to share their personal information with hackers, which they can use to steal victims' identity or money. 

The goal is to make the devious message appear as legitimate as possible to trick users into believing they're sharing their information with a trusted entity.


That's why the hackers behind this Gmail attack used Google Sites to craft their scam, 'because they know people will see the domain is http://google.com and assume it's legit,' Johnson explained.

If you log into your Gmail account with a password and then unwittingly share it with a hacker, there's nothing stopping them from breaking in: they simply enter your password and a 2FA code on their own device and access the account. 

But using a passkey and 2FA makes it much harder for hackers to break in.

A passkey is a system-generated, highly secure login credential that cannot easily be guessed, stolen or phished. 

It only works on the physical device it's linked to, which means hackers can't use it to gain access to your account on their devices. 

In addition to swapping your password for a passkey, you can learn to spot the telltale signs of a phishing attack to protect your online accounts. 

Even though these scams are getting harder to identify, there are some details that will give them away. 

Phishing messages typically use a generic greeting, inform you that there is an urgent issue that cannot be resolved without your action, and invite you to click on a link. 


While legitimate companies like Google may communicate with users via email, they won't send you a link to resolve issues like updating your login or payment information.
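The article's central warning is that a link landing somewhere under google.com is not the same as a link landing on the real sign-in page. The following checker, added here as an illustration and not code from Google or from Johnson's post, pulls the links out of an email body and flags any that sit on a google.com subdomain other than accounts.google.com (the hostnames named in the article). The sample email body is constructed for the example; the lookalike host in the test is likewise made up.

```python
import re
from urllib.parse import urlparse

# The host a genuine Google sign-in link should land on (per the article).
EXPECTED_LOGIN_HOST = "accounts.google.com"

# Crude URL matcher for plain-text email bodies; trailing punctuation is stripped.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in a plain-text email body."""
    return [u.rstrip(".,);") for u in URL_RE.findall(text)]


def classify_link(url: str) -> tuple[str, str]:
    """Classify one URL as 'ok', 'suspicious' or 'external' with a reason.

    The comparison is made on the parsed hostname, not on a substring search,
    so 'accounts.google.com.evil.example' is not treated as a google.com host.
    """
    host = (urlparse(url).hostname or "").lower()
    if host == EXPECTED_LOGIN_HOST:
        return "ok", "expected Google sign-in host"
    if host == "google.com" or host.endswith(".google.com"):
        # Same registrable domain as the real thing, but not the sign-in host.
        # sites.google.com serves user-authored pages, which is what the
        # reported lure used for its fake 'support portal'.
        return "suspicious", f"google.com subdomain {host!r} is not {EXPECTED_LOGIN_HOST}"
    return "external", f"host {host!r} is not under google.com"


def review_email(body: str) -> list[tuple[str, str, str]]:
    """Return (url, verdict, reason) for every link in the body."""
    return [(u, *classify_link(u)) for u in extract_urls(body)]


# Constructed sample resembling the lure described in the article.
SAMPLE_EMAIL = """\
A subpoena has been served on your Google Account.
Review the case at https://sites.google.com/view/case-00000 before the deadline.
If you believe this is an error, sign in at https://accounts.google.com/signin.
"""

if __name__ == "__main__":
    for url, verdict, reason in review_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}  ({reason})")
```

This is one signal, not a verdict: the article's point is that the fake portal pages were otherwise exact copies of Google's, so a hostname check only tells you where you are about to type a password, and a passkey bound to the real origin is what stops the credential from being usable elsewhere.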

Since this most recent phishing scam tricks users into thinking a government or legal agency has requested their account information, it's important to know that Google will actually notify users of this type of request via email, according to their Privacy and Terms page. 

'When we receive a request from a government agency, we send an email to the user account before disclosing information. If the account is managed by an organization, we'll give notice to the account administrator,' it states. 

'We won't give notice when legally prohibited under the terms of the request. We'll provide notice after a legal prohibition is lifted, such as when a statutory or court-ordered gag period has expired.'

Therefore, it can be difficult to tell the difference between a legitimate subpoena and a fraudulent one. 

In general, Google warns users to 'be careful anytime you receive a message from a site asking for personal information.

'If you get this type of message, don't provide the information requested without confirming that the site is legitimate.

'If possible, open the site in another window instead of clicking the link in your email. Google will never send unsolicited messages asking for your password or other personal information.'
