Send Link mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://mailman.anu.edu.au/mailman/listinfo/link
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Link digest..."


Today's Topics:

   1. Google Advanced Protection Program (Stephen Loosley)
   2. Re: Google Advanced Protection Program (Philip N Argy)


----------------------------------------------------------------------

Message: 1
Date: Mon, 14 Oct 2024 22:27:47 +1030
From: Stephen Loosley <[email protected]>
To: "link" <[email protected]>
Subject: [LINK] Google Advanced Protection Program
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"

New Gmail Security Alert For 2.5 Billion Users As AI Hack Confirmed

By Davey Winder Oct 13, 2024 
https://www.forbes.com/sites/daveywinder/2024/10/13/new-gmail-security-alert-for-billions-as-7-day-ai-hack-confirmed/

(Update, Oct. 13, 2024: This story, originally published Oct. 11, includes 
details of a new Google anti-scam alliance initiative, a new warning about 
legitimate-looking support scams and details of Google's Advanced Protection 
Program to protect high-risk accounts.)


Google has implemented increasingly sophisticated protections against those who 
would compromise your Gmail account, but hackers using AI-driven attacks are 
also evolving. 

According to Google's own figures, there are currently more than 2.5 billion 
users of the Gmail service. No wonder, then, that it is such a target for 
hackers and scammers. Here's what you need to know.

The Latest AI-Driven Gmail Attack Is Scary Good

Sam Mitrovic, a Microsoft solutions consultant, has issued a warning after 
almost falling victim to what is described as a "super realistic AI scam call" 
capable of tricking even the most experienced of users.

It all started a week before Mitrovic realized the sophistication of the attack 
that was targeting him. 

"I received a notification to approve a Gmail account recovery attempt," 
Mitrovic recounts in a blog post warning other Gmail users of the threat in 
question. The need to confirm an account recovery, or a password reset, is a 
notorious phishing attack methodology intended to drive the user to a fake 
login portal where they need to enter their credentials to report the request 
as not initiated by them.

Unsurprisingly, then, Mitrovic wasn't falling for this and ignored the 
notification that appeared to originate from the U.S. and a missed phone call, 
purporting to be from Google in Sydney, Australia, some 40 minutes later. So 
far, so relatively straightforward and easy to avoid. 

Then, almost exactly a week later, the fun started in earnest: another 
notification request for account recovery approval followed by a telephone call 
40 minutes later. This time, Mitrovic didn't miss the call and instead picked 
up: an American voice, claiming to be from Google support, confirmed that there 
was suspicious activity on the Gmail account.

"He asks if I'm traveling," Mitrovic said, "when I said no, he asks if I logged 
in from Germany, to which I reply no." All of this to engender trust in the 
caller and fear in the recipient. This is when things turned dark fast and 
really rather clever in the overall scheme of phishing things. 

The so-called Google support person informed Mitrovic that an attacker had 
accessed his Gmail account for the past 7 days, and had already downloaded 
account data. This rang alarm bells as Mitrovic recalled the recovery 
notification and missed call from a week earlier.

Googling the phone number he was being called from while speaking, Mitrovic 
discovered that it did, indeed, lead to Google business pages. 

This alone is a clever tactic likely to fool plenty of unsuspecting users 
caught up in the panic of the moment, as it wasn't a Google support number but 
rather about getting calls from Google Assistant. "At the start of the call, 
you'll hear the reason for the call and that the call is from Google. You can 
expect the call to come from an automated system or, in some cases, a manual 
operator," the 100% genuine page helpfully informs the reader.

Garry Tan, the founder of venture capital firm and startup accelerator Y 
Combinator, has taken to X, formerly known as Twitter, to issue a warning about 
another phishing scam that he described as being "pretty elaborate" which also 
leverages AI so as to present itself as believable. 

Once again, as with the scam that almost fooled Sam Mitrovic, a security 
consultant, remember, this latest warning concerns contact from a so-called 
Google support technician. I wouldn't go as far as one commenter on X who 
suggested the giveaway was that Google doesn't have any support for users, but 
it's not that far from the truth when it comes to these scams: Google 
support will not contact you out of the blue like this. "Do not click yes on 
this dialog," Tan warned, "you will be phished."

In the case of the scam that targeted Tan, the supposed Google support person 
claimed that the company had received a death certificate and a family member 
was attempting to recover his account. The caller, in other words, and only AI 
could be this stupid, was checking that the person answering was alive. 

"It's a pretty elaborate ploy to get you to allow password recovery," Tan went 
on to warn, but spotted that the account recovery screen he was presented with 
had a device field that displayed the name of a Google support worker rather 
than an actual device used to access the account. 

Tan suggested that whoever designed the interface for recovery should be 
employing some pretty basic regular expression checks, or even AI-based fraud 
detection, on the text field in question. "It's trivial to check the device 
name for this," he concluded. Part of the scam involved getting Tan to re-add 
his cellphone number as part of the verification process to trigger an account 
recovery dialog. Tan was, however, wise to this: "I've been SIM swapped, so 
know not to have my cell on my accounts ever," Tan explained.

Using Google Forms To Make Contact Appear Legitimate

Fraudsters have also been seen abusing Google Forms, a free online tool that is 
part of Google Workspace, to create legitimate looking documents sent as part 
of support scams. By sending a copy of the form to the target address, using 
the response receipt option of Google Forms, the document is sent via genuine 
Google servers which adds legitimacy to the scam. Checking the email will show 
it as being from [email protected] for example, which acts to lower 
any red flags the recipient might have had. 

One such scam used such a form to mimic an account recovery password reset 
form, telling the target they would get a SMS notification from a named support 
agent and giving them the number to check. This double-legitimacy method is 
enough to fool plenty of people, lots of the time. In this case, the slip-up, 
and only then if the person on the receiving end was savvy enough to realize, 
was a confusingly complex and overlong password reset process.

Lessons To Be Learned From These Google Support Hack Near Misses

Mitrovic did the right thing, or at least the next best thing to hanging up, 
and asked the supposed support guy to send an email confirmation, an email which 
arrived soon after, from a Google domain and looking for all intents and 
purposes genuine. At this point he noticed the "to" field contained a cleverly 
disguised address that wasn't actually a Google domain but could, once again, 
easily fool those not of a technical bent.

The real giveaway for Mitrovic, however, was when the caller said hello and 
after no response said hello again. "At this point I realised it was an AI voice 
as the pronunciation and spacing were too perfect," Mitrovic said.

It's well worth reading the original blog from Mitrovic as it contains much 
more technical detail and detective work that I don't have the space to cover 
in this report. 

Knowledge is everything, and the threat intelligence provided by this 
consultant is genuinely invaluable for anyone who might find themselves in a 
similar situation: forearmed is forewarned.

It's almost a certainty that the attacker would have continued to a point where 
the so-called recovery process would be initiated; in truth this would be a 
cloned login portal capturing user credentials and likely the use of some kind 
of session cookie stealing malware to bypass two-factor authentication if that 
was in place.

Google Launches The Global Signal Exchange To Fight Scammers

Google has announced that it has joined forces with the Global Anti-Scam 
Alliance and the DNS Research Federation to form a new initiative in the battle 
against scammers. The Global Signal Exchange will act as an 
intelligence-sharing platform when it comes to scams and fraud, providing 
real-time insight into the cybercrime supply chain. As the first founding 
member of the Global Signal Exchange, Google hopes that the platform will 
become, in effect, a global clearinghouse for the kind of intelligence signals 
that are connected to bad actors and their attacks.

Amanda Storey, senior director of trust and safety at Google, said that the 
collaboration "leverages the strengths of each partner." With GASA having an 
extensive existing network of interested stakeholders and the DNS Research 
Foundation a data platform with more than 40 million existing signals, "GSE 
aims to improve the exchange of abuse signals, enabling faster identification 
and disruption of fraudulent activities across various sectors, platforms and 
services."

The ultimate goal, Google confirmed, is to create a solution that not only 
operates at the almost unthinkable scale of the internet itself but does so in 
an efficient and, above all, user-friendly way. This means that qualifying 
organizations will be able to use it to hit back at scammers. 

Google already has plenty of experience in this field, with a long-established 
history of entering into partnerships to help fight fraud. Indeed, as part of 
the testing of the new Global Signal Exchange, Google shared more than 100,000 
malicious URLs and consumed a staggering million scam signals for analysis. 
"We'll start by sharing Google Shopping URLs that we have actioned under our 
scams policies," Nafis Zebarjadi, Google's account security product manager 
said, "and as we gain experience from the pilot, we will look to add data soon 
from other relevant Google product areas."

The Global Signal Exchange, or at least the engine that drives it, runs on the 
Google Cloud to enable all participants to share and consume intelligence 
signals while "benefiting from Google Cloud Platform's AI capabilities to find 
patterns and match signals smartly," Storey concluded.

Staying Safe From The Most Advanced Of Gmail Scams

AI deepfakes are not just used for porn and politics; they are used to 
perpetrate seemingly straightforward account takeovers such as in this case. 
Stay calm if you are approached by someone claiming to be from Google support: 
they won't phone you, so there's a massive red flag right away, and no harm will 
come to you if you hang up. 

Use the tools at your disposal, ironically Google search itself and your Gmail 
account, to make checks during the call if you are concerned it could be 
genuine and ignoring it could cause harm. Search for the phone number, see 
where it's really coming from. Check your Gmail activity to see what, if any, 
devices other than your own have been using the account. Take note of what 
Google says about staying safe from attackers using Gmail phishing scams. Most 
importantly, never let yourself be rushed into making a knee-jerk reaction, no 
matter how much urgency is injected into a conversation. 

It's that sense of urgency that the attackers rely upon to swerve your normal 
good judgement and click a link or give up credentials.

I would also advise considering enrolment into Google's Advanced Protection 
Program, designed for users such as journalists, activists and politicians who 
may be thought of as high-risk account holders. 

One of the downsides of the Advanced Protection Program had always been that it 
required the purchase of not one, but two hardware security keys to use when 
signing into the account. The financial burden was lifted recently earlier in 
the year when Google announced that passkey support was coming to Advanced 
Protection Program users.

The combination of the protections brought by both of these technologies makes 
it something of a no-brainer for most people with a Google account, including 
all Gmail users. 

Here's why. Signing into Google on any device requires the passkey when first 
used, which means that even if a hacker had got your username and account, 
without the device that passkey is stored on (your smartphone) and your 
biometrics needed to verify it, they could not sign in. 

Using this in conjunction with Advanced Protection Program enrolment, which 
restricts most non-Google apps and services from accessing your Gmail account 
data, also makes phished password and account recovery much harder to pull off. 

"If anyone tries to recover your account," a Google spokesperson said, 
"Advanced Protection takes extra steps to verify your identity." 

This means that it can take a few days to verify that you are who you say and 
get access to your Google account back. But it means that hackers can't just 
scam their way into it either.

--
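An added example, not code from the Forbes article, from Mitrovic's blog or from Google: the check Mitrovic did by eye on the disguised address in the "to" field, written as a small Python script. It looks only at the address part of a header (never the display name) and requires the domain to match an allow-list exactly, which is what defeats the suffix, lookalike and confusable-character tricks. TRUSTED_DOMAINS and every address in SAMPLE_HEADERS are assumed values constructed for this illustration, not real Google or attacker addresses.

```python
"""Is this e-mail address really on a Google domain?

Added example (not code from the Forbes article, Mitrovic's blog or Google).
It mechanises the check that caught the disguised "to" address in the scam
above: look only at the address part of the header, and require the domain to
match an allow-list exactly. TRUSTED_DOMAINS and SAMPLE_HEADERS are assumed
values constructed for this illustration.
"""
from email.utils import parseaddr

# Assumed allow-list of domains we treat as genuinely Google's (illustrative).
TRUSTED_DOMAINS = frozenset({"google.com", "accounts.google.com"})


def sender_domain(header_value: str) -> str:
    """Lower-cased domain of the address part of a From/To header.

    parseaddr() splits the display name from the angle-bracket address, so a
    header like '"support@google.com" <x@attacker.example>' yields
    attacker.example: the display name may claim anything, the address part
    is what the mail system actually used.
    """
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()


def is_trusted_domain(domain: str) -> bool:
    """True only when the domain is exactly on the allow-list.

    Exact match defeats 'google.com.attacker.example' (starts with the real
    name) and 'support-google.com' (contains it). Non-ASCII labels, such as a
    Cyrillic 'е' in 'googlе.com', are IDNA/punycode-encoded first, so they can
    never compare equal to an ASCII allow-list entry.
    """
    if not domain:
        return False
    try:
        ascii_domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return False  # un-encodable label: treat as untrusted
    return ascii_domain in TRUSTED_DOMAINS


def is_trusted_sender(header_value: str) -> bool:
    """Both steps for a raw header value."""
    return is_trusted_domain(sender_domain(header_value))


# Constructed sample headers; none of these addresses are real.
SAMPLE_HEADERS = [
    "Google Forms <forms-noreply@google.com>",                  # genuine domain
    '"Google Support" <no-reply@google.com.attacker.example>',  # suffix trick
    '"Google Support" <no-reply@support-google.com>',           # lookalike name
    '"support@google.com" <recovery@attacker.example>',        # display-name trick
    "Google <no-reply@googIe.com>",                            # capital I for l
    "Google <no-reply@googl\u0435.com>",                       # Cyrillic е for e
]


def main() -> None:
    for header in SAMPLE_HEADERS:
        verdict = "trusted  " if is_trusted_sender(header) else "UNTRUSTED"
        print(f"{verdict}  {sender_domain(header):32s}  {header}")


if __name__ == "__main__":
    main()
```

The one sample that passes is the genuine-domain one, and that is exactly the Google Forms caveat the article raises: a real google.com sender proves only that Google's servers relayed the message, not that its content is legitimate. A header check like this is also only what you can see by eye; it is no substitute for the receiving mail server's SPF, DKIM and DMARC results, which catch a forged address that this check would accept.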



------------------------------

Message: 2
Date: Mon, 14 Oct 2024 14:45:25 +0000
From: Philip N Argy <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Re: [LINK] Google Advanced Protection Program
Message-ID: <sy4p282mb36150033cea9982663911b16d1...@sy4p282mb3615.ausp282.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"

The sooner we get a reliable government-supported global public key lookup 
table (as ubiquitous as the DNS itself) the sooner everyone will be able to use 
signed emails by default.  It won't prevent scammers from getting a digital 
credential but it will reduce some of the easy scams like sender email spoofing.
Philip Argy


------------------------------

Subject: Digest Footer

_______________________________________________
Link mailing list
[email protected]
https://mailman.anu.edu.au/mailman/listinfo/link


------------------------------

End of Link Digest, Vol 383, Issue 20
*************************************
