Tag: Gmail

  • Gemini Mail Summaries Loophole: A Target for Phishing Attacks

    Gemini Mail Summaries Loophole: A Target for Phishing Attacks

    Key Takeaways

    1. Google introduced Gemini-enabled email summaries in Gmail to help users quickly grasp key points from long emails.
    2. A flaw in Gemini may allow hackers to perform prompt-injection phishing attacks, targeting users who rely on AI summaries.
    3. The vulnerability involves hiding harmful directives in email text by using invisible formatting, which Gemini would still process.
    4. An example showed that a hidden warning about a compromised password could mislead users into urgent actions.
    5. Potential solutions include developing detection techniques for concealed content and implementing filters to analyze Gemini’s output for suspicious elements.

    Google introduced Gemini-enabled email summaries in Gmail near the end of May, aiming to assist users in grasping the key points without having to sift through long paragraphs. Nonetheless, a flaw within Gemini could potentially allow hackers to execute a prompt-injection phishing attack, particularly targeting those who heavily rely on AI summaries for managing their emails.

    Research Findings

    This issue was discovered by Marco Figueroa, the GenAI Bug Bounty Programs Manager at Mozilla. The deceptive email may appear like a typical message filled with text, yet it could conceal a phishing scam that Gemini is unable to detect. The harmful directives can be embedded in the text body or placed immediately after by changing their font size to 0 and altering the color to white, rendering them invisible. Nevertheless, Gemini would still process that section of the email and act on the hidden instructions.

    Example of the Flaw

    For instance, Figueroa managed to hide a warning message within the email indicating that the user’s Gmail password was compromised, along with a support phone number. When the AI summarized the email, it displayed the warning at the end alongside an urgent suggestion to call the support number without delay. While this trick may not deceive everyone, some users might take action out of concern for their account security.

    Potential Solutions

    The researcher points out that security teams can introduce detection and mitigation techniques for content that has been concealed, allowing them to either eliminate or disregard the hidden content. Additionally, there could be post-processing filters that analyze Gemini’s output to identify URLs, urgent alerts, or phone numbers.

    BleepingComputer contacted Google about this Gemini vulnerability, and a representative indicated that some mitigation strategies are currently being worked on.

    Source:
    Link

    Gemini Mail Summaries Loophole: A Target for Phishing AttacksGemini Mail Summaries Loophole: A Target for Phishing Attacks
    Tags: , ,
  • Google Replaces SMS Authentication for Gmail Logins

    Google Replaces SMS Authentication for Gmail Logins

    Key Takeaways

    1. Google will replace SMS authentication for Gmail logins with QR code verification.
    2. The switch aims to enhance security by reducing vulnerabilities associated with SMS, which is often exploited by hackers.
    3. QR code validation is expected to mitigate phishing threats faced by Gmail users.
    4. Users will need to scan a QR code generated during login instead of receiving a 6-digit code via text.
    5. Further details about the rollout of this new system are unclear, but users can explore alternative secure methods in the meantime.

    Gmail logins are set to become more secure with a new initiative from Google.

    According to insider information, including insights from a top security spokesperson, Davey Winder of Forbes reports that Google plans to eliminate SMS authentication for Gmail access. Instead, the tech giant will transition to using QR codes to confirm logins for its free email platform.

    New Approach to Verification

    In a “privileged conversation” with sources within Google, Winder discovered that Gmail will implement QR codes for login verification to combat the issues associated with the outdated SMS system. SMS has long been known as an insecure communication method; hackers and malicious individuals have exploited it to spoof phones, phish for personal numbers, and intercept messages sent via SMS (including verification codes) for many years now.

    Ross Richendrfer, who oversees Google Workspace’s Security and Privacy PR, mentioned that switching to QR code validation will “reduce the phishing threat faced by Gmail users” and remove the security vulnerabilities tied to users’ mobile service providers. Rather than receiving a 6-digit code through a regular text message, users will be required to scan a QR code generated when they log in to their Gmail account on a new device. This change is expected to close off many paths that could be taken by cybercriminals to capture a login code.

    Future Details Still Unclear

    There is not much additional information available about this transition to QR codes. Notably, there is no indication of when this new practice will be rolled out, although Richendrfer advised Winder to “expect more from us shortly.” In the meantime, users can consider alternative secure methods such as passkeys or physical two-factor authentication devices (like the Yubikey 5C NFC USB-C key, which is priced at $55 on Amazon).

    Source:
    Link

    Tags: , ,
  • Beware: Fake Google Calendar Invites Are the Latest Phishing Scam

    Beware: Fake Google Calendar Invites Are the Latest Phishing Scam

    Fake Google Calendar invites that look like they’re from real sources are the latest trick used by scammers to collect personal info. By cleverly changing the email headers, these messages appear to come from official companies or acquaintances of the victim. While the attacks can take various forms, they all share a common element: a Google Calendar invite. Clicking on the link usually leads victims to a site designed to gather personal details, which the scammers can use to carry out further attacks or even request sensitive financial data directly.

    Rise in Attack Frequency

    Researchers have noted that these kinds of attacks have increased in recent weeks. Around 4,000 emails of this type have been sent to unsuspecting targets over a four-week span, impersonating more than 300 different brands. Email scanning tools found in services like Gmail and Microsoft Outlook started to detect these attacks at some point, prompting criminals to adapt their strategies. Now, the fake links might direct users to pages using Google Forms or Google Drawings, and may even feature a phony ReCaptcha screen. Ultimately, the goal is still to mislead the victim, who trusts the message’s supposed sender, into providing sensitive information that the attackers can exploit later.

    Recommendations for Users

    After being informed about this scheme, Google recommended that users take advantage of Gmail’s filtering rules and the "known senders" setting. These measures can help stop potential victims from accessing harmful emails in the first place. Until a more complete security solution is developed, the best defense is to stay alert and only click on links from trusted contacts or those that were expected to arrive.

    Check Point | Dark Reading

    Source: Link

    Tags: , ,
  • New AI Scam Calls Threaten Billions of Gmail Users: Experts Warn

    New AI Scam Calls Threaten Billions of Gmail Users: Experts Warn

    A surge in AI-driven scams is now aiming at Gmail users, and even experienced professionals are struggling to dodge them. These phishing schemes, which imitate Google support, are becoming increasingly clever, and it’s alarming when experts in the field raise the red flag. Sam Mitrovic, a consultant at Microsoft, recently recounted how he nearly fell prey to a very convincing scam phone call.

    The Start of a Deceptive Scheme

    It all began with what seemed like a normal notification about a Gmail account recovery. Mitrovic decided to ignore it, but about 40 minutes later, he received a call from someone claiming to be from Google support. The caller, who spoke with an American accent, inquired whether Mitrovic had logged in from Germany and asserted that someone had been accessing his account for a week. Although Mitrovic sidestepped the trap, he highlighted just how polished and believable the scam was, even replicating Google’s official phone numbers (in his case, an Australian number) to lend it more authenticity.

    Another Victim’s Close Call

    Garry Tan, a venture capitalist and the founder of Y Combinator, also alerted others about a similar phishing scheme. In his instance, the scam suggested that a family member had submitted a death certificate to retrieve his account. The AI-powered caller pressured Tan to confirm his identity in a manner that was meant to induce panic, similar to Mitrovic’s experience.

    These scams are evidently leveraging AI’s capability to mimic genuine conversations and fabricate real Google processes. The attackers are even utilizing tools like Google Forms to enhance the authenticity of their scams, tricking users into thinking the threat is genuine. Both Mitrovic and Tan caution that anyone, no matter their level of tech savvy, could be caught off guard by these advanced strategies—especially in the wrong moment or situation. Moreover, these scams are likely to become more challenging to identify as AI technology evolves.

    Google’s Response to the Threat

    To combat these dangers, Google has teamed up with the Global Anti-Scam Alliance and the DNS Research Federation to introduce the Global Signal Exchange. This initiative aims to share real-time information about scams across various sectors. Furthermore, Google’s Advanced Protection Program now includes support for passkeys, providing an additional layer of security that could determine whether you keep your account or lose it.

    Image 1
    Tags: , ,
  • In three weeks, Google plans to remove inactive Gmail accounts, warns company

    In three weeks, Google plans to remove inactive Gmail accounts, warns company

    Google Warns Inactive Gmail Users to Update or Lose Accounts

    Google has issued a three-week warning to inactive Gmail account holders to update their records or risk losing their accounts. The internet search giant plans to purge millions of Gmail accounts that have been inactive for up to two years, resulting in the permanent loss of emails, documents, photos, and videos.

    The removal of inactive Gmail accounts is part of a major update to the email service. All personal Gmail accounts that have been dormant for at least two years will be affected by the purge. The updated policy, which was introduced this year, is expected to take effect by December 2023. Google is updating its inactivity policy for Google Accounts to two years across all Google products. Additionally, the policy limits the amount of time that Google can retain unused personal information from dormant accounts.

    Enhancing User Safety

    The move by Google to delete inactive Google accounts has positive safety implications. It is expected to protect active Google users from security threats like phishing, account hijacking, and scams. Dormant Google accounts are at a higher risk of being compromised by hackers. Google will send multiple notifications to affected inactive or dormant Gmail account holders before taking any action.

    Notifications will also be sent to the attached recovery email address of affected accounts. Google has already begun sending emails to the affected accounts. Account holders facing the risk of account deletion can prevent it by performing various actions, such as sending or opening an email, accessing Google Drive, downloading an app from the Google Play Store, or simply conducting a Google search while logged into the account.

    Protection for YouTube Users

    Gmail has grown into a massive email platform with a ubiquitous appeal. Google has stated that any account that has posted a YouTube video will not be impacted by the account purge, regardless of its last activity date.

    Tags: ,