
Update, Feb. 1, 2025: This story, originally published Jan. 30, has been updated with additional prevention advice for spotting algorithmic AI-powered threats, a statement from Google about the complex Gmail attack, and a comment from a content control security expert.
Hackers, images being used in novel attacks, and even persistent 2FA-bypass risks against Google customers have all been reported. What a time to be alive if you are a legal hacker, although calling this latest terrifying hack “alive” is a stretch: be warned, this malicious AI wants your Google credentials.
Victim Declares Latest Gmail Threat “The Most Powerful Phishing Attack I’ve Actually Seen”
Imagine being called from a number with a Facebook caller ID by an American support representative warning you that someone had hacked into your Google account, which has since been partially blocked. Imagine that support representative sending an email to your Gmail account to confirm this, as requested by you, sent using a legitimate Google website. Imagine asking about the phone number and requesting a call back to verify that it was genuine. After explaining that the number was listed on google.com, they agreed and suggested there might be a waiting period. You checked and it was listed, so you didn’t make that call. Imagine receiving a code from Google that would allow you to regain control of your account, and almost acting on it. Luckily, by this stage, the founder of Hack Club, the person who almost fell victim, had sussed it was an AI-driven attack, albeit a very clever one.
If this sounds familiar, that’s because it is: I first warned about such AI-powered attacks against Google users on Oct. 11. The strategy is nearly identical, and the message to all 2.5 billion Gmail users is the same: be aware of the threat and stay alert at all times.
“Cybercriminals are constantly developing new tactics, techniques, and procedures to exploit vulnerabilities and bypass security controls, and companies must be able to quickly adapt and respond to these threats,” Spencer Starkey, a vice-president at SonicWall, said. “This requires a proactive and flexible approach to security, which includes regular security assessments, risk knowledge, risk management, and incident response planning.”
Mitigating The AI-Attacks Against Your Gmail Account Credentials
When it comes to these extremely sophisticated AI attacks, all the conventional phishing mitigation advice goes out of the window, or at least a large portion of it does. “She sounded like a real engineer, the connection was super clear, and she had an American accent,” Latta said. This contrasts with the description in my October story, when the attacker was described as being “super realistic,” even though there was a pre-attack phase during which notifications of compromise were sent seven days earlier to set the target up for the call.
The first target was a security consultant, which likely prevented them from falling prey to the AI attack, and the most recent potential victim is the founder of a hacking club. How can you stay safe when you may not have nearly as much technical experience as these two, both of whom almost succumbed?
“Due to the speed at which new attacks are being created, they are more adaptive and difficult to detect, which poses an additional challenge for cybersecurity professionals,” Starkey said. “From a high-level business perspective, they must look to constantly monitor their network for suspicious activity, using security tools to detect where logins are occurring and on what devices.”
For everyone else, consumers especially: if you are approached by someone claiming to be from Google support, stay calm and hang up, as Google support won’t call you.
If in doubt, use sources like Google and your Gmail account to look up that phone number and to check whether anyone you don’t recognize has accessed your account. In the web client, scroll to the bottom of the screen, where a link at the bottom right will show all of your recent activity. Finally, pay particular attention to what Google says about protecting yourself from hackers who use Gmail phishing scams.
The Advanced Protection Program, And Google Passkeys, Can Help Keep Your Gmail Account Secure
When it comes to one particular feature that Google offers to help protect your Gmail account from targeted attacks, such as the highly sophisticated AI-powered threat covered in this article, I am somewhat of an evangelist. Despite the best efforts of Google and the media to promote that feature over the years, yes, years, that it has been available, it is not as well-known as it should be. I’m talking about the Advanced Protection Program, which is designed for high-risk account holders such as journalists, activists and politicians. However, it is also available to anyone, including you.
Once you have enrolled in Advanced Protection, you will need to use a passkey or hardware security key to confirm your identity when you log into your Gmail account. “Unauthorized users won’t be able to sign in without them,” Google said, “even if they know your username and password.” Let’s repeat the rule: any device signing into Gmail must first have the passkey. This means that even if a hacker had used any kind of hacking technique to steal your username and password, they would not be able to sign in without your smartphone and biometrics to verify it. Period.
When you sign up for new apps or services, you’re often asked to give access to information in your Google Account, such as your Gmail contacts. As you would expect, there are already built-in safeguards in place, but the Advanced Protection Program raises the bar to prevent unauthorized access to your account and data. “Advanced Protection allows only Google apps and verified third-party apps to access your Google Account data,” Google said, “and only with your permission.” Google said that you may receive more alerts or warnings before downloading a file or installing an app, and that optional security features will be automatically enabled. This shouldn’t negatively impact most users, and any inconvenience shouldn’t outweigh the additional security protections for high-risk users anyway.
“We have not seen any evidence that this is a widespread scam, but we are strengthening our defenses against abusers who use g.co references at sign-up,” according to a Gmail spokesperson.