
Latest news with #GMail

Google Responds to Report of Sophisticated Gmail Phishing Attack

Epoch Times

23-04-2025


Google on April 22 said it is aware of reports of a phishing scam targeting Gmail account holders and has rolled out a fix.

Earlier this month, a software developer and researcher wrote that he received a security alert email that purported to be from Google that informed him that a 'subpoena was served on Google LLC requiring us to produce a copy of your Google Account content,' adding later that the user could look into the details to 'submit a protest.'

'Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got,' the developer, Nick Johnson, The email was sent from the ' 'It passes the DKIM signature check, and GMail displays it without any warnings—it even puts it in the same conversation as other, legitimate security alerts,' he said.

DKIM is an acronym for DomainKeys Identified Mail, an email authentication protocol that uses digital signatures to verify whether an email is legitimate, according to Google's website.

The only suggestion that it is a phishing attack, where attackers try to appear as a legitimate entity to dupe a victim into revealing sensitive or personal information, is 'that it's hosted on instead of Johnson wrote in an X thread. Another sign it's a phishing attempt, he

A spokesperson for Google told The Epoch Times on Tuesday that the company has 'rolled out fixes to stop this abuse pathway,' responding to questions about Johnson's claims.

'We've shut down the mechanism that attackers are using to insert arbitrary length text, which will prevent this method of attack from working,' the company said.

'We're aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns,' a separate company spokesperson said in a statement.

Google also won't 'ask for any of your account credentials—including your password, one-time passwords, confirm push notifications, etc.—and Google will not call you,' the spokesperson added.

Google A separate Google 'We won't give notice when legally prohibited under the terms of the request. We'll provide notice after a legal prohibition is lifted, such as when a statutory or court-ordered gag period has expired,' the company says, adding it may 'not give notice in the case of emergencies, such as threats to a child's safety or threats to someone's life, in which case we'll provide notice if we learn that the emergency has passed.'

Beware of This Gmail Scam Masquerading as a Google Security Alert

Business Mayor

21-04-2025


If you've recently received an email that appears to be from [email protected] urging you to verify your Gmail account activity or risk deactivation, don't panic, but also don't click. A new phishing scam is targeting Gmail users, and it's so well-crafted that even tech-savvy individuals might fall for it. The email mimics Google's branding with stunning accuracy, making it look like a legitimate security alert.

The warning signs were first flagged by Nick Johnson, an X user who shared details of his experience. 'Recently, I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure,' he said in a post. His discovery has since raised alarms among cybersecurity experts and everyday users alike.

What makes this phishing email so dangerous is its apparent legitimacy. It carries the Google logo, uses professional-sounding language, and—most alarming of all—it appears to be sent from [email protected], a typically trustworthy source. 'The first thing to note is that this is a valid, signed email – it really was sent from [email protected]. It passes the DKIM signature check, and GMail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts,' Johnson explained.

The email tells recipients that their Gmail accounts are under review due to suspicious activity. It urges users to act quickly by clicking on a 'Review Activity' button, warning that if they don't respond within 24 hours, their accounts will be suspended. This sense of urgency is a classic phishing tactic aimed at tricking people into reacting impulsively.

While the sender's display name reads 'Google,' a closer inspection reveals that the actual email comes from a suspicious-looking address—often filled with random characters. This is a major red flag, commonly used in phishing scams to deceive users.

The true objective of these emails is to lure victims into entering their login details on a fake site that mirrors Google's sign-in page. Once hackers gain access, they can comb through your inbox, steal personal data, and use your account to target your contacts. 'From there, presumably, they harvest your login credentials and use them to compromise your account; I haven't gone further to check. So how did they do it – especially the valid email? This is due to two vulnerabilities in Google's infra that they have declined to fix,' Johnson added.

In more advanced scenarios, the phishing site may even ask for your recovery email, phone number, and 2FA codes, allowing scammers to completely take over your account. Once locked out, recovering access can be incredibly difficult.

The good news? Google is taking action. Johnson later confirmed, 'Google has reconsidered and will be fixing the oAuth bug!' But until then, users must stay vigilant.

What to Do If You Receive This Email:

  • Don't click any links. If unsure about the email's legitimacy, open Gmail in a new tab and navigate directly to your account settings. From there, review your security alerts and recent activity.
  • Report the email. Use Gmail's built-in feature to report phishing. Just click the three-dot menu in the top-right corner of the message and select 'Report phishing.' This helps Google block similar scams in the future.
  • Enable Two-Factor Authentication (2FA). If you haven't already, turn on 2FA to add an extra layer of security to your account. Even if someone has your password, they won't be able to log in without the second verification step.
