The majority of email users are now well aware of scams and attacks that land inboxes every day. Google has now got so good at spotting rogue messages that most of them are instantly filtered long before they reach customer accounts. However, it appears now is not a good time to become complacent. Hackers have recently managed to pull off a cyber attack that avoids Google’s multi-factor authentication.
That means cyber crooks could gain full access to accounts without the owner ever knowing anything is wrong.
The new assault was spotted by security researchers at Google Threat Intelligence Group, who confirmed targeted attacks have already taken place.
Google accounts are usually very secure, with users needing to use multiple methods to access services such as Gmail. These often include two-factor authentication, which sends a message to a second device before a login is granted.
But it seems Russian cyber crooks have found a way to target older phones and other devices that are unable to handle this extra verification step.
Google offers something called app passwords, which are special 16-digit codes aimed at keeping less modern devices safe.
However, because app passwords skip the second verification step, hackers can steal or phish them more easily.
According to Malwarebytes, the crooks used this method to target prominent academics and critics of Russia.
“The attackers initially made contact by posing as a State Department representative, inviting the target to a consultation in the setting of a private online conversation,” Malewarebytes explained.
“While the target believes they are creating and sharing an app password to access a State Department platform in a secure way, they are actually giving the attacker full access to their Google account.”
Although this was a highly targeted attack, it doesn’t mean the general public might not be next.
“Now that this bypass is known, we can expect more social engineering attacks leveraging app-specific passwords in the future,” Malwarebytes warned.
If you are concerned by this new attack, security experts have issued advice on how to stay safe.
• Only use app passwords when absolutely necessary. If you have the opportunity to change to apps and devices that support more secure sign-in methods, make that switch.
• The advice to enable MFA still stands strong, but not all MFA is created equal. Authenticator apps (like Google Authenticator) or hardware security keys (FIDO2/WebAuthn) are more resistant to attacks than SMS-based codes, let alone app passwords.
• Regularly educate yourself and others about recognising phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords through phishing.
• Keep an eye on unusual login attempts or suspicious behaviour, such as logins from unfamiliar locations or devices. And limit those logins where possible.
• Regularly update your operating system and the apps you use to patch vulnerabilities that attackers might exploit. Enable automatic updates whenever possible so you don’t have to remember yourself.
• Use security software that can block malicious domains and recognise scams.