Trying to stay ahead of scammers can be exhausting. Just when you think you know how to avoid their tricks, they come up with a new approach. Case in point: a new phishing scam is tricking people into installing malware by posing as a Google security check.
Security researchers at Malwarebytes, a cybersecurity company, recently discovered a phishing website that pretends to be part of Google's account protection system. The site uses the domain google-prism[.]com and presents what looks like a legitimate security page asking you to complete a short verification process.
Visitors are told they should complete a four-step setup to improve their account protection. The page explains that these steps will help secure your Google account and protect your devices from threats. During the process, the site asks you to approve several permissions and install what it claims is a security tool.
The tool it installs is actually a Progressive Web App (PWA). A PWA is a website that the browser installs and runs like a regular app on your computer: it opens in its own window, can send notifications, and can run background tasks through a service worker. Nothing is downloaded from an app store and no installer runs, so the usual "unknown publisher" cues never appear.
Once installed, the malicious web app can collect your contacts, read whatever you copy to the clipboard, track your location and attempt to capture one-time login codes sent to your phone. Each of these abilities rests on a browser permission you granted during the fake "setup", and the codes it targets are the ones used when you sign in to accounts protected by two-factor authentication.
The fake security page may also offer an Android companion app described as a "critical security update." Researchers found that this app requests 33 permissions, including access to text messages, call logs, contacts, microphone recordings and accessibility features.
Those permissions let attackers read your messages, capture keystrokes, monitor notifications and, through Android's accessibility service, see what is on screen and perform taps on your behalf. Even if the Android app is never installed, the web app alone can still collect sensitive information and quietly run activity through your browser.
The scam works because it looks like something you would normally trust. Many people expect security alerts from the services they use, especially when it comes to protecting email or cloud accounts. Attackers take advantage of that trust by presenting the fake page as a helpful security feature.
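The substring trap is what makes the page convincing: "google-prism[.]com" contains the brand name, but it is not a Google domain. Below is a small added check, written for this article and not part of the Malwarebytes report or any Google tooling, that decides trust by the registrable domain rather than by whether the word "google" appears anywhere in the host. The allow-list of roots and the two-label registrable-domain heuristic are assumptions made for the example; a production check would consult the Public Suffix List.

```javascript
// Added example: not from the article or the Malwarebytes research.
// Trust is decided by the registrable domain, not by whether "google"
// appears somewhere in the host name.

// Assumed allow-list of legitimate roots (illustrative, not Google's official list).
const TRUSTED_ROOTS = new Set(["google.com", "gstatic.com", "googleapis.com"]);

// Turn defanged indicators such as "google-prism[.]com" back into a parseable host.
function refang(text) {
  return text.replace(/\[\.\]/g, ".");
}

// Registrable domain approximated as the last two labels. Assumption: this
// heuristic is adequate for .com-style TLDs; real code should consult the
// Public Suffix List so that e.g. "example.co.uk" is handled correctly.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2 || labels.some((l) => l === "")) return null;
  return labels.slice(-2).join(".");
}

// Classify a host name:
//   trusted   - registrable domain is on the allow-list (accounts.google.com)
//   lookalike - brand name appears but the registrable domain is not trusted
//               (google-prism.com, google.com.evil.net)
//   unknown   - no brand name and not on the allow-list
//   invalid   - not a usable host name
function classifyHost(hostname) {
  const root = registrableDomain(hostname);
  if (root === null) return { verdict: "invalid", root: null };
  if (TRUSTED_ROOTS.has(root)) return { verdict: "trusted", root };
  if (hostname.toLowerCase().includes("google")) return { verdict: "lookalike", root };
  return { verdict: "unknown", root };
}

// Same check starting from a full (possibly defanged) URL.
function classifyUrl(rawUrl) {
  let hostname;
  try {
    hostname = new URL(refang(rawUrl)).hostname;
  } catch {
    return { verdict: "invalid", root: null };
  }
  return classifyHost(hostname);
}

// Constructed sample input: the domain named in the article plus a few controls.
const SAMPLES = [
  "https://google-prism[.]com/verify",
  "https://accounts.google.com/signin",
  "https://google.com.evil.net/",
  "https://example.org/",
];
for (const url of SAMPLES) {
  const { verdict, root } = classifyUrl(url);
  console.log(`${verdict.padEnd(9)} ${root ?? "-"}  ${url}`);
}
```

Run it with `node` and it prints one verdict per sample. The point a practitioner should take away is the second branch of `classifyHost`: a host that mentions the brand but resolves to some other registrable domain is exactly the pattern to treat as hostile, whether the brand sits in the leftmost label (google-prism.com) or the domain is padded with trusted-looking subdomains (google.com.evil.net).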
When you approve the permissions and install the web app, you are handing the attackers access to parts of your device. One of the main things they try to capture is one-time passwords, the short codes you receive when logging in to accounts protected by two-factor authentication.
If attackers manage to capture those codes while also knowing your password, they may be able to break into your accounts. That could include your email, financial services or cryptocurrency wallets, depending on which accounts you use. The malware also watches what you copy and paste. Many people copy cryptocurrency wallet addresses before sending digital currency, and those addresses can be valuable to criminals. The malicious app can collect that information and send it back to the attackers.
Another feature lets attackers route their own internet requests through your browser. Their traffic then leaves from your device and carries your home IP address, which makes it look like ordinary consumer traffic and points any investigation at you rather than at them. The app can also send notifications styled as security alerts or system warnings; clicking one reopens the app and gives it another chance to capture login codes or clipboard contents.
Read here to learn how Google is working to mitigate these threats, and what advice they give to truly keep your account(s) secure. Consumers today need to stay alert and informed, and take all the steps needed to keep their personal information and their money secure!