Okay, it’s no surprise that this attack begins with a phishing email. And it’s certainly not an email that would fool a suspicious viewer, but it might get by a few users who aren’t paying much attention. But judge for yourself. Here is what the email looks like on a computer. This copy is from Akamai blogger, Larry Cashdollar.
There are problems with the scam that give it away. First of all, Google isn’t going to send you a notice from a Hotmail address. Secondly, when was the last time you heard someone say, “consult the activity”? Yeah, it’s a phishing attempt designed by some nonnative English speaker. But the sender is hoping the victim will panic and try to find out more about this attempt to sign into their account.
The problem, according to those who have been attacked, is that this attack looks more realistic when viewed on an Android device. If this is the case, you may “consult the activity” whether that wording sounds strange or not. Doing so would bring up the following page.
This is where the trick gets better. A quick check of the URL would show a google.com link, which supposedly gives the page legitimacy. How can this be possible? Clicking on the “consult the activity” button uses Google Translate to redirect the victim to the target site, the “mediacity.co.in” site seen in the search bar.
If the victim misses the warning signs, they may, in fact, sign in to learn about what’s been going on with their account. This gives the attackers your Google login information. Now, you might think this is enough, but not for this attack.
It becomes clear at this point that Android devices are the real target for this attack. It looks far more valid on these devices than on a regular computer. That’s why the next stage of the attack begins with another phishing email. Knowing a victim’s Gmail login information, the attackers send them a Facebook notification that may bypass the spam filter. The email advises the victim to log in to Facebook. On an Android device, the login looks like this.
If the victim logs in, the attackers will take control of the victim’s Facebook account. Then, they can do whatever they want with it. They can collect any personal information the victim has stored there. This could even include financial information. Later, posing as the victim, they could ask the victim’s contacts for money or personal information. Then again, they might only be selling this information to marketers. Almost any kind of attack can be launched on the victims and their contacts once the attackers have harvested enough information.
The attackers know that users occasionally get real messages claiming that their account was accessed from a different device than usual. Some users may be accustomed to getting these warnings and, without looking too closely, may click on a link that claims to give them more information.
The best way to find out what sort of activity has been going on with your Google account is to go to the Google My Activity site. Actually, I would recommend that everyone go there from time to time. It is a very sobering experience.
It’s sobering because you’ll find out just how much Google knows about you and what information it is saving. Remember, they are collecting data just as the hackers do. The only difference is that you agreed to it. If it makes you uncomfortable, you can control your activity by clicking on the “Web and App Activity” link.
There are other privacy settings you can control from this page, but they can be confusing. I actually worked my way through this once but found that the privacy settings I chose seemed to vanish after a while.
In any event, to avoid this particular scam, the same old advice applies. Check who sent the notice and check the links you are being sent to. Before filling in any information, check the URL carefully. Even if you see an apparently legitimate link, look at it more closely. If it is connected to translate, like the one above, go no further. Although this is a new variation on an old attack, I expect others will use this technique to fool victims.
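The “connected to translate” check can also be automated, for example in a mail filter. The Python sketch below is an added example, not code from the article or from Akamai. It assumes the Google Translate page proxy is reached on the two hosts listed and carries the wrapped page in the `u` query parameter; the function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts assumed to serve Google Translate's page proxy, which takes the page
# to fetch in the "u" query parameter. Extend the set for your environment.
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}


def unwrap_translate_link(url, max_depth=5):
    """Return (was_wrapped, final_host) for an absolute URL taken from an email.

    Follows the "u" parameter through Google Translate proxy links, including
    nested ones, and reports the host that would actually serve the page.
    """
    wrapped = False
    for _ in range(max_depth):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        if host not in TRANSLATE_HOSTS:
            return wrapped, host
        target = parse_qs(parts.query).get("u")
        if not target:
            return wrapped, host  # the Translate site itself, no page wrapped
        wrapped, url = True, target[0]
    return True, ""  # nested deeper than max_depth: report as unresolved


def is_google_host(host):
    """True for google.com and its subdomains only (not look-alike names)."""
    return host == "google.com" or host.endswith(".google.com")


def should_block(url):
    """True when a google.com-looking link really loads a non-Google page."""
    wrapped, host = unwrap_translate_link(url)
    return wrapped and not is_google_host(host)


# Constructed sample links; only the mediacity.co.in host comes from the article.
SAMPLES = [
    "https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fmediacity.co.in%2F",
    "https://myactivity.google.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(should_block(link), unwrap_translate_link(link), link)
```

A link that is nested more deeply than `max_depth` comes back as unresolved and is blocked rather than trusted.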