Be Aware, New phishing technique abusing legitimate Google email notifications

[Dictator69]

Hi everyone!

I was reading news and this one specific report got my attention. It is related to a security flaw which is not basically hacking, but more like feature abuse of Google.

Casa co founder Jameson Lopp warned us about a new phishing technique that these scammers are using. They are using legitimate Google infrastructure like Workspace or developer tools to input frantic scam messages directly into the "Name" or "Organization" field and then they enter thousands of spaces which hide the disclaimer by Google that says "If you didn't request this, ignore it." So when someone receives a recovery email notification in their email they would not read the last disclaimer because scammers put thousands of spaces to hide it.

These emails won't go into our spam folder because they are triggered by Google itself, and they pass all security checks like SPF, DKIM, and DMARC and land straight in your Primary Inbox, not in the spam folder.

Thousands of spaces will push the legitimate system footer down, and you will only see the scammer's scary message on the top. You would see the email which is the official Google email and you could think it is real but before clicking anything verify directly from your Google account security feature as they have said it themselves.

Stay safe, check your settings manually, and never rush into clicking links out of panic! Although chances are high that by now they might have solved the issue but even if you have received such emails manipulated by scammers, don't do anything and confirm from your security activity log on Google's main security page.
 

[hd49728]

Stay safe, check your settings manually, and never rush into clicking links out of panic! Although chances are high that by now they might have solved the issue but even if you have received such emails manipulated by scammers, don't do anything and confirm from your security activity log on Google's main security page.

There is no need of a hurry to change anything, there is a mandatory step to check your account security, activity log before doing anything later. If there is nothing strange in your account log, security log, you can feel that your account is safe. Then you can check by searching for whether there is any scam wave aims at Google and Gmail accounts, and likely you will find something.

Above all these things, with any accounts, not only Gmail accounts, you must use strong passwords and turn on 2FA.
[GUIDE] How to create a strong password.

Preventing your account hack by having strong password and active 2FA is better than are fearful of account hack while don't set up security things properly.

[Chinesebaby]

Hi everyone!

I was reading news and this one specific report got my attention. It is related to a security flaw which is not basically hacking, but more like feature abuse of Google.

Casa co founder Jameson Lopp warned us about a new phishing technique that these scammers are using. They are using legitimate Google infrastructure like Workspace or developer tools to input frantic scam messages directly into the "Name" or "Organization" field and then they enter thousands of spaces which hide the disclaimer by Google that says "If you didn't request this, ignore it." So when someone receives a recovery email notification in their email they would not read the last disclaimer because scammers put thousands of spaces to hide it.

I have seen many times the image on the left you just shared above on my Google mail inbox, but never knew it was fake and didn't come from Google entirely, since everything looks real and authentic, displaying Google features. But what I usually do is ignore it, since I never initiated any action to add a recovery mail on my account, and when I see it, I'm sometimes always confused. So I'm happy and want to thank you O.P for sharing this wonderful piece of information to us regarding our Gmail security.

[snowpega]

Thank you, OP, for bringing this to our attention. I literally received a lot of promotional emails on a daily basis. But I never opened them and click them. I am already aware of how much it can be risky to click the unknown link, more espacially if you are a crypto space user. So, we have to be extra attentive in such cases. As a single mistake can lead to worse-case scenarios, where we can lose our assets. Abide by this, I have been facing attacks back in the days, and I still don't know the reason for that.

But on ALTT, a user suggested to me I should not use an unpaid VPN as it can also bring trogone attacks to the device.
After he gave me this advice, I bought a paid one for my use. Now you may be wondering why I use VPN, haha. Actually, in my country, Telegram is banned, so I have to use a proxy to access the Telegram app, and as a user of this forum, you also know the importance of the Telegram app.

[Dictator69]

There is no need of a hurry to change anything, there is a mandatory step to check your account security, activity log before doing anything later...

You are right, we must check the official security log directly from the main dashboard and should not panic because that's exactly what these scammers rely on to make people click links blindly. The scary message they write could convince people to click on the recovery emails that they have manipulated for us. That's why we should take a deep breath and manually verify.

Also, thank you for sharing that guide link for creating strong passwords and emphasizing 2FA. You are absolutely right that 2FA is a mandatory shield for any crypto user nowadays.

Although it is also worth mentioning that in this case if a beginner unknowingly clicked on that link shared by the scammer and even if they have 2FA in place, that link will take the victim to a recovery page where they have to change the password and information and on the same page they have to provide the OTPs etc. so when they do that in the active session which belongs to the scammer then the scammer can access the account using AiTM technology they have been using which automates everything. Although these attacks could stop most of the attacks.

Appreciate your highly valuable addition to the thread! Stay safe.

I have seen many times the image on the left you just shared above on my Google mail inbox,...

You are on the spot sir, because if we have not initiated anything from our end and still are receiving an email that means someone is trying to access our mail especially in this case. Scammers have to have your email first then in the recovery they will enter your email and in the name or organization field they will enter their message which would look like as shown in the images. These are not my images, they were shared by Lopp on his Twitter.

The footer note which tells us that if you have not done anything then ignore the mail is visible in the real one and not visible in the fake one, so most likely a vulnerable person could click on the email. I am glad that it helped.

Thank you, OP, for bringing this to our attention. I literally received a lot of promotional emails on a daily basis. But I never opened them and click them....

If you are already receiving many spam emails that means you are on their list, so be extra careful. We should not reuse our emails for everything and our main working emails should be isolated from offers and activities that are unnecessary for our work. That's how we can save ourselves directly in the first place but you are doing great and I am happy that it was worth sharing.

Yes bro I know the effort here in using Telegram, I have been using proxies for a long time and if they were the issue then I never faced one although I do remember reading your posts about AI and the security alert messages you received. The way you are saying it, they seem like a serious case but if the virus was actually there then you would have lost your funds already if I am not wrong. Because hackers don't delay things.

[EluguHcman]

Stay safe, check your settings manually, and never rush into clicking links out of panic! Although chances are high that by now they might have solved the issue but even if you have received such emails manipulated by scammers, don't do anything and confirm from your security activity log on Google's main security page.

There is no need of a hurry to change anything, there is a mandatory step to check your account security, activity log before doing anything later. If there is nothing strange in your account log, security log, you can feel that your account is safe. Then you can check by searching for whether there is any scam wave aims at Google and Gmail accounts, and likely you will find something.

That is just the simplest way to overcome such insecurity scamming threats.
If you have such notifications from Google account then you don't need to panic hastening to make the change as the contents of the mail instructed otherwise you will think you want to act too smart and there will just be the circumstances that would get your device security at the risk according to the will of the scammers behind the malicious mail.

To keep safe, when such notifications comes in, first your immediate attempt should be about accessing your Google account if there was a potential compromise before taking any action because these scammers had come so far in disguising themselves with their scamming schemes looking legitimate.

So if you find your account safe all you should do is just to ignore the notification.

[Nwada001]

Over the past few months I have been receiving some similar mail for Google security, and I can't recall making such requests. Since the mail is one which I already considered to be exposed to scammers, I don't pay attention to it again. As long as I did not make any request and checking through my security logs shows no recent activities from unknown devices, I just ignore the mail.

Before we used to check on senders to see how secure the mail is, but now that it's easier for these guys to use that loophole to their own advantage, people need to be careful in terms of identifying which mail is real and which one is not.

[YellowSwap]

This is one of those scams that I can never fall victim for, because I don't even look out for such notifications from Google and that's because my email is something I don't take very serious as it's a centralised operating company anyway.

Anything that has anything to do with money you aren't getting, if somehow you manage to get into my Gmail account it's going to be empty as fuck, I don't have money locked up somewhere that my Gmail will reveal and I don't store recovery seed on Gmail too.

Security and account log is a good way to have any eye on everything that's happening, so yes if you have the patience to crosscheck very well ( I advise you should) things should be fine.

[hugeblack]

Thank you, but what does Google email have to do with cryptocurrencies and Bitcoin? If a user trusts Google to store a copy of their wallet seed or an encrypted version of it, they will most likely lose their coins quickly.

I advise staying away from all Google services if you want to enhance the privacy/security of your cryptocurrency use.

[snowpega]

...
Yes bro I know the effort here in using Telegram, I have been using proxies for a long time and if they were the issue then I never faced one although I do remember reading your posts about AI and the security alert messages you received. The way you are saying it, they seem like a serious case but if the virus was actually there then you would have lost your funds already if I am not wrong. Because hackers don't delay things.

Well, maybe you are right about that, as if I share my current experience with you till the day I am using a paid VPN, I have not been attacked again by any such virus, and I am not getting any suspicious virus notification. The conversation that I had with that member, I said to him that I don't use any open source application and all that application i have in my mobile phone are directly installed from the Google Play Store. Then he said there are some apps available on the Google Play Store that do their work once you install them on your mobile phone.

So, maybe hackers use such a technique to bypass the Play Store algorithm, and when they upload their application to the Google Play Store for approval, it marks them safe even though they are unsafe. Do you agree with this point, or can this happen? Like, is it impossible to bypass the Play Store algorithm for uploading an unsafe application on it?

[Porfirii]

In fact, Google is doing it the right way because you only have to take action in order to add a recovery contact, not to avoid adding it like the scammers pretend. That should always be the case when you get unexpected notifications, so that the default decision is to do nothing, which in turn is the safest thing to do.

[Odohu]

This phishing attempt will catch only those who are in a hurry and fail to properly read and digest the content of the email because the fake email is easy to identify as scam. It has sense of urgency and does not give the recipient the option of accepting or rejecting the recovery option, just like it appears on the real email. As long as the fake email leaves a clue for people to know that they are fake, I think people will be able to avoid being victims. Nevertheless, it is imperative to be careful by double checking any link or attachment before clicking them.

[pawanjain]

Hi everyone!

I was reading news and this one specific report got my attention. It is related to a security flaw which is not basically hacking, but more like feature abuse of Google.

Casa co founder Jameson Lopp warned us about a new phishing technique that these scammers are using. They are using legitimate Google infrastructure like Workspace or developer tools to input frantic scam messages directly into the "Name" or "Organization" field and then they enter thousands of spaces which hide the disclaimer by Google that says "If you didn't request this, ignore it." So when someone receives a recovery email notification in their email they would not read the last disclaimer because scammers put thousands of spaces to hide it.

These emails won't go into our spam folder because they are triggered by Google itself, and they pass all security checks like SPF, DKIM, and DMARC and land straight in your Primary Inbox, not in the spam folder.

Thousands of spaces will push the legitimate system footer down, and you will only see the scammer's scary message on the top. You would see the email which is the official Google email and you could think it is real but before clicking anything verify directly from your Google account security feature as they have said it themselves.

Stay safe, check your settings manually, and never rush into clicking links out of panic! Although chances are high that by now they might have solved the issue but even if you have received such emails manipulated by scammers, don't do anything and confirm from your security activity log on Google's main security page.
 
snip

Thanks for the headsup. It's always good to see people raising awareness about such phishing attempts.
Even if some people already know about such scams, it's a great thing to post even if one person didn't knew about this phishing mail.
To avoid this, it's better to verify the logs from official page. We can easily go our account verify the permissions for the same.

[Catenaccio]

Thank you, but what does Google email have to do with cryptocurrencies and Bitcoin? If a user trusts Google to store a copy of their wallet seed or an encrypted version of it, they will most likely lose their coins quickly.

I advise staying away from all Google services if you want to enhance the privacy/security of your cryptocurrency use.

Storing wallet backups online, in email like gmail, in cloud storage like Google Drive, or in chat is very stupid, careless and dangerous practice. It's not recommended by anyone who have knowledge and experience in Bitcoin and cryptocurrency.

It's risk warned in this guide on How to back up a seed phrase?

Terrible Backup Schemes
Let's begin by going through some common forms of backing up seed phrases that are incontrovertibly prone to failure.

Storing your (unencrypted) seed phrase in any online service. This includes:

Taking a photo of your seed phrase.
Any note taking apps that get synced to the cloud.
Services that sync files from your phone / laptop to the cloud.

[dansus021]

I mean scammer nowadays are getting smarter day by day they just really know well where is the loopholes of the system and their really skilled with their social enginnering things maybe if this was a degree they have a good value in the industry hahah. It is one of the most clever psychological and structural manipulations of the year because it turns Google’s greatest security strength its immaculate sender reputation into its biggest vulnerability.

Goole itself already saying that Adopt a absolute Zero-Trust mindset for any urgent notification. If you get an email saying your Google account is under attack, never click the link in the email. Close the app, manually type myaccount.google.com/notifications into your browser, and look at your security dashboard directly. If it’s not listed on your official Google security log, it didn't happen."

[taufik123]

Thank you, but what does Google email have to do with cryptocurrencies and Bitcoin? If a user trusts Google to store a copy of their wallet seed or an encrypted version of it, they will most likely lose their coins quickly.

I advise staying away from all Google services if you want to enhance the privacy/security of your cryptocurrency use.

Most of the people I know (not just crypto) they use google services to store their personal files, store passwords and some important private keys.
Maybe because it's more practical and they consider google's services the best, they forget that their own stupidity will be the easiest loophole to hack.

It is better to build a private Cloud like Synology's NAS for primary storage that doesn't rely on third-party services like Google.

[joniboini]

It is better to build a private Cloud like Synology's NAS for primary storage that doesn't rely on third-party services like Google.

I'm not sure how widespread NAS knowledge or backups in general is. I'm sure anyone who interact with computers and a bit enthusiastic about it knows about cloud storage to some extent, but I doubt they have the drive to build their own system for that, unless their workflow demands it. For example, my family or friends who're quite tech literate and knows about crypto to some extent don't really want to build a NAS because they don't consume a lot of media. Building one for backups seems a bit overkill for them too since they work with cloud files to begin with. I guess they just have to make sure they don't overly rely on some third-party services for their private files and they think it will be fine.

[OcTradism]

I'm not sure how widespread NAS knowledge or backups in general is. I'm sure anyone who interact with computers and a bit enthusiastic about it knows about cloud storage to some extent, but I doubt they have the drive to build their own system for that, unless their workflow demands it. For example, my family or friends who're quite tech literate and knows about crypto to some extent don't really want to build a NAS because they don't consume a lot of media. Building one for backups seems a bit overkill for them too since they work with cloud files to begin with. I guess they just have to make sure they don't overly rely on some third-party services for their private files and they think it will be fine.

Important and sensitive personal identity documents and Bitcoin & cryptocurrency wallets, backups should never be stored on cloud. There are different methods for backups on Cloud storage but we decide which things can be stored on Cloud and which ones should never be stored on Cloud if we see risks are more than benefits and convenience.

Many guide topics on Security and Privacy that can help to secure devices, accounts, wallets and wallet backups.
Security and Privacy Encylopedia.

[maydna]

The first thing is calm down and not panic, that helps you to read what is mean and looking for more information and don't click any link inside the email but verify first or you might be the target of scam.

Checking the email address inside the email you received helps you to identify if that is real or fake so double check on the email address of the sender because they can manipulating this and looks real.

If you are sure you don't know the email address or don't have contact to that email, you can removes the email or block but you need to calm down so you can thinks clear what you can do.

[hugeblack]

Storing wallet backups online, in email like gmail, in cloud storage like Google Drive, or in chat is very stupid, careless and dangerous practice. It's not recommended by anyone who have knowledge and experience in Bitcoin and cryptocurrency.

True, but some wallets recommend this, and since many beginners prioritize ease of use over security and believe that an encrypted file is secure, I think many might use this option (ignoring the fact that some people keep a screenshot of the wallet seed in the cloud). However, my question to @OP was about the relevance of this to cryptocurrencies.