Urgent warning to all 1.8b Gmail users over new scam to steal their accounts

Cybersecurity experts have issued a stark warning to 1.8 billion Gmail users after a new scam began to gain traction which could lead to a total loss of their accounts.

Analysts at Malwarebytes Labs are urging people to stay alert after uncovering a harmful website designed to imitate Google’s genuine account security tool, which is normally used to help users protect their accounts.

According to researchers, the fraudulent page is a near lookalike of Google’s official security check and walks targets through a four-step “verification” flow that can seem credible at first.

But rather than improving security, the process is intended to harvest sensitive information and permissions that can be leveraged to access Gmail and other Google services.

Investigators say the scam often begins when someone clicks a link distributed by hackers through phishing emails, text messages, or deceptive pop-ups that warn a Google account needs urgent security verification.

After clicking through, users land on the fake site and are encouraged to install what appears to be a security tool. In reality, it can be used to access information on the device, including contacts, live GPS location, and clipboard content.

“When installed as a PWA (Progressive Web App), the browser address bar disappears,” Malwarebytes researchers explained in a blog post. “The victim sees what looks and feels like a native Google app.”

The site is broken into four stages, beginning with instructions to install the fake app, which can initially appear authentic to the victim.

Next, users are asked to turn on notifications, with claims this is necessary to receive important security warnings. Researchers warn that accepting this may give criminals an ongoing channel to reach the device even when the bogus app isn’t open.

In step three, the page requests access to the user’s full contact list while presenting it as a protective measure. Researchers stress this is not something Google would request, and they say the captured data is transmitted to a server controlled by the attackers.

The fourth and final step asks the victim to share GPS location information, including details such as latitude, longitude, altitude, direction, and speed—data that could allow criminals to identify where someone lives, where they are currently, and potentially their movements over time.

Researchers also warn that if a user is persuaded to install the app, attackers may be able to intercept two-factor authentication codes from legitimate sources. In some cases, the attack could also lead to additional malicious software being installed, such as tools that record keystrokes and capture usernames, passwords, and other highly sensitive data like social security numbers or addresses.

“Once connected, the attacker can route arbitrary web requests through the victim’s browser as if they were browsing from the victim’s own network,” Malwarebytes researchers said.

They added that Google would not ask users to install software through a pop-up, and continued: “If you receive an unexpected ‘security alert’ asking you to install software, enable notifications, or share contacts, close the page.”

“Legitimate account security tools are accessed directly through your Google Account at myaccount.google.com.”