Despite the fact that security technologies continue to improve, phishing persistently remains a threat, which is why Google has announced several ways it plans to combat phishing at Google I/O 2022.
To protect its users against phishing attacks, the search giant is scaling phishing protections to Google Docs, Sheets and Slides while also continuing to auto-enroll users in 2-Step Verification.
As businesses and end users have become more aware of the dangers of phishing, multi-factor authentication (MFA) has become a particular focus for cybercriminals. For instance, they often try to phish SMS codes directly by following a legitimate “one-time passcode” with a spoofed message asking potential victims to “reply back with the code you just received”.
According to a new blog post from Google, attackers are also leveraging more sophisticated dynamic phishing pages to conduct relay attacks in which a user thinks they’re logging into a legitimate site. Instead of deploying a simple static phishing page that merely steals a user’s credentials, attackers deploy a web service that logs into the actual website at the same time as the user is entering their details into the phishing page.
These kinds of attacks are especially challenging to prevent because any authentication challenge shown to the attacker (such as a prompt for an SMS code) is also relayed to the victim. The victim’s response is then relayed back to the real website, and the attacker uses it to solve whatever further authentication challenges may arise.
Phishing-resistant authentication
While security keys like Google’s own Titan Security Key can prevent phishing by verifying the identity of the website users are logging into, not everyone wants to carry around an additional physical device to log into all of their online accounts.
This is why Google is building this same functionality into Android smartphones and iPhones. Unlike physical FIDO security keys that need to be connected via USB, the search giant uses Bluetooth to ensure a user’s smartphone is close to the device they’re logging into. This also helps prevent “person in the middle” attacks that can still work with SMS codes or Google Prompts.
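The reason a FIDO security key (or a phone acting as one) defeats the relay attack described above, while an SMS code does not, is that the signature the authenticator produces is bound to the site the user is actually on. The following is an added, self-contained model of that mechanism, not Google's or the FIDO Alliance's code: it mimics what the browser and a relying party check during a WebAuthn assertion, then runs a legitimate login and a relayed one through the same verifier. The relying-party name `accounts.example`, the phishing origin `accounts-example.phish.test` and the HMAC used in place of the authenticator's private-key signature are all constructed stand-ins so the script runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying-party identity for the example; not a real service.
RP_ID = "accounts.example"
RP_ORIGIN = "https://accounts.example"
# Constructed look-alike origin used by the relay service's phishing page.
PHISH_ORIGIN = "https://accounts-example.phish.test"


def _rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, key: bytes) -> dict:
    """Model of what browser + authenticator do for navigator.credentials.get().

    The browser refuses an rpId that is not the page's own domain (or a parent
    of it), so a phishing page cannot request a signature scoped to the real
    site. It then records the page's *actual* origin in clientDataJSON.
    """
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData: sha256(rpId) || flags (user-present bit) || 4-byte counter
    auth_data = _rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    # Stand-in for the authenticator's private-key signature: real hardware uses
    # an asymmetric key; HMAC is used here only to keep the example stdlib-only.
    sig = hmac.new(key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(assertion: dict, expected_challenge: str, key: bytes) -> tuple:
    """Relying-party checks, in the order WebAuthn specifies them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "type mismatch"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"      # replay of an old assertion
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"         # signed on a different site
    if assertion["auth_data"][:32] != _rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"       # scoped to a different rpId
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(key: bytes) -> tuple:
    challenge = secrets.token_urlsafe(32)      # issued by the real site
    assertion = browser_get_assertion(RP_ORIGIN, RP_ID, challenge, key)
    return rp_verify(assertion, challenge, key)


def relayed_login(key: bytes) -> tuple:
    """The relay from the article: the attacker's service starts a real login,
    forwards the site's challenge to the victim's browser on the phishing page,
    and forwards whatever the browser returns."""
    challenge = secrets.token_urlsafe(32)      # real site -> relay service
    try:
        # The phishing page asks for an assertion scoped to the real site.
        assertion = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, key)
    except PermissionError:
        # Browser refused; the page can at best get one scoped to its own domain.
        assertion = browser_get_assertion(
            PHISH_ORIGIN, "accounts-example.phish.test", challenge, key
        )
    return rp_verify(assertion, challenge, key)  # relay service -> real site


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("legitimate login:", legitimate_login(key))
    print("relayed login:   ", relayed_login(key))
```

The contrast with the SMS case in the article is the `origin` field and the `rpIdHash`: an SMS code is a bare six-digit string that the real site cannot tie to the page the victim typed it into, whereas the signed assertion carries the origin the browser observed, so the relay service receives something the real site rejects. The proximity (Bluetooth) requirement Google describes adds a further check that the phone is next to the machine doing the login, which this model does not include.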
At the same time, Google has also been working to make its traditional Google Prompt challenges more phishing resistant by asking users to match a PIN code with what they’re seeing on screen in addition to clicking “allow” or “deny”. The company has even begun experimenting with more involved challenges for higher-risk situations, such as when it sees users logging in from a computer that might belong to a phisher, or asking users to join the same Wi-Fi network on their phone as the computer they’re logging in from.
With these new phishing protections in place and the right training, both employees and consumers can avoid having their credentials and online accounts stolen.