
Google gives Android Gmail users new shady link warnings amid fake Docs attack

The new alerts are aimed at giving Gmail users on Android devices extra protection against phishing attacks.
Written by Liam Tung, Contributing Writer

Google is rolling out a new anti-phishing feature in Gmail on Android that stops users from immediately proceeding to a page when they click a suspicious link.

The new feature is designed to make it easier for Android users to protect themselves from scammers and criminals who use email to harvest logins, identity details, and financial information.

Google announced the feature yesterday amid the scare over a crafty Google Docs phishing attack on Gmail users.

Starting this week, if you click on a suspicious link in Gmail on Android, the app will present a red warning stating that "the site you are trying to visit has been identified as a forgery, intended to trick you into disclosing financial, personal or sensitive information".

It doesn't block access to the page, but it displays the destination URL and cautions that you can proceed at your own risk. It also contains a link to report an incorrect warning.

"While not all affected email will necessarily be dangerous, we encourage you to be extra careful about clicking on links in messages that you're not sure about. And with this update, you'll have another tool to make these kinds of decisions," Google notes.

In response to yesterday's Docs phishing attack, Google has posted a warning on its Gmail Help page encouraging affected users to complete its Security Checkup. The relevant section to check is account permissions.

As noted by the SANS Internet Storm Center, the phishing attack abused OAuth, a framework that Google, Microsoft, Twitter, Facebook, and others use to connect third-party apps with their services.

Gmail users can, for example, authorize Microsoft Outlook to read, send, delete, and manage Gmail messages. The Outlook app is then issued a token, providing it with ongoing access for these actions until revoked by the user.

It's a useful process for connecting different accounts, but users can be tricked into granting access to a malicious app, as happened yesterday. An access token is a powerful tool for an attacker because it operates separately from the login process, so two-factor authentication does nothing to stop its use.

The attacker in this case sent phishing emails with a bogus "Open in Docs" button that led users to Google's real OAuth service, where the attacker's app, fraudulently named "Google Docs", requested permission to "read, send, delete and manage" victims' Gmail messages.

The attacker then used the access token to send the same phishing email to the victim's contacts.
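The account-permissions review that Google's Security Checkup points affected users to can be expressed as a small audit rule: a grant whose app name imitates a Google product but is not published by Google is revoked outright, and any grant holding full Gmail or contacts access is listed for review. The code below is an added example written for this article, not Google's code; the Gmail and contacts scope strings are real, while the first-party name list, the publisher field and the sample grants are assumptions constructed for illustration.

```python
# Added example (not Google's code): classify a user's OAuth app grants
# the way an account-permissions review would, flagging an impostor
# app such as the bogus "Google Docs" described in the article.
from dataclasses import dataclass

# Real Google scope strings: full Gmail access and read-only contacts.
GMAIL_FULL = "https://mail.google.com/"
CONTACTS_RO = "https://www.googleapis.com/auth/contacts.readonly"
SENSITIVE_SCOPES = {GMAIL_FULL, CONTACTS_RO}
# Assumed list of first-party product names an impostor might copy.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google sheets"}


@dataclass(frozen=True)
class Grant:
    app_name: str
    publisher: str          # developer the OAuth client is registered to (assumed field)
    scopes: frozenset


def audit_grant(grant: Grant) -> dict:
    """Return {'action': 'revoke' | 'review' | 'ok', 'reasons': [...]}."""
    reasons = []
    impostor = (grant.app_name.strip().lower() in FIRST_PARTY_NAMES
                and grant.publisher != "Google LLC")
    if impostor:
        reasons.append("name imitates a Google product but publisher is "
                       f"{grant.publisher!r}")
    held = sorted(grant.scopes & SENSITIVE_SCOPES)
    if held:
        reasons.append("holds sensitive scopes: " + ", ".join(held))
    if GMAIL_FULL in grant.scopes and CONTACTS_RO in grant.scopes:
        reasons.append("can read contacts and send mail: self-propagation risk")
    action = "revoke" if impostor else ("review" if held else "ok")
    return {"action": action, "reasons": reasons}


# Constructed sample grants (not real client data).
SAMPLE_GRANTS = [
    Grant("Google Docs", "unknown-developer",
          frozenset({GMAIL_FULL, CONTACTS_RO})),        # the impostor
    Grant("Microsoft Outlook", "Microsoft Corporation",
          frozenset({GMAIL_FULL})),                      # legitimate but broad
    Grant("Calendar Sync", "Example Inc",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
]


def revoke_list(grants=SAMPLE_GRANTS) -> list:
    """App names whose grants should be revoked outright."""
    return [g.app_name for g in grants if audit_grant(g)["action"] == "revoke"]


if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        print(g.app_name, audit_grant(g))
```

The legitimate Outlook grant lands in the review bucket rather than being revoked, which matches the article's point that the same broad scopes are normal for a trusted mail client.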

Trend Micro's Mark Nunnikhoven said the attack was "extremely clever" because it's difficult to filter email that carries a legitimate Google URL.

"The URL can't be blocked because it's a legitimate domain, owned and controlled by Google. Defending against this attack relies entirely on the user," he noted.

However, Google has blocked the bogus Google Docs application.

Trend Micro recently found the same technique being used by the advanced hacking group Fancy Bear, also known as Pawn Storm or APT28, which has been blamed for the Democratic National Convention hacks and several other high-profile breaches.

This ghost tapping scam can steal money from your mobile wallet or card - how to block it

Scammers or fake vendors can exploit tap-to-pay and NFC transactions to steal money from your credit card or mobile wallet. Here's what you need to know to stop them.
Written by Lance Whitney, Contributor


ZDNET's key takeaways

• Ghost tapping tries to exploit tap-to-pay to steal your money.
• The scammer targets physical payment cards and mobile wallets.
• The scam can be hard to pull off, but scammers persist.

Tapping to pay for an item using your phone's mobile wallet is a quick and convenient way to make a purchase. However, despite the convenience, or perhaps because of it, there is some potential risk associated with the process. One type of scam that's been getting a lot of coverage lately is ghost tapping. A criminal -- or even a dishonest or fake vendor -- can exploit the tap-to-pay technology to charge your credit card or payment method without your awareness.

"Ghost tapping refers to attempts by criminals to trigger an unauthorized contactless payment without the victim's knowledge," Shane Barney, chief information security officer for Keeper Security, told ZDNET. "Tap-to-pay uses Near Field Communication (NFC), which requires very close proximity to the card or device. While this technology is inherently secure, attackers try to exploit moments when people are distracted, such as in crowded public areas."


Ghost tapping scams can target mobile wallets such as Apple Wallet and Google Wallet, as well as tap-to-pay credit and debit cards. Typically, this technology provides a convenient way to purchase a wide range of items, from transit tickets to groceries, gas, and clothing. Many small business owners and vendors use portable tap-to-pay readers, making it easy to buy items through your phone or credit card.

A ghost tapping scam typically involves three steps, Barney explained.

1. Getting near the victim: Armed with an NFC reader, the scammer gets extremely close to the intended victim, sometimes bumping into them or standing pressed against them in a crowded area. Obtaining an NFC reader is the easy part, as you can buy one from any online retailer.
2. Triggering a transaction: If the victim's payment card is loose in a bag or pocket and not shielded, the scammer could use the reader to try to initiate a tap-to-pay transaction.
3. Processing the charge: Even if they review their transactions, the victims may not notice the charge, especially if the scammer keeps the amount low.

How difficult is it to pull off this type of scam? The actual execution is the tough part, according to Barney. The scammer has to stay close enough to the victim to initiate a response from the card without being noticed. That's why these scams often occur in crowded areas or in settings where the attacker can pose as a legitimate vendor.

Though both physical payment cards and mobile phones can be targeted, modern security methods are designed to prevent attackers from stealing sensitive payment information. Today's EMV (Europay, Mastercard, and Visa) contactless payment cards guard against the theft of card numbers, CVV codes, and other data.

Smartphones are even more secure than physical payment cards. Apple Wallet and Google Wallet include device-level biometrics for authentication, store tokens instead of card numbers, and rely on security built into the hardware. Because a transaction requires Face ID, Touch ID, or a PIN, ghost tapping a smartphone is effectively impossible, Barney said.

Drive-by NFC theft is more challenging to execute than many people assume, and the available data on it is limited. However, attackers keep trying because the barrier to entry is so low. Still, if the challenges are high, why is ghost tapping a threat? Because an attacker doesn't need to sneak up next to you to pull off the scam, not when social engineering works so well.

"Successful scams often rely on social engineering rather than true wireless theft," Barney said. "The most effective method criminals use is posing as a legitimate vendor, such as at a pop-up booth or street kiosk, and convincing someone to tap their card on a fraudulent reader. In those scenarios, the victim authorizes the charge because the attacker has created a believable physical environment."

In a recent scam alert, the Better Business Bureau (BBB) revealed some of the tricks that scammers use to run a ghost tapping scam, how to watch out for them, and how to protect yourself.

Here are some signs of a possible scam:

• Getting close to you in crowded, public places. The scammer could bump into you while surreptitiously charging your tap-enabled phone or credit card.
• An unscrupulous or phony vendor who sells you something. Tap-to-pay is a popular payment method at flea markets, festivals, conventions, and other gatherings. But with so much activity, a scammer could sneak in to set up a table or booth and charge you an exorbitant amount for an item that may or may not be legitimate.
• Charity scams. A person who claims to be accepting donations for a charity could charge your card or mobile wallet a much higher amount than you expect.
• Rushing the process. Scammers count on you being in a hurry or getting distracted. In that case, you may approve the transaction without verifying the business name or the amount being charged.

How can you tell if you're about to be scammed or have already been scammed? Here are three tip-offs.

• Bank alerts that show small charges. Scammers will sometimes test the waters by charging you a small amount to see if it works. If so, they can expand to larger amounts.
• No confirmation of the amount charged. Be wary if a retailer charges you by tap-to-pay but doesn't want to show you the total or offer a receipt.
• Suspicious charges. Watch out for suspicious charges after being in a crowded area such as a flea market, festival, or transit station.

Ultimately, how can you protect yourself against ghost tapping? Here are a few suggestions from the BBB.

1. Use RFID protection. When you're not using your phone, keep it in an RFID-blocking wallet or sleeve to prevent the NFC signal from reaching it.
2. Confirm payment details. Before tapping your phone or card, check the seller's name and the amount displayed on the reader's screen.
3. Set up transaction alerts. Sign up with your bank to receive real-time notifications for every charge you receive.
4. Scrutinize your bank and credit accounts. Review your bank and credit card charges to look for any signs of fraud.
5. Limit your use of tap-to-pay. If you're wary of using tap-to-pay in an unusual or potentially high-risk scenario, consider swiping or inserting your credit card instead.
Google just gave Android users several compelling reasons to stay (including this scam tool)

Android 16 users are getting urgent call indicators, increased scam protection, pinned tabs in Chrome, and more.
Written by Artie Beaty, Contributing Writer


ZDNET's key takeaways

• Android is moving to more frequent updates instead of yearly.
• The first update introduces several new features for Android.
• Users are getting urgent call indicators and pinned tabs.

Google has announced that it's moving away from a single, yearly update of its Android mobile operating system to more frequent releases throughout the year.

To kick things off, the company revealed a roundup of updates that includes a second Android 16 release coming to eligible Pixel devices, plus new features coming to Android as a whole.


The Android 16 release includes features such as AI-powered notification summaries, a notification organizer, and expanded parental controls. However, the more impactful features are being introduced to Android overall. Here's a look at three of the biggest additions.

1. A new way to make sure a critical call gets through

One of the most intriguing new additions is Call Reason, a way to indicate that a call is critical.

With Call Reason, which Google says is "coming soon," if you're making a call to a saved contact, you can flag it as urgent. The call recipient will see a small bubble announcing "It's urgent!" while the call is ringing and a similar flag on the call history if they miss the call.


A few months ago, an APK teardown by 9to5Google revealed an "Expressive Calling" feature, exclusive to Pixel phones, which allows you to specify a reason for your call -- such as "Catch up," "News to share," or "Quick question." An urgent option, which makes a special sound and breaks through do-not-disturb settings, was also spotted in the code. Google didn't indicate today that the current Call Reason has this capability, but it appears to be forthcoming, if it is not already.

2. Pinned tabs are coming to Chrome

Also on the way is a feature that lets you keep important Chrome tabs visible. I know the tabs on my phone's Chrome browser are a mix of articles I want to read later, sites I reference often, and the occasional important links I need for a short time. If you're looking for an easier way to manage tabs, your answer is here.

Chrome on Android now has pinned tabs that stay at the front of your browser. To pin a tab, just enter the tab overview or grid view, long-press on the tab you want to save, and choose "Pin tab." That tab will now move to the top of your grid and lose the "x" button, meaning you'll never accidentally close it.

3. Avoid scams with Circle to Search

If you're suspicious that a chat or text message might be a scam, you can use Circle to Search to learn more. Circle to Search, which rolled out last year, lets you learn more about anything on your screen by long-pressing your home button and then highlighting what you want to search. Now, if you circle a suspicious message, you'll receive an AI Overview that explains more. You'll see an explanation of how the scam works along with relevant guidance and next steps.


If you're an Android user, you should see these new features soon. You can learn more about them and see the rest of the additions at android.com/updates.
