How much damage could be done if your Gmail password fell into the wrong hands?
Quite a lot I would wager.
Because not only would an identity thief be able to send emails pretending to be you, and trawl through your old messages for passwords and financial information, but also your Gmail password will also unlock your other Google accounts – including Google+, Adwords, Google Checkout, Google Docs, YouTube and so forth..
So, you should work hard to protect your username and password credentials for Google login details.
Here’s an email that SophosLabs has seen spammed out, pretending to come from Google’s team:
The email claims that the recovery email address associated with your Google account has changed, and if you do not verify it then you might lose your account in its entirety.
Dear Account User,
Thanks for updating your e-mail address with us.We changed your recovery e-mail address in our files to [redacted]@hotmail.com.If this is correct, you can disregard this e-mail. If the new e-mail address is not correct or you did not request this change. Follow the instruction in updating your account
However, Failure to do so may result in account suspension permanently.
Thanks for using Gmail!.
Clicking on the link in the spammed-out email does not take you to your Google accounts settings, however. Instead, you are taken to a compromised website which is hosting a phishing page – designed to steal your password.
Always take care about what links you click on, and don’t enter your personal information until you are confident you have reached a legitimate site,
And if you need further advice, why not read my point-by-point advice about how to stop your Gmail account being hacked.
8 comments on “Phishing for passwords of unwary Google users”
Good thing I don't use GOOGLE. Besides, if any free email service wants any updating they do it when signing in not sent in an email. All one has to do is go to their tools and update.
You should mention Google's two-step verification. If I give my Gmail password to strangers they would still have to enter the security code that is sent to my cell phone. It's a free service but it works! Well, almost free, since Google got my mobile number in return. I believe they offer smartphone app to generate the security code, which is good if one has to pay for incoming text messages.
And if entering a second code every login seems too much, there is the "remember verification on this computer for 30 days" option.
Yes, the two-step verification is a good idea from the security point of view.
I discuss that, and other methods to help prevent your Gmail account being hacked, in the article I wrote here: http://nakedsecurity.sophos.com/2011/06/02/how-to…
Well, that approach simply wouldn't work on me. First I don't have a Hotmail account. Second, Gmail uses SSL which they forgot to include in their link details. I'll give them 2/10. That's for just bothering to try.
“Well, that approach simply wouldn’t work on me. First I don’t have a Hotmail account”__What does that have to do with anything?__The Hotmail account named in the message is NOT meant to be YOURS.__The idea is you think someone has changed your GMail Recovery email address to an account that is NOT yours (in this example [redacted]@hotmail.com – ) and then you think “Oh ****, someone else has got access to my GMail account” and then click the link in the email to restore the Recovery Email back to YOUR email address. But as per usual with these attacks the link doesn’t goto a real GMail website but a spoof one where you then enter your username and password thereby handing it straight to the bad guys.__YOU don’t NEED a Hotmail account for this to work.
The subject line for that message would allow me to check my email logs for any delivered at my site.
I recently received the following email from a family member who doesn't even have Gmail:
Dear Account User,
You are advise to verify your account details below to enable us upgrade your account. E.G Your GMail ID, Password, Date Of Birth etc.
Click here to verify –> http://bit.ly/JGVJpP
In failure of doing this, you will Automatically lose your GMail Account.
Thanks for using GMail
CLICK HERE TO VERIFY YOUR GMail ACCOUNT NOW TO AVOID IT BEING CLOSE! -> http://bit.ly/JGVJpP
I've seen some phishing scam emails, mostly thanks to you people, but this one is so obviously fake. Anyone else seen this yet?
facebook security sucks i still get hacked with text verification and email alerts on stupid chip thieves stop play poker now hope thats the end of it glad i dont bank with then pathetic and nobody to complain to unless u wanna call the usa i dont think so