A new phishing scam is tricking people into installing malware by pretending to be a Google security check. The page looks convincing and tells users that their Google account needs additional protection. It walks them through a simple setup process that appears to strengthen their security and protect their devices.
If users follow those steps, they may end up installing what looks like a harmless security tool. In reality, security researchers say the page installs a malicious web app that can spy on their device. It can steal login verification codes, watch what users copy and paste, track their location and quietly send internet traffic through their browser.
The most troubling part is that nothing is technically hacked. Instead of exploiting a software flaw, attackers simply trick users into granting the permissions they need. Once that happens, the users' own browser can start working for the attackers without anybody realizing it.
Security researchers at Malwarebytes, a cybersecurity company, recently discovered a phishing website that pretends to be part of Google's account protection system. The site uses the domain google-prism[.]com and presents what looks like a legitimate security page asking users to complete a short verification process.
Visitors are told they should complete a four-step setup to improve their account protection. The page explains that these steps will help secure their Google account and protect their devices from threats. During the process, the site asks users to approve several permissions and install what it claims is a security tool.
The tool it installs is actually a Progressive Web App. This type of application runs through the browser but behaves like a regular app on any computer. It opens in its own window, can send notifications and can run tasks in the background.
Once installed, the malicious web app can collect contacts, read information users copy to their clipboard, track GPS location data and attempt to capture one-time login codes sent to the user's phone. These codes are commonly used when users sign in to accounts that use two-factor authentication.
The fake security page may also offer an Android companion app described as a "critical security update." Researchers found that this app requests 33 permissions, including access to text messages, call logs, contacts, microphone recordings and accessibility features.
Those permissions give attackers the ability to read messages, capture keystrokes, monitor notifications and maintain control over parts of the device. Even if the Android app is never installed, the web app alone can still collect sensitive information and quietly run activity through the browser.
The scam works because it looks like something anybody would normally trust. Many people expect security alerts from the services they use, especially when it comes to protecting email or cloud accounts. Attackers take advantage of that trust by presenting the fake page as a helpful security feature.
When users approve the permissions and install the web app, they are essentially giving the attackers access to certain parts of their device. One of the main things they try to capture is one-time passwords. These are the short codes users receive when logging in to accounts that require two-factor authentication.
If attackers manage to capture those codes while also knowing the password, they may be able to break into the victim's accounts. That could include email, financial services or cryptocurrency wallets, depending on which accounts the victim uses. The malware also watches what users copy and paste. Many people copy cryptocurrency wallet addresses before sending digital currency, and those addresses can be valuable to criminals. The malicious app can collect that information and send it back to the attackers.
Another feature allows attackers to route internet requests through the browser. This means they can run online activity through the device so it appears to come from the user's home network. The app can also send notifications that look like security alerts or system warnings. When users click those notifications, the app opens again and gains another opportunity to capture information such as login codes or clipboard data.
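
An added example, not taken from the original article or from Malwarebytes: a defender-side audit that lists which sites a browser profile has allowed to use the permissions described above (notifications, location, clipboard). It assumes Chrome's `Preferences` JSON file stores per-site grants under `profile.content_settings.exceptions`; the function names, hostnames and sample data are constructed for illustration.

```python
import json

# Permission names the article lists for the fake "security check" web app.
# Assumption: these match the key names Chrome uses in its Preferences file.
RISKY = ("notifications", "geolocation", "clipboard")
ALLOW = 1  # assumption: Chrome stores 1 for "allow" and 2 for "block"

def risky_grants(prefs, trusted=()):
    """Map each non-trusted origin to the risky permissions it is allowed."""
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    found = {}
    for perm in RISKY:
        for key, entry in exceptions.get(perm, {}).items():
            if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
                continue  # blocked, default, or malformed entry
            origin = key.split(",", 1)[0]  # "https://site:443,*" -> origin
            if origin not in trusted:
                found.setdefault(origin, []).append(perm)
    return {origin: sorted(perms) for origin, perms in found.items()}

def flag_multi(grants, threshold=2):
    """Origins holding several risky permissions at once, most grants first."""
    hits = [(o, p) for o, p in grants.items() if len(p) >= threshold]
    return sorted(hits, key=lambda hit: (-len(hit[1]), hit[0]))

# Constructed sample data, not a real profile; all hostnames are placeholders.
SAMPLE = json.loads("""
{"profile": {"content_settings": {"exceptions": {
  "notifications": {
    "https://security-check.example:443,*": {"setting": 1},
    "https://mail.example:443,*": {"setting": 1},
    "https://ads.example:443,*": {"setting": 2}},
  "geolocation": {
    "https://security-check.example:443,*": {"setting": 1}},
  "clipboard": {
    "https://security-check.example:443,*": {"setting": 1}}
}}}}
""")

if __name__ == "__main__":
    for origin, perms in flag_multi(risky_grants(SAMPLE)):
        print(f"review and revoke: {origin} -> {', '.join(perms)}")
```

To audit a real profile, load its `Preferences` file with `json.load` and pass the result to `risky_grants`; any origin returned by `flag_multi` that the user does not recognize is a candidate for having its permissions revoked and its web app uninstalled.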
