At this point, mentioning a new Google attack vector is almost not news anymore, given how many times the company’s services have been exploited. It’s to be expected though. Google makes most of its services available free of charge, which means not only do you have free access to them, so do hackers. And given these services’ widespread adoption, it’s not surprising that Google is a frequent target.
The latest exploit takes advantage of Google Alerts. “Google Alerts is a content change detection and notification service, offered by the search engine company Google. The service sends emails to the user when it finds new results—such as web pages, newspaper articles, blogs, or scientific research—that match the user’s search term(s).”
In some ways, this is a perfect attack vector for hackers. People are telling Google what search terms they care about and they are volunteering to have emails sent to them which contain links to pages with those search terms. All hackers really have to do to take advantage of this situation is to set up a malicious web page with those search terms on it. And if they choose popular search terms, a lot of people will get those emails.
What makes it worse is that victims have their guard down because they are expecting these emails. That’s a form of social engineering which is inherent in using Google Alerts as the attack vector.
Bleeping Computer details how this scam works: “When a user clicks on one of these alerts, they will then be sent to a page that then redirects them through a series of other pages until they finally land at a fake giveaway page, tech support scam, unwanted extension, or malware installers.”
In some ways, this Google Alerts scam doesn’t change anything. You must protect yourself from malicious links in emails, whether you received the email voluntarily—like with Google Alerts—or not. And the best way to do that is with cloud-based email security software with real-time link click protection like that offered by Phish Protection.
Real-time link click protection is the key. With real-time link click protection, whenever you click on a link in an email, before you get redirected to the website, the scanning software checks out the website to make sure it’s safe. And if it’s not, it protects you by preventing you from visiting that website.
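A minimal sketch of the click-time check described above, added here as an illustration and not taken from Phish Protection or any vendor's code. It follows a redirect chain hop by hop and blocks the click if any hop is blocklisted or the chain loops or runs too long. The function names, the redirect table, the blocklist and the hop limit are all constructed assumptions, and only HTTP redirects are modelled (not JavaScript or meta-refresh redirects).

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumed limit; very long chains are themselves suspicious

# Constructed redirect table standing in for live HTTP responses:
# url -> (status code, Location header or None)
SAMPLE_RESPONSES = {
    "https://news.example.org/story": (302, "https://hop1.example.net/r?id=1"),
    "https://hop1.example.net/r?id=1": (302, "//hop2.example.net/go"),
    "https://hop2.example.net/go": (301, "https://giveaway.example.com/win"),
    "https://giveaway.example.com/win": (200, None),
    "https://blog.example.org/post": (200, None),
    "https://loop.example.net/a": (302, "https://loop.example.net/b"),
    "https://loop.example.net/b": (302, "https://loop.example.net/a"),
}
BLOCKLIST = {"giveaway.example.com"}  # constructed reputation data


def fetch_sample(url):
    """Hypothetical fetcher: looks the URL up in the constructed table."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def resolve_chain(url, fetch=fetch_sample, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time; return (chain, reason)."""
    chain, seen = [url], {url}
    while True:
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, "landed"
        nxt = urljoin(chain[-1], location)  # resolves relative Location values
        if nxt in seen:
            return chain, "loop"
        if len(chain) > max_hops:
            return chain, "too_many_hops"
        chain.append(nxt)
        seen.add(nxt)


def click_verdict(url, fetch=fetch_sample, blocklist=BLOCKLIST):
    """Decide at click time whether to let the user through."""
    chain, reason = resolve_chain(url, fetch)
    if reason != "landed":
        return "block", reason, chain
    for hop in chain:  # check every hop, not just the first link in the email
        host = urlsplit(hop).hostname or ""
        if host in blocklist:
            return "block", "blocklisted:" + host, chain
    return "allow", "clean", chain
```

The link in the email (`news.example.org`) is not on the blocklist; the verdict changes only because the check runs at click time and inspects where the chain actually ends.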
Whether you use Google Alerts or not, the best way to stay safe from phishing emails is to use Phish Protection with Advanced Threat Defense. It sets up in 10 minutes, costs pennies a day per employee, and comes with live 24/7 customer support.