Despite security technologies continuing to improve, phishing remains a persistent threat, which is why Google announced several ways to combat phishing at Google I/O 2022.
To protect its users from phishing attacks, the search giant is expanding phishing protections to Google Docs, Sheets, and Slides while continuing to automatically enroll users in 2-step verification.
As businesses and end users become increasingly aware of the dangers of phishing, multi-factor authentication (MFA) has become a particular concern for cybercriminals. For example, they often try to phish SMS codes directly by following a legitimate “one-time passcode” with a forged message asking potential victims to “reply with the code you just received”.
Attackers are also leveraging more sophisticated dynamic phishing pages to carry out relay attacks when a user thinks they’re connecting to a legitimate site, according to a new blog post from Google. Instead of deploying a simple static phishing page that steals a user’s credentials, attackers deploy a web service that connects to the actual website at the same time the user falls for the phishing page.
These attacks are particularly difficult to prevent because authentication challenges presented to the attacker (such as a prompt for an SMS code) are relayed to the victim. The victim’s response is then relayed in turn to the actual website, and the attacker uses it to clear any further authentication challenges that arise.
Phishing-resistant authentication
While security keys like Google’s own Titan security key can prevent phishing by verifying the identity of the website users log in to, not everyone wants to carry around an extra physical device to log in to all of their accounts online.
That’s why Google is building this same feature into Android smartphones and iPhones. Unlike physical FIDO security keys which must be connected via USB, the search giant uses Bluetooth to ensure that a user’s smartphone is close to the device they are connecting to. It also helps prevent “person-in-the-middle” attacks that can still work with SMS codes or Google prompts.
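The relying-party check that makes FIDO authenticators phishing-resistant, as an added example (not Google's or any FIDO library's code): the browser writes the page origin into clientDataJSON and the authenticator signs it together with a hash of the RP ID, so an assertion relayed through a lookalike site carries the wrong origin and is rejected. The RP ID, origins and challenge are constructed placeholders, and the signature check itself is omitted.

```python
import base64
import hashlib
import json

# Hypothetical relying party (RP) settings; a real RP keeps these in config.
RP_ID = "accounts.example.com"
ALLOWED_ORIGINS = {"https://accounts.example.com"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: str) -> tuple:
    """Check the origin-binding fields of a WebAuthn assertion.

    clientDataJSON is written by the browser, not the page, and the signature
    (not verified in this illustration) covers SHA-256(clientDataJSON) plus
    authenticatorData, whose first 32 bytes are SHA-256 of the RP ID. A relay
    proxy therefore ends up with an assertion bound to its own origin.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge does not match the one we issued"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"assertion was produced for origin {origin}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "ok"


# Constructed stand-ins for what a browser and authenticator would produce.
def make_client_data(origin: str, challenge: str) -> str:
    data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) + flags (UP set) + 4-byte signature counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; real ones are random bytes

if __name__ == "__main__":
    # User on the real site: accepted.
    print(verify_assertion_binding(make_client_data("https://accounts.example.com", CHALLENGE),
                                   make_auth_data(RP_ID), CHALLENGE))
    # Same challenge relayed via a lookalike site: the browser stamps the
    # lookalike origin into clientDataJSON, so the RP rejects it.
    print(verify_assertion_binding(make_client_data("https://accounts-example.net", CHALLENGE),
                                   make_auth_data("accounts-example.net"), CHALLENGE))
```

An SMS code carries no such binding, which is why the relay described above succeeds against it but not against an origin-bound assertion.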
At the same time, Google has also worked to make its traditional Google Prompt challenges more phishing-resistant by requiring users to match a PIN with what they see on screen in addition to clicking “allow” or “refuse”. The company has even started experimenting with more complex challenges for high-risk situations, such as when it sees users logging in from a computer that might belong to a phishing scam, or asking users to join, on their phone, the same Wi-Fi network as the computer they are connecting from.
With these new phishing protections in place and the proper training, employees and consumers can protect their online credentials and accounts from being stolen.