Google will ban ‘middle man’ logins in latest crackdown on phishing

Google’s latest attempt to crack down on phishing: Firm says it will ban logins that use embedded browsers to cut out the ‘middle man’

  • In June, Gmail will require users to use a dedicated mobile browser to log in
  • The move is an effort to prevent harmful phishing scams targeting credentials
  • Phishing expeditions have become increasingly complex over the years
  • Google has released a host of new security features in recent months  

Google is trying to cut out the ‘middle man’ by disallowing logins from embedded browsers, a move it says will add an extra layer of cyber security.

According to the company, the change will start in June and will prevent logins that don’t take place within a dedicated web browser like Safari, Chrome, or Firefox. 

While many applications use embedded browsers as a means of convenience, allowing users to stay in an app to input their credentials as opposed to having to jump to a dedicated mobile browser, Google said the feature puts users at unneeded risk. 

Google has bolstered a number of security features to help protect its users from phishing and more.

A major concern, said the company, is a type of phishing scam known as ‘man in the middle.’ 

‘One form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework… or another automation platform is being used for authentication,’ reads a blog post. 

‘MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in.’

Because Google can’t differentiate between someone attempting to phish an account and the legitimate owner, it has decided to completely scrap embedded logins, said the company. 

Similarly, Google has also introduced ‘safe browsing’ features that notify users when they’re browsing a potentially harmful website and added notification features that let users know when their account is signed into from a new device. 

With the rise of mobile app usage and connectivity, phishing scams have spread across the internet rapidly through the last several years. 

Many scams involving the use of email have also become increasingly sophisticated.

In 2017, one particularly effective attack on Gmail users was orchestrated by scammers who, with access to one victim’s email account, were able to impersonate that person in order to infect the computers of the first victim’s contacts.

Hackers have become more sophisticated in their attempts to glean critical password and login information.

Disguised as the first victim, scammers would send a fake Google Doc containing a phishing link to one or more of their contacts using victim one’s email address.

If opened, the second victim would be sent to a fake Google login page where the scammers would harvest the credentials of victim two. 

The phishing expedition compromised at least 1 million Gmail accounts, according to Forbes.

Doing away with embedded logins comes on the heels of a host of new security features announced by Google this month that specifically target phishing and look to educate on ‘best practices.’

IS YOUR GMAIL SENDING SPAM EMAILS?

A new spam attack is tricking a wave of Gmail users into thinking their account has been hacked. 

Numerous users have reported that their inboxes were flooded with spam emails titled things like ‘growth supplements’. 

However, in a bizarre twist, the ads appeared to have been sent from their own accounts.

The easiest way to check if you’ve been hit by the scam is to check your ‘sent’ folder. 

Spammers figured out a way to bypass Gmail’s spam filters by using forged headers that make the messages look like they came from Gmail users’ own email addresses.

From there, check if any emails are listed as being sent ‘via telus.com’.

If you find any, be sure to mark them as ‘spam’ so that they appear in the designated folder. 

You can also report an email as a phishing scam by clicking on the dropdown menu, marked by an arrow, in the right-hand corner.

Clicking this will give you the option to report an email as a phishing attempt. 

Google said that the latest spamming attack hasn’t compromised any user accounts, so there’s no reason to believe your Gmail has been hacked.  

 

 

Read more at DailyMail.co.uk