As end users of Google’s suite of productivity-enhancing tools, we all have a right to know that the company is doing everything in its power to protect its billions of users - whether they are working from a desktop, browsing while they are on the go, or working remotely. But what measures do Google have in place to keep all its thousands of users safe and secure in the face of rising cyber crime? How can you be sure that, no matter what device you are using, you stand the best chance of protecting yourself from attack?
With more than one billion people using Google’s search engine on their desktops, and over a billion more accessing it through mobile devices, it is clear that security is – or should be - paramount. Google already claims to protect desktop users with its Safe Browsing service, but what about its mobile users?
With cyber threats ranging from the annoying, such as adware, to the unsavoury – hello spyware - and the downright terrifying (ransomware - we’re looking at you), mobile device users are increasingly demanding to know that they are being adequately protected when using Google’s products, tools and services. Therefore, so as to protect the mind-bogglingly large number of people who are using Google on their smartphones, laptops, notebooks and tablets, Google recently unveiled plans to extend its Safe Browsing service to mobile users - or at least to those who are using Chrome on an Android device.
Whether you regard this as a blatant ploy to get users to switch to Android is something we’ll let you decide for yourself, but the fact is that Google is taking steps to protect its users. Back in August 2014, the company bolstered its Safe Browsing warnings with messages alerting users to unwanted software programs trying to sneak onto their computers by attaching themselves without warning to a legitimate download. In addition, both the Android platform and the Google Play Store have security measures in place to weed out potentially dangerous apps.
However, not every cyber security threat comes from an app or installation so, while Google is doing the right thing by guarding against threats in these areas, there are other issues that require a different means of protection. Enter social engineering, and phishing in particular, which can cause untold harm – such as data or identity theft - to a business or individual.
In order to protect against social engineering, an up-to-date list of malicious websites needs to be stored on the device – this enables Google to send an alert to the user before they get ambushed. But there are problems with this which Google has had to overcome, not least of which is how to keep the list updated in the face of new threats. Compounding this issue further are factors that are unique to mobile browsing: mobile data speeds can be slow and connectivity patchy, depending on where the user is. A fast, stable connection is crucial when the timing of an alert is paramount. Not only that, but using mobile data costs the end user money!
Bandwidth (and battery) limitations mean Google has had to find a way to ensure the data they send to users is as small as possible. Protecting their customers is crucial – but so too is not sapping battery life and data plans. Because this boils down to connectivity and speed factors, a device’s location is now taken into account. For example, if a known phishing scam is only affecting certain locations, only devices that are in that part of the world receive a warning.
Google also prioritises data by sending information on a need-to-know basis - in other words, bigger threats take precedence over more minor issues. They have also designed the software to limit network traffic, and to be as light as possible on memory and processor usage.
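The trade-offs described above (a small on-device list, region-specific entries, bigger threats first) can be sketched as follows. This is an added example, not Google's implementation: the hash-prefix storage, the `severity` and `regions` fields, the byte budget and all sample hosts are assumptions made for illustration.

```python
import hashlib

PREFIX_LEN = 4  # bytes kept per entry; short prefixes keep the update small


def url_prefix(url):
    """First PREFIX_LEN bytes of the SHA-256 of the (already normalised) URL."""
    return hashlib.sha256(url.encode("utf-8")).digest()[:PREFIX_LEN]


def build_update(threats, region, budget_bytes):
    """Pick entries for one device: relevant region only, worst threats first,
    stopping when the byte budget for this update is used up."""
    relevant = [t for t in threats if t["regions"] is None or region in t["regions"]]
    relevant.sort(key=lambda t: t["severity"], reverse=True)
    return {url_prefix(t["url"]) for t in relevant[: budget_bytes // PREFIX_LEN]}


def needs_warning_check(url, local_prefixes):
    """Local lookup, no network. A hit is only a candidate: prefixes can collide,
    so a real client would confirm the full hash before warning."""
    return url_prefix(url) in local_prefixes


# Constructed feed; hosts, severities and regions are made up for illustration.
THREATS = [
    {"url": "phish.example.net/login", "severity": 9, "regions": None},
    {"url": "scam.example.org/prize", "severity": 5, "regions": {"AU"}},
    {"url": "adware.example.com/toolbar", "severity": 2, "regions": None},
    {"url": "regional.example.net/bank", "severity": 8, "regions": {"BR"}},
]

if __name__ == "__main__":
    au = build_update(THREATS, "AU", budget_bytes=8)
    print(len(au), needs_warning_check("phish.example.net/login", au),
          needs_warning_check("adware.example.com/toolbar", au))
```

With an 8-byte budget the device in region AU receives only the two highest-severity entries that apply to it; the low-severity entry and the entry for another region are left out of the update.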
Since its announcement in early December, Google has been protecting all Chrome users on Android devices by default, making Safe Browsing part of its Play services from Version 8.1 onwards. Chrome Version 46 is also the first app to initiate Safe Browsing.
How do you know whether you are protected by Safe Browsing mode? Go to your settings in Chrome, and check your Privacy menu.
Google are obviously trying to improve their game, which is great. However, we believe that businesses need as much protection as possible - now. This is why we are constantly researching and testing extra tools and practices that do assist.
How do you know if your small or medium-sized business stands the best chance of survival in the face of a cyber attack or phishing scam? Talk to us today and we’ll be more than happy to share our up-to-date knowledge with you.
Phishing scams are nothing new in the security industry. Typically, they involve a poorly written email that points you to an awful clone site of PayPal or eBay. For most of these scams, you can't help but notice the warning signs. However, the new Google Drive phishing scam is much more deceptive.
Here's how this new phishing scam works. You'll first receive an email with a subject line such as "Documents." In the body of the email, you'll be asked to open an important document linked from drive.google.com. When you click this link, Google Drive will ask you to log in. Not only will the login form look identical to the real one, but the domain will look correct as well.
For many phishing scams, the domain of the web page is often a giveaway. For instance, the page will claim to be the PayPal login, but the URL will not be from PayPal. However, the new Google Drive phishing scam removes this red flag. The address will say 'Google.com.' That's because the official-looking login page is actually a preview page for a folder stored on Google Drive.
Thinking the page is safe, you'll enter your login credentials. The information is sent to a PHP form processing page on the hacker's domain. The processing page records your information and sends it to the hacker.
When it's over, you're shown an actual document to reduce the chance that you'll realize what happened. However, at this point, your Google account is compromised, and scammers can now log in and use your email or any other Google services linked to your account.
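Because the address bar offers no clue in this scam, the remaining signal is where the login form submits. The following added example (not code from Google or from the original article) flags password forms that post to a host other than the one serving the page; the URLs and HTML are constructed samples on reserved example domains.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collects each <form> with its action and whether it has a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def offsite_credential_forms(page_url, html):
    """Return the hosts, other than the page's own, that password forms post to."""
    scanner = FormScanner()
    scanner.feed(html)
    page_host = urlsplit(page_url).hostname
    flagged = []
    for form in scanner.forms:
        # Resolve relative and empty actions against the page URL first.
        target = urlsplit(urljoin(page_url, form["action"])).hostname
        if form["password"] and target and target != page_host:
            flagged.append(target)
    return flagged


# Constructed sample: a page served from a trusted host whose form posts elsewhere.
PAGE_URL = "https://drive.example.com/preview/folder/index.html"
SAMPLE_HTML = """
<form action="https://collector.example.net/process.php" method="post">
  <input type="email" name="Email"><input type="password" name="Passwd">
</form>
<form action="/search"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    print(offsite_credential_forms(PAGE_URL, SAMPLE_HTML))
```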
Google accounts are the primary target for phishing scammers. Scammers use your Gmail account to spam their phishing link to your contacts. Since your contacts recognize your email, they will more likely fall victim to the scam. Scammers can also read any important documents or information stored in your email account.
Stealing Google accounts is about more than just email, though. Scammers can gain access to Google Play Music. They can access your Google Wallet. They can generate the HTML file needed to verify your website in Webmaster Tools, which exposes your website's reporting data. They can affect your AdWords campaigns or view your AdSense data. They can even spam a phishing link using your G+ profile.
Some of these consequences seem minor, but users who integrate Google into their lives store a lot of sensitive information in these accounts. The level of consequences is dependent on the hacker's creativity and the amount of information exposed.
In general, don't open links from unfamiliar email addresses. Even if you know the sender, be suspicious of links to Google Drive that you were not expecting.
If you think you've been scammed, the first step is to change your Google account password. Then, log in to Gmail and scroll down to the bottom of the page. Click "Details" under the "Last Account Activity" text. Click "Sign out all other sessions" to lock out hackers who are currently logged in to your account.
Google also offers two-step verification. Two-step verification sends a PIN to your phone when you log in from a computer that isn't your personal one. This security process stops hackers from ever signing in to your account, even if they have your password.
A hacker's goal is to bypass security red flags and firewalls. This scam creatively hides any warning signs that would normally help people avoid it. If you think you've received one of these phishing emails, send it to the trash or report it to Google.
Contact Sensible about our Employee Security Awareness Training program. This self-paced program teaches your staff how to identify email phishing and scams.
Google has issued a statement indicating "We've removed the fake pages and our abuse team is working to prevent this kind of spoofing from happening again. If you think you may have accidentally given out your account information, please reset your password."
Based on Google's statement, the issue appears solved; however, we have continued to find reports of the exploit, indicating that it may still be ongoing.