2019-11-28

Google’s Threat Analysis Group (TAG) revealed that it warned nearly 12,000 users in over 149 countries across the world that they had been targeted by government-backed attackers in phishing attempts. The warnings were issued from July to September 2019. In India, Google revealed that over 500 people were warned about these government-backed phishing attempts.

In a blog post, Google’s TAG wrote that these government-backed groups from more than 50 countries have “many goals including intelligence collection, stealing intellectual property, targeting dissidents and activists, destructive cyber attacks, or spreading coordinated disinformation.” What is not clear is whether the citizens were targeted by their own governments or by other governments.

According to Google, they “encourage high-risk users—like journalists, human rights activists, and political campaigns—to enroll in our Advanced Protection Program (APP), which utilises hardware security keys and provides the strongest protections available against phishing and account hijackings.” Google found that over 90 per cent of these users were targeted via “credential phishing emails”.

What is Phishing?

Phishing is an attempt to steal a user’s password and other account details in order to hijack their account. Phishing attempts are very common, but the ones in the Google report are state-sponsored.

In a phishing attempt, an email or link is sent to the user that often closely resembles the page it is trying to spoof. Phishing attempts can also be made via telephone, text message, or in apps. For instance, someone trying to steal a Google account or an Apple ID might send an email or a text message with a link that looks deceptively like one from Google or Apple.

One common tactic is an email telling the user that they must quickly enter their password and account details to regain control of the account because there is some issue with it.

When the user clicks on the link in the email, the page that opens often copies the user interface and design of the real page, say the Apple login page or the Google Account login page, whichever it is trying to steal credentials for. The user is asked to enter their Apple ID and password, and if they do, their account is compromised.

How to avoid Phishing attempts?

Users must check for the padlock symbol on any page where they are asked to enter their full account details. The padlock only shows that the connection is encrypted, not that the site is genuine, so it is a necessary check but not a sufficient one.

The full URL of the link must always be double-checked to confirm that the page is actually from the company before entering sensitive account details. For instance, fake Google pages may be able to spoof the design, but the URL is always off. A URL like google-account-india followed by dot com is likely to be fake, and a link that misspells Google or Apple is likely a phishing attempt.

Users must double-check the link before entering any sensitive information such as passwords, account names, bank account details, even birthdays and addresses, as these can be used to steal personal information and later take over the account.
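The URL checks described above can be turned into a small, defensive heuristic. The following is an added example (not code from Google or from the article) that parses a sign-in URL, requires HTTPS, flags user-info tricks that hide the real host, and reports hostnames that borrow or misspell a brand name outside its real domain. The allow-list of trusted sign-in hosts and the two brand names are constructed assumptions for the example, and the registrable-domain logic is a deliberate simplification (real code should use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed allow-list of legitimate sign-in hosts (an assumption for
# this example; a real deployment would maintain its own list).
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "appleid.apple.com"}

# Brand names that phishing hostnames commonly borrow or misspell.
BRANDS = ("google", "apple")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Real code should consult the Public Suffix List (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspellings such as 'gooogle'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_url(url: str) -> list:
    """Return the red flags found in a sign-in URL; an empty list means the
    URL uses HTTPS and its host belongs to a trusted sign-in domain."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("no host")
        return reasons
    if "@" in parts.netloc:
        # 'https://accounts.google.com@evil.example/' really goes to evil.example
        reasons.append("user-info before '@' hides the real host")

    trusted_domains = {registrable_domain(h) for h in TRUSTED_LOGIN_HOSTS}
    if host in TRUSTED_LOGIN_HOSTS or registrable_domain(host) in trusted_domains:
        return reasons

    # Unknown host: look for a brand name used or misspelled in any label.
    host_reasons = []
    for label in host.split("."):
        for brand in BRANDS:
            if brand in label:
                host_reasons.append(
                    f"label '{label}' uses brand '{brand}' outside its real domain")
            elif len(label) >= 4 and edit_distance(label, brand) <= 2:
                host_reasons.append(
                    f"label '{label}' looks like a misspelling of '{brand}'")
    if not host_reasons:
        host_reasons.append("host is not a known sign-in domain")
    return reasons + host_reasons


if __name__ == "__main__":
    # Constructed sample links, including the lookalike the article mentions.
    for link in ("https://accounts.google.com/signin",
                 "https://google-account-india.com/login",
                 "https://gooogle.com/",
                 "https://accounts.google.com@evil.example/"):
        print(link, "->", check_login_url(link) or "no red flags")
```

The brand-distance rule is a heuristic and will occasionally flag an innocent hostname; in practice it belongs in a warning banner or a mail-gateway rule rather than a hard block.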

What is Google’s Advanced Protection?

Google has an Advanced Protection Program, which is aimed at those who are more likely to be targeted with phishing: journalists, activists, business leaders, and political campaign teams. It goes beyond the two-step verification program.

Google requires that the user has a physical Security Key in addition to their password in order to sign in to their account. Google says the advantage here is that even if the user falls for a phishing attack that discloses their username and password, the hacker can’t access the account without one of the physical Security Keys.
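Why a physical Security Key still protects a user who has typed their password into a fake page comes down to origin binding: the key holds a separate credential for each site, and what it signs includes the origin the browser is really on, which the real site then checks. The following is an added simulation of that mechanism, not Google's or any FIDO vendor's code. Its simplifications are assumptions: an HMAC secret per credential stands in for the key pair a real FIDO authenticator uses, the `SecurityKey`, `RelyingParty` and `run_scenarios` names are hypothetical, and the phishing origin is the constructed lookalike from the article.

```python
import hashlib
import hmac
import json
import os


class SecurityKey:
    """Toy authenticator holding one credential per origin.
    Assumption/simplification: a per-credential HMAC secret stands in for the
    private key; a real key signs with a private key and the server verifies
    with the public key it stored at registration."""

    def __init__(self):
        self._credentials = {}  # origin -> secret

    def register(self, origin: str) -> bytes:
        secret = os.urandom(32)
        self._credentials[origin] = secret
        return secret  # the server stores this (stands in for the public key)

    def sign(self, origin: str, challenge: bytes) -> dict:
        # The browser, not the web page, reports the origin the user is on,
        # so a lookalike site cannot claim to be accounts.google.com.
        secret = self._credentials.get(origin)
        if secret is None:
            raise LookupError(f"no credential registered for {origin}")
        client_data = json.dumps(
            {"origin": origin, "challenge": challenge.hex()}, sort_keys=True).encode()
        sig = hmac.new(secret, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    """The real website: issues fresh challenges and checks assertions."""

    def __init__(self, origin: str):
        self.origin = origin
        self._stored = {}      # username -> stored credential secret
        self._challenges = {}  # username -> outstanding challenge

    def register_user(self, username: str, key: SecurityKey) -> None:
        self._stored[username] = key.register(self.origin)

    def new_challenge(self, username: str) -> bytes:
        challenge = os.urandom(16)
        self._challenges[username] = challenge
        return challenge

    def verify(self, username: str, assertion: dict) -> bool:
        secret = self._stored.get(username)
        challenge = self._challenges.pop(username, None)
        if secret is None or challenge is None:
            return False
        data = json.loads(assertion["client_data"])
        if data.get("origin") != self.origin:
            return False  # signed for another site: relayed from a phishing page
        if data.get("challenge") != challenge.hex():
            return False  # stale challenge: a replayed assertion
        expected = hmac.new(secret, assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def run_scenarios() -> dict:
    """Legitimate login versus the phishing and replay cases."""
    key = SecurityKey()
    google = RelyingParty("https://accounts.google.com")
    google.register_user("alice", key)
    phish = "https://google-account-india.com"  # constructed lookalike origin

    first = key.sign(google.origin, google.new_challenge("alice"))
    results = {"legitimate": google.verify("alice", first)}

    # 1. Phishing page asks the key to sign: no credential exists for its origin.
    try:
        key.sign(phish, google.new_challenge("alice"))
        results["phishing_origin_signed"] = True
    except LookupError:
        results["phishing_origin_signed"] = False

    # 2. Even a credential the key did hold for the phishing origin is useless:
    #    the signed origin does not match the real site.
    key.register(phish)
    relayed = key.sign(phish, google.new_challenge("alice"))
    results["relayed_to_real_site"] = google.verify("alice", relayed)

    # 3. Replaying an old, genuine assertion fails the fresh-challenge check.
    google.new_challenge("alice")
    results["replayed_assertion"] = google.verify("alice", first)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The stolen username and password never enter this picture; what the attacker lacks is a signature over the real site's origin and fresh challenge, which only the key on the real site can produce.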

In order to enroll, users are recommended to purchase two Security Keys. One is a wireless-enabled key that acts as the main key, and the other is a backup in case the first physical key is lost.

Once you enroll, other authentication factors such as codes sent via SMS or the Google Authenticator app will no longer work.

Google sells its Titan Security Key on its Play Store in the US, and there are also security keys sold by third-party companies that are compatible with Google and other accounts. The keys can then be added to your Google account, and every time you log in on a new device or phone, the key will be needed to allow access.