Dangerous Google & Apple Phishing Scams

There have been two very convincing scams recently that have tricked users into handing over their Google and Apple accounts – to complete strangers (hackers).

How convincing? I sent out an email message to everyone in our company last Friday (3/21/14) and posted this article (below) to our corporate website in an attempt to warn everyone here about this potential threat. This morning (3/27/14) a co-worker received an email message from one of his customers with the subject “Document”. The message contained a link, so my co-worker clicked the link. This took him to a web page with a real google.com address. The page looked like a real Google login page (but it was fake), so he supplied his login information. Once he got signed in, the site took him to a random online Google document. It didn’t make any sense, so he just dismissed it and closed the page. The second he signed in to the fake page, his Google account was taken over by a hacker (or a robot) who then started sending out mass email messages from his compromised account to every email address associated with his account… not just people in his contacts, but everyone in his history (to, cc and from).

Don’t think you can be tricked? Think again.

Please read this article as soon as possible.

I know I have never said this before, but if you get an email message with links from someone that doesn’t seem right… DO NOT CLICK THE LINKS! Instead, call the person or compose a completely new email message and send it to them. Always verify the original message is legitimate before acting on it.

Why? The quick answer: it’s always better to be safe than sorry.

The slightly longer answer:

Millions of people have Google accounts (including @sodpit.com users), which include Google Drive (formerly Google Docs). Recently Google accounts were compromised by a very clever phishing site. When users clicked the link in their email, they were redirected to a REAL Google URL (web address) with a very convincing-looking but completely FAKE login page. The problem here is most users will recognize the URL as legitimate (google.com) and never think twice if they see a normal-looking Google login. When the users logged in, they were actually sending their Google account login credentials to a hacker… and then it would direct them to a few documents, which tricked users into thinking everything was perfectly normal.

The email message came with the subject “Document”. Did you receive an email message like this? If you did, please let me know (if you are an @sodpit.com user, email me ASAP). If you did get the original message… did you actually click the link to log in? If so, please also let me know about this in your email. Supposedly Google has fixed this problem, but you should still be cautious.

Update 3/27/14: Google LIED and HAS NOT fixed this problem… a co-worker’s account was just compromised today.

Update: Set up Google 2-Step Verification to fully lock down your Google account.

Within a day or two of the Google scam, another similar scam popped up, which is now affecting Apple accounts. Did you receive a fake offer from Apple in an email message which later redirected you to EA.com? If you did, please send an email message and let me know. If you did get the original message… did you actually click the link to log in? If so, please also let me know about this in your email. Apple hasn’t responded to this problem yet.

Avoid and report Google scams

Be careful out there!