Tech giant Google is going toe-to-toe with phishers with its new Chrome browser extension. With all the high-profile data breaches, this could add another layer of security for end-users who are falling for social engineering tactics.
Social engineering strategies trick users into clicking on links that contain malicious software downloads or otherwise send them to fake sites that entice them to enter personal information in exchange for some type of reward or access. Fake banking sites are prime examples.
Google’s new tool is called Password Alert. Here’s how it works: If you enter your Gmail or Google for Work password anywhere other than accounts.google.com, you’ll receive an alert, so you can change your password if needed.
Google explains that Password Alert also tries to detect fake Google sign-in pages to alert you before you’ve typed in your password by checking the HTML of every page you visit to see if it’s impersonating a Google sign-in page.
The Phishing Realities
Google is on to something with its Password Alert. According to McAfee Labs, phishing continues to be an effective tactic for infiltrating enterprise networks. A September 2014 study revealed 80 percent of participants failed to detect at least one of seven phishing e-mails.
“One of the great challenges we face today is upgrading the Internet’s core technologies to better suit the volume and sensitivity of traffic it now bears,” said Vincent Weafer, senior vice president for McAfee Labs. “Every aspect of the trust chain has been broken in the last few years -- from passwords to OpenSSL public key encryption and most recently USB security. The infrastructure that we so heavily rely on depends on technology that hasn’t kept pace with change and no longer meets today’s demands.”
Symantec’s 2015 Internet Security Threat Report pointed to an 8 percent increase in highly-targeted spearphishing attacks in 2014. What made last year particularly interesting was the precision of these attacks, which used 20 percent fewer e-mails to successfully reach their targets and incorporated more drive-by malware downloads and other Web-based exploits, Symantec noted.
“Attackers don’t need to break down the door to a company’s network when the keys are readily available,” said Kevin Haley, director of Symantec Security Response. “We’re seeing attackers trick companies into infecting themselves by Trojanizing software updates to common programs and patiently waiting for their targets to download them -- giving attackers unfettered access to the corporate network.”
We asked Graham Cluley, an independent security analyst in the United Kingdom, for his thoughts on Google’s Password Alert. He told us the problem is that it only helps you with your Google password.
“People have many, many more passwords than just their Google one. My recommendation would be to use password management software,” Cluley said.
“If you use a password manager, then when you go to a bogus Web site it won't prompt you to enter your password -- because it doesn't recognize it -- and that can be your warning that something is phishy. And, of course, that works with any password -- not just your Google one.”
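Both the Password Alert rule (an alert for entry anywhere other than accounts.google.com) and the password-manager behavior Cluley describes come down to comparing the page's exact origin, not looking for a familiar name in the address. The sketch below is an added example, not code from Password Alert or any password manager; the vault entry, the sample URLs on example.net, and the choice to treat accounts.google.com as an HTTPS origin are assumptions made for illustration.

```javascript
// Added example. Vault contents and page URLs below are constructed samples.
const GOOGLE_SIGN_IN = "https://accounts.google.com"; // assumption: HTTPS origin
const vault = new Map([[GOOGLE_SIGN_IN, { username: "user@example.com" }]]);

// Naive check, shown for contrast: substring match on the raw address string.
function naiveIsGoogleSignIn(pageUrl) {
  return pageUrl.includes("accounts.google.com");
}

// Strict check: parse the address and keep the whole origin (scheme, host, port).
function originOf(pageUrl) {
  try {
    const url = new URL(pageUrl);
    const web = url.protocol === "https:" || url.protocol === "http:";
    return web ? url.origin : null;
  } catch {
    return null; // unparsable input never matches a saved credential
  }
}

// Password-manager behavior: offer a credential only on an exact origin match.
function lookupCredential(pageUrl) {
  const origin = originOf(pageUrl);
  return origin !== null && vault.has(origin) ? vault.get(origin) : null;
}

// Password Alert's rule as the article states it: entry anywhere else alerts.
function shouldAlert(pageUrl) {
  return originOf(pageUrl) !== GOOGLE_SIGN_IN;
}

const samples = [
  "https://accounts.google.com/signin",
  "http://accounts.google.com/signin",              // scheme differs
  "https://accounts.google.com.example.net/signin", // host is example.net
  "https://accounts.google.com@example.net/signin", // userinfo; host is example.net
  "https://example.net/accounts.google.com/signin", // name appears only in the path
];
for (const page of samples) {
  console.log(page,
    "| naive match:", naiveIsGoogleSignIn(page),
    "| credential offered:", lookupCredential(page) !== null,
    "| alert:", shouldAlert(page));
}
```

The naive substring check accepts every sample, while the origin comparison offers the credential only on the first one.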