Cybersecurity researchers have exposed a dangerous new scam that specifically targets Gmail users by masquerading as an official Google account security tool. The fraudulent operation, discovered by experts at Malwarebytes Labs, involves a malicious website that convincingly imitates Google's legitimate account security check interface.
How the Scam Operates
Attackers are actively directing victims to this deceptive page through multiple channels, including phishing emails, text messages, and malicious pop-up advertisements. These communications falsely claim that a user's Google account requires immediate security verification to prevent unauthorized access.
The Four-Step Deception Process
The fraudulent website guides users through what appears to be a legitimate four-step security enhancement process, but each step is actually designed to compromise user privacy and security.
Step One: Installation of Fake Security Tool
Victims are first prompted to install what seems to be Google's security application, which is actually a Progressive Web App (PWA) that mimics a native Google application. Malwarebytes researchers noted that once installed as a PWA, the browser address bar disappears, creating the illusion of a genuine Google application interface.
Step Two: Notification Permission Request
The site then asks users to enable notifications, claiming this will allow them to receive important security alerts. In reality, these permissions establish a direct communication channel between attackers and the victim's device, enabling ongoing access even when the fake application is closed.
Step Three: Contact Sharing Under False Pretenses
Users are asked to share contacts from their mobile devices, with the scam presenting this action as a protective measure for their contacts. After victims select their contacts, the page displays a confirmation message suggesting the contacts have been secured, but researchers confirmed this sensitive information is transmitted directly to servers controlled by cybercriminals.
Step Four: Location Data Collection
The final step requests access to the user's GPS location, falsely claiming this verification is necessary to confirm the account is being accessed from a trusted location. This permission allows the collection of detailed location data including latitude, longitude, altitude, direction, and movement speed, all of which is sent to the attackers.
Serious Security Implications
Security analysts warn that this malicious tool can intercept one-time verification codes used for two-factor authentication, which are commonly required to access Gmail accounts and other Google services. This capability significantly increases the risk of account compromise.
In some instances, the attack may install additional malicious software capable of recording keystrokes, potentially capturing usernames, passwords, and other confidential information typed on the device. Researchers also noted that once connected, attackers can route arbitrary web requests through the victim's browser as if they were browsing from the victim's own network.
Official Google Security Practices
Malwarebytes researchers emphasized that Google does not conduct security checkups through unsolicited pop-up pages or external websites. The team advised users that legitimate account security tools are accessed exclusively through official Google Account settings at myaccount.google.com.
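The two defender-side checks the article implies can be turned into a small triage script: the four steps above map to specific, publicly documented browser APIs (web app manifest / install prompt, Notification permission, Contact Picker, Geolocation), and the guidance here says the only legitimate host is myaccount.google.com. The Python below, added here as an example and not code from Malwarebytes or the article, scans page source for that combination of indicators and verifies whether the serving host actually ends in google.com rather than merely containing it. The trusted-suffix list, the scoring threshold, and the sample pages (including the hostnames) are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hosts that legitimately serve Google account tooling. The article names only
# myaccount.google.com; treating every *.google.com host as trusted is an
# assumption made for this example.
TRUSTED_SUFFIXES = ("google.com",)


def is_trusted_host(url: str) -> bool:
    """True only if the URL's hostname is google.com or a subdomain of it.

    The check anchors on the END of the hostname, so lookalikes such as
    myaccount.google.com.example.net or notgoogle.com are rejected.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


# One regex per step of the scam described in the article, matched against raw
# page source. These are standard web platform API names, not scam-specific.
INDICATORS = {
    "pwa_install":   r"rel=[\"']manifest[\"']|beforeinstallprompt",
    "notifications": r"Notification\.requestPermission|pushManager\.subscribe",
    "contacts":      r"navigator\.contacts\.select",
    "geolocation":   r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)",
    "brand_lure":    r"google\s+(?:account|security)",
}
SENSITIVE = {"notifications", "contacts", "geolocation"}


@dataclass
class Verdict:
    url: str
    hits: list[str] = field(default_factory=list)
    score: int = 0
    suspicious: bool = False


def assess_page(url: str, html: str) -> Verdict:
    """Score a page by how closely it matches the four-step permission lure."""
    v = Verdict(url=url)
    for name, pattern in INDICATORS.items():
        if re.search(pattern, html, re.IGNORECASE):
            v.hits.append(name)
    # One point per sensitive permission request, one for the PWA install step.
    v.score = len(SENSITIVE & set(v.hits))
    if "pwa_install" in v.hits:
        v.score += 1
    # Google-branded security wording served from a non-Google host is the core
    # of the lure, so it weighs more than any single permission request.
    if "brand_lure" in v.hits and not is_trusted_host(url):
        v.score += 2
    # Threshold is an assumption: off-domain lure plus at least two permissions.
    v.suspicious = v.score >= 4
    return v


# Constructed sample pages (not real sites). The first mirrors the steps the
# article describes; the second is a plain page on the legitimate host.
SCAM_URL = "https://account-security-check.example.net/"
SCAM_HTML = """<html><head><title>Google Account Security Check</title>
<link rel="manifest" href="/manifest.json"></head><body><script>
window.addEventListener('beforeinstallprompt', e => { e.preventDefault(); });
Notification.requestPermission();
navigator.contacts.select(['name', 'tel'], {multiple: true});
navigator.geolocation.watchPosition(onPosition);
</script></body></html>"""

BENIGN_URL = "https://myaccount.google.com/security-checkup"
BENIGN_HTML = """<html><head><title>Google Account</title></head>
<body><a href="/security-checkup">Run a Security Checkup</a></body></html>"""


if __name__ == "__main__":
    for url, html in ((SCAM_URL, SCAM_HTML), (BENIGN_URL, BENIGN_HTML)):
        v = assess_page(url, html)
        print(f"{url}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
```

Running the script reports the constructed scam page as suspicious (all five indicators hit on an untrusted host) and the page on myaccount.google.com as clean even though it carries the same Google branding, which is the point: the wording alone is not the signal, the combination of wording, host, and permission requests is.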
The cybersecurity experts issued clear guidance for users: "If you receive an unexpected 'security alert' asking you to install software, enable notifications, or share contacts, close the page immediately. These are classic signs of a phishing attempt designed to compromise your personal information and device security."
This sophisticated scam represents a significant escalation in cybercriminal tactics, leveraging users' legitimate security concerns to gain unauthorized access to sensitive personal data and account credentials. Security professionals recommend that users remain vigilant and verify all security communications directly through official Google channels.
