Who’s reading your email?


Recently in the news there has been concern over whether Google is doing enough to keep your email secure. Concern has arisen over the access third-party developers and apps have to your Google account. There are many apps which link to your Google account. During the installation process you set the level of access you’re prepared to give the app. If during the installation of any of these apps you’ve been asked for access to your email, and you’ve agreed to this, your email may have been read.

So what does it mean to read an email? In giving an app access to your email it is highly unlikely that people envisage another human physically reading through the contents of their emails and viewing their private email conversations. But this is exactly what you are agreeing to. This is not to say all apps will do so, but they have permission to and may do so at some point. The people with permission to read your email are not Google employees, but third parties such as developers entrusted by Google (and yourself).

Google claims to vet developers and their apps via a stringent, multi-step process. But as Facebook can attest to, once a third party has access to your data it’s difficult to control how they use it. This is not the first time concerns have been raised over Google’s commitment to privacy, with the discovery last year that the Google Home Mini was inadvertently spying on users due to a hardware flaw.

As a safety precaution we advise against giving third-party apps permission to read your email. If you’re concerned you may have given a third-party app access to read your email, you can check using Google Security Checkup and make adjustments if necessary.

If CyberGuru can assist in any way, please let us know.

Are you ready for the upcoming SSL/HTTPS changes?


It’s been confirmed: Google has announced that in July 2018 they will begin to identify all websites that do not have SSL certificates as “not secure”. Have you checked whether your website is displaying as secure?

You can check whether your website is secure by seeing if the website address in your browser’s address bar contains HTTPS. As per Google’s Blog posts, “A secure web is here to stay” and “Evolving Chrome’s security indicators”, Google Chrome will be identifying websites without HTTPS in their website address as “not secure” in version 68, due out in the next month. It is expected that the other browsers, Mozilla Firefox and Microsoft Edge, will also follow suit in due course.

With only a few weeks until these changes occur, we strongly suggest you ensure that your website has an SSL certificate so it will continue to be displayed as secure. If your website address doesn’t contain HTTPS then your website server will require the installation of an SSL certificate and changes will need to be made to the website itself.

CyberGuru’s newer website hosting plans can take advantage of an AutoSSL certificate at no cost; however, we will need to make some changes to the internal workings of your website for it to be compliant. This includes enabling the SSL certificate, updating your website’s internal links to ensure they go to the HTTPS version of the website, and testing to make sure your website works as it is intended to.
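One way to find the internal links and page resources that still point at the HTTP version of a site, as an added example (not CyberGuru’s own tooling). The host `example.com` and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action", "poster"}
# Tags whose URL is fetched as part of the page itself (mixed content).
SUBRESOURCE_TAGS = {"img", "script", "iframe", "source", "video", "audio"}


class InsecureLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        # <link> only loads a resource for some rel values (not rel="canonical").
        loads = tag in SUBRESOURCE_TAGS or (
            tag == "link" and ("stylesheet" in rel or "icon" in rel))
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # https, relative URLs, mailto: and so on are fine
            host = (parts.hostname or "").lower()
            internal = host in (self.site_host, "www." + self.site_host)
            if loads:
                self.findings.append(("mixed-content", tag, value.strip()))
            elif internal:
                self.findings.append(("internal-http-link", tag, value.strip()))
            # A plain link to someone else's HTTP site is not reported.


def find_insecure_links(html, site_host):
    finder = InsecureLinkFinder(site_host)
    finder.feed(html)
    return finder.findings


# Constructed sample page for the assumed site example.com.
SAMPLE_HTML = """
<a href="http://example.com/contact">Contact</a>
<a href="https://example.com/about">About</a>
<a href="/services">Services</a>
<img src="http://www.example.com/logo.png">
<script src="http://cdn.example.net/lib.js"></script>
<link rel="stylesheet" href="https://example.com/style.css">
<a href="http://other.example.org/">Partner</a>
"""
```

Resources reported as `mixed-content` are the ones a browser may block or warn about on an HTTPS page; `internal-http-link` entries are the links to update.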

We are providing a service for both CyberGuru clients and non-CyberGuru clients to perform the required changes on your behalf. In order to do this, we will require access to your website’s cPanel account as well as your WordPress account. We will be aiming to complete all SSL/HTTPS website changes before July; however, we will be working on a “first come, first served” basis depending on the popularity of this service.

Please contact us for a quote on how we can make your website SSL/HTTPS compliant.

Online file sharing locations being used for phishing expeditions


When we have discussed phishing in previous articles, we mentioned that they often come from financial or corporate organisations such as PayPal, Apple or Telstra. However, we have recently become aware of a number of new types of phishing scams targeting those who use online file sharing, such as Google, OneDrive and Dropbox.

Phishing scams are emails which appear to be coming from a reputable source, but are in fact not from the originating organisation but from someone else who is seeking your personal information for malicious purposes. They are not new, but are becoming increasingly sophisticated due to the advent of online file hosting, which can easily enable files to be stored without being scanned by the usual methods.

The Google Drive or Google Docs phishing scam comes through via an email appearing to be from a particular sender you may have received an email from in the past. The subject line is often titled “Financial Documents” or similar. It looks nearly identical to a document being sent from Google Drive, with subtle differences. It also contains a link to open the file, as well as some other information from Google, as can be seen in the screenshot below:

Figure: Example of Google Drive phishing email

Figure: Example of Google Drive legitimate email

We became aware of several organisations that have been infected by this Google Drive or Google Docs phishing scam. For the purposes of this article, we contacted a number of these organisations to discuss it and understand it in more detail. We appreciate the time and honesty of these organisations in helping us find out more (especially once their initial embarrassment passed!). It helped us to understand the issues and what to look for, and to educate our clients and Blog readers.

The process seems to be:

  1. A user clicks on the link in the email, which takes them to Google Drive to log in and download the malicious file. In each of the cases that we identified, it appears the user was taken advantage of after first downloading and then running a file which accessed their email address book and sent an email to their contacts requesting they download the same file.
  2. Once the malicious file opens, it accesses your address book and sends a similar email to your contacts, suggesting they download a file. Further, due to the nature of this file, you may actually be unaware of the issue until the emails are returned as undeliverable or recipients ask why they received a file.

We have also heard reports of another scam that contains a similar Google Account login page, whereby you are asked to log in; however, it actually takes you to another website and steals your account information.

Further research has identified similar scams using Dropbox and OneDrive as well. We recommend that you follow these tips to protect yourself:

  1. Make sure you always sign in directly to the service (using Google.com, Dropbox.com or OneDrive.com); don’t use the links contained within the email unless you are sure they are the correct ones.
  2. If you aren’t expecting to receive an attachment, only download or accept files after confirming from the sender that they intended to send you such a file. Instead of replying to the email that is sent, call or text the sender to confirm that they were wanting to send you such a file.
  3. If you do receive an email that is suspicious or not expected, immediately delete the email from your computer, carefully ensuring you don’t click on any links. You don’t want to share these!
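The first tip can be checked mechanically. The following is an added example, not part of the original article: it lists links in an email that name a file-sharing service in their text or address but do not actually lead to that service’s domain. The allowlist uses only the three domains named in the tips, and the sample email is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand keyword -> domain named in the tips above (assumed allowlist; extend as needed).
TRUSTED = {"google": "google.com", "dropbox": "dropbox.com", "onedrive": "onedrive.com"}


class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []    # (href, visible text)
        self._open = None  # anchor currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def under(host, domain):
    # True only for the domain itself or a real subdomain of it;
    # "drive.google.com.files-view.example" is NOT under google.com.
    return host == domain or host.endswith("." + domain)


def suspicious_links(email_html):
    collector = AnchorCollector()
    collector.feed(email_html)
    flagged = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        claimed = (text + " " + host).lower()
        for brand, domain in TRUSTED.items():
            if brand in claimed and not under(host, domain):
                flagged.append((text.strip(), host, brand))
                break
    return flagged


# Constructed sample email body; the .example hosts are placeholders.
SAMPLE_EMAIL = """
<p>Financial Documents have been shared with you.</p>
<a href="https://drive.google.com.files-view.example/open?id=1">Open in Google Docs</a>
<a href="https://drive.google.com/file/d/abc/view">Open in Google Drive</a>
<a href="http://dropbox-share.example/doc">View file</a>
<a href="https://www.dropbox.com/s/abc/report.pdf">Dropbox link</a>
"""
```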

Through our Support solution, CyberGuru can review your computers to ensure there is appropriate security in place, and our Training can help you and your staff become aware of how to identify phishing to protect you and your data. Please contact us today for further information.