- Hackers misuse Google Tasks to deliver phishing emails
- Fake tasks trigger legitimate Google messages and bypass spam filters
- Victims see a trusted Google domain, but links lead to credential-stealing pages disguised as login screens
Hackers exploit Google’s to-do service to launch phishing attacks and bypass spam email filters.
Google Tasks is a simple task management app that comes as part of its Workspace suite that helps users organize and track task lists and integrate them with Gmail, Google Calendar, and other Google services.
But a new Kaspersky report has warned that cybercriminals have started creating fake jobs and assigning them to people by adding their email addresses. When this happens, Google automatically sends a notification to the email added in the task, bypassing all email protections and landing directly in the victim’s inbox.
Counter the threat
When the victim opens the email, they will see that it came from a legitimate Google domain and that it follows the usual corporate email format. However, in the task description there is a link that leads to a malicious landing page.
The landing page is designed to look like the regular Google login page, and people who click on it – especially those who are busy – most likely won’t see it as anything out of the ordinary.
Those who try to log in this way will give their credentials to the attackers, who can then take over their entire Google account and all the data contained there.
This is not the first and certainly will not be the last legitimate service to be abused in phishing campaigns. Cybercriminals used to do the same with Calendar. By setting up fake meetings and sending notifications to people, they were able to abuse legitimate domains to bypass filters and land emails in inboxes.
To counter this and similar threats, Kaspersky advises users to be wary of all incoming e-mail messages, regardless of the sender’s address, to carefully examine all URLs before clicking, and to warn against calling phone numbers in these e-mails.
“If you need to call support for a particular service, it is best to find the phone number on the official website of that service,” the researchers emphasized.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
