Latest news with #emailattack

Delete Any Emails That Include These Images On Your Phone Or PC

Forbes

19-07-2025


Republished on July 19 with new analysis into this dangerous image email attack.

Here we go again. There's a fast-growing threat in your inbox that's hard to detect — even for security software on your PC. This has 'seemingly come out of nowhere,' but you need to be aware. And it means deleting a raft of incoming emails.

The new warning comes courtesy of Ontinue, which says 'threat actors are increasingly leveraging Scalable Vector Graphics (SVG) files as a delivery vector for JavaScript-based redirect attacks.' Plenty of these images, 'commonly treated as harmless' contain 'embedded script elements' that lead to browser redirects. And that's a huge risk.

While these images might be .SVG attachments, as we have seen before, they could also be links to external images pulled into the email. And the campaign also relies on spoofed domains and email lures to trick users into opening and engaging.

As Sophos explains, the SVG file format 'is designed as a method to draw resizable, vector-based images on a computer. By default, SVG files open in the default browser on Windows computers. But SVG files are not just composed of binary data, like the more familiar JPEG, PNG, or BMP file formats. SVG files contain text instructions in an XML format for drawing their pictures in a browser window.'

VIPRE warns that 'up until this point, SVGs have been recognized by email security tools as generally benign image files, which is why attackers are now having so much success hiding their nefarious exploits in them.'

Looking at these latest attacks, SlashNext's J Stephen Kowski told me 'when you open or preview these 'images,' they can secretly redirect your browser to dangerous websites without you knowing.' That means you need to be 'extra careful' with images.

Because these attackers leverage spoofed domains and senders to trick you, it isn't as easy as just avoiding emails from unknown senders. Instead, you should delete any email with an .SVG attachment unless you're expecting it. And you should allow your browser to block external images until you're certain of their origin.

Kowski says these emails will also likely be 'pushy about viewing the image right away,' and while 'your email provider's built-in security features, such as spam filtering and safe attachments, can help, they're not perfect against these newer tricks.'

Jason Soroko from Sectigo goes even further, warning security teams to 'treat every inbound SVG as a potential executable,' as the surge in such attacks continues.

The real threat though lies in user complacency. SVG attacks, VIPRE says, are now tussling with PDFs to become 'attackers' favorite attachments of choice.' These are only images, most users assume, and so no click-throughs, no harm.

Bambenek Consulting's John Bambenek says this is 'a fresh spin on the technique of using image files for delivering suspect content, in this case, malicious PDFs. The attackers have to rely on complacency ('it's only an image, it doesn't execute code') to lull organizations into accepting this content and getting it on the inside of a network.'

Ontinue says 'the observed targets of this campaign fall into B2B Service Providers, including the ones handling valuable Corporate Data regularly, including Financial and Employee data, Utilities, Software-as-a-Service providers that are great social engineering targets as they expect to receive a high volume of emails.'

The payload itself 'is delivered via an .SVG file that contains a JavaScript block hidden within a CDATA section. The embedded code uses a static XOR key to decrypt a secondary payload at runtime. This decoded script reconstructs and executes a redirect command using the Function() constructor.'

And the team warns 'this technique demonstrates how adversaries are shifting away from executable payloads and towards smuggling (HTML and now SVG) techniques. By embedding script logic into image formats and using trusted browser functions, the attack chain avoids triggering traditional behavioral or signature-based alerts.'

The emails containing the attachments or links will be simple, 'using a minimal format to avoid detection and provoke curiosity or interaction.' Hijacking poorly protected domains or spoofing others with special characters enhances the lure.

'While this report and research is valuable to enterprises,' Bambenek says, 'and the search valuable for hunt teams, organizations without a security staff or end consumers will remain vulnerable to conventional cybercrime with this technique.'

'This SVG attack vector is exactly what we've been tracking,' Kowski warns. 'Attackers have exhausted much of the text-based social engineering playbook over the last ten years and are now getting creative with content payloads to execute malicious code.' And this is easily done because 'attackers can easily spoof trusted senders, making recipients more likely to open what appears to be an innocent image file.'

'The beauty of SVG files from an attacker's perspective,' he told me, 'is that they look like harmless images but can contain embedded JavaScript that runs the moment someone opens the file in a browser, bypassing traditional email security that focuses on executable attachments.'

Which means users need a new defensive playbook. And so the advice is just as simple. If you're not expecting an email which includes image links or .SVG attachments, delete them from your inbox.

'This campaign highlights a creative pivot in attacker methodology,' the team says, 'using benign file formats to hide malicious logic and evade established detection controls.' Which is another way of saying that you're your own best defense.
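For mail gateways that want to act on the advice to 'treat every inbound SVG as a potential executable,' the following is an added example, not code from the article or from any vendor it quotes. It parses an attachment as XML and lists the active content that makes an SVG more than a picture; the function names, the tag list and the sample files are assumptions made for this sketch.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy lists for this sketch: elements and URL forms that can run or embed code.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
RISKY_URLS = ("javascript:", "data:text/html")

def local(name):
    """Drop an '{namespace}' prefix and lowercase the name (a conservative match)."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list:
    """Return reasons to quarantine this SVG; an empty list means no active content found."""
    # Refuse entity declarations before parsing: they enable expansion bombs.
    # (The byte match covers UTF-8 and other ASCII-compatible encodings.)
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:          # CDATA-wrapped scripts still parse as <script>
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)          # href and xlink:href both become "href"
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                target = re.sub(r"\s+", "", value).lower()
                if target.startswith(RISKY_URLS):
                    findings.append(f"script-capable URL on <{tag}>")
    return findings

# Constructed samples with no working payload: one "image" with script content, one plain.
SAMPLE_ACTIVE = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script type="text/javascript"><![CDATA[ /* placeholder body */ ]]></script>
  <rect width="10" height="10"/>
</svg>"""
SAMPLE_PLAIN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    print(scan_svg(SAMPLE_ACTIVE))
    print(scan_svg(SAMPLE_PLAIN))
```

Because the check looks at document structure rather than script text, it does not depend on recognising the XOR-encoded payload or the Function() call the report describes.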

Warning to all Gmail users over new type of attack

Daily Mail​

16-07-2025


A new type of email attack is quietly targeting 1.8 billion Gmail users without them ever noticing. Hackers are using Google Gemini, the built-in AI tool in Gmail and Workspace, to trick users into handing over their credentials.

Cybersecurity experts found that bad actors are sending emails with hidden instructions that prompt Gemini to generate fake phishing warnings, tricking users into sharing their account password or visiting malicious sites. These emails are crafted to appear urgent and sometimes to come from a business. By setting the font size to zero and the text color to white, attackers can insert prompts invisible to users but actionable by Gemini.

Marco Figueroa, GenAI bounty manager, demonstrated how such a malicious prompt could falsely alert users that their email account has been compromised, urging them to call a fake 'Google support' phone number provided to resolve the issue.

To counter these prompt injection attacks, experts recommend that companies configure email clients to detect and neutralize hidden content in message bodies. Additionally, implementing post-processing filters to scan inboxes for suspicious elements like 'urgent messages,' URLs, or phone numbers could bolster defenses against such threats.

The trick was uncovered after research, led by Mozilla's 0Din security team, showed proof of one of the attacks last week. The report demonstrated how Gemini could be fooled into displaying a fake security alert, one that claimed the user's password had been compromised. It looked real but was entirely built by hackers to steal information.

The trick works by embedding the prompt in white text that blends into the email background. So when someone clicks 'summarize this email,' Gemini processes the hidden message, not just the visible text. This type of manipulation, called 'indirect prompt injection,' takes advantage of AI's inability to tell the difference between a user's question and a hacker's hidden message. According to IBM, AI cannot tell the difference, as they both look like text, so AI follows whichever comes first, even if it is malicious.

Security firms like HiddenLayer have shown how an attacker could craft a completely normal-looking message but fill it with hidden codes and URLs, tools designed to fool AI. In one of the cases, hackers sent an email that looked like a calendar invite. But inside the email, hidden commands told Gemini to warn the user about a fake password breach, tricking them into clicking a malicious link.

Google admitted this kind of attack has been a problem since 2024 and said it added new safety tools to stop it, but the trick appears to still be working. In one case, a major security flaw reported to Google showed how attackers could hide fake instructions inside emails that trick Gemini into doing things users never asked for. Instead of fixing the issue, Google marked the report as 'won't fix,' meaning they believe Gemini is working the way it is supposed to.

That decision shocked some security experts, because it basically means Google sees this behavior, not recognizing hidden instructions, as expected, not broken. This means that the door is still open for hackers to sneak in commands that the AI might follow without question. Experts are concerned that if the AI cannot tell the difference between a real message and a hidden attack, and Google would not fix the behavior, then the risk remains active.

AI is becoming more popular for quick decisions and email summaries. It is not just Gmail: the risk spreads as AI is incorporated into Google Docs, Calendar, and outside apps. Cybersecurity experts say some of these attacks are even being created and carried out by other AI systems, not just human hackers.

Google has reminded users that it does not issue security alerts through Gemini summaries. So if a summary tells you your password is at risk or gives you a link to click, treat it as suspicious and delete the email.

In a recent blog, Google said that Gemini now asks for confirmation before doing anything risky, like sending an email or deleting something. That extra step gives users a chance to stop the action, even if the AI was tricked. Google also displays a yellow banner if it detects and blocks an attack. If the system finds a suspicious link in a summary, it removes it and replaces it with a safety alert. But some problems still have not been solved.
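One way to 'detect and neutralize hidden content in message bodies' before a summarizer sees them, as an added example that is not code from the article, Google or 0Din. It splits an HTML body into the text a reader can see and the text hidden by inline styles such as zero font size or white color; the class name, function name, style heuristics and sample message are assumptions, and rules set through CSS classes are not resolved.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text from a human reader (heuristic; CSS classes are not resolved).
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0(?![.\d])|display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?![.\d])"
    r"|(?<![-\w])color\s*:\s*(?:(?:white|#fff(?:fff)?)\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))",
    re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}

class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []                    # (tag, hidden?) for every open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:                    # void elements never enclose text
            return
        styles = " ".join(v or "" for k, v in attrs if k == "style")  # duplicates too
        hidden = (bool(self.stack and self.stack[-1][1])              # inherited
                  or any(k == "hidden" for k, _ in attrs)
                  or bool(HIDDEN_STYLE.search(styles)))
        self.stack.append((tag, hidden))

    handle_startendtag = handle_starttag   # HTML ignores "/>" on non-void elements

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray end tags are ignored, as browsers do.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text or (self.stack and self.stack[-1][0] in ("script", "style")):
            return
        (self.hidden if self.stack and self.stack[-1][1] else self.visible).append(text)

def split_hidden(html_body):
    """Return (visible_text, hidden_fragments); pass only visible_text to the summarizer."""
    parser = VisibleText()
    parser.feed(html_body)
    parser.close()
    return " ".join(parser.visible), parser.hidden

# Constructed sample: two visible lines and one inline-styled span a reader never sees.
SAMPLE = ('<div><p>Hi team, the Q3 notes are attached.</p>'
          '<span style="font-size:0px; color:#ffffff">[constructed hidden instruction'
          ' addressed to the summarizer]</span><p>Regards, Sam</p></div>')
```

A non-empty list of hidden fragments is also a useful signal for flagging or quarantining the message, since ordinary correspondence rarely carries invisible text.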

Urgent warning to all 1.8b Gmail users over 'new wave of threats' stealing accounts… Do this NOW

Daily Mail​

16-07-2025



Washington Post resets logins after several journalists' email accounts were hacked.

The Verge

16-06-2025

  • Business

The Wall Street Journal reports that on Sunday, an internal memo from executive editor Matt Murray notified employees about an attack on its email system, possibly by a foreign government. It also cites unnamed sources saying that the Microsoft accounts targeted included reporters on the national security and economic policy beats, including some who write about China. CNN says the outlet reset all employee logins on Friday, and that Murray said they don't believe it has had any impact on customers.
