Overview
- Google has confirmed a renewed surge in Gmail attacks driven by sophisticated phishing and infostealer malware that harvest passwords and authentication tokens.
- Hackers are cloning Google’s ‘suspicious sign-in prevented’ alerts and fake voicemail notifications to redirect users to pixel-perfect login clones hosted on legitimate-seeming domains.
- Recent campaigns capture not only passwords but also SMS and voice verification codes, authenticator and backup tokens, and cookies and session credentials, letting attackers bypass standard two-step verification.
- Google advises users to never click links in unexpected emails, to review recent security events in their account and to adopt passkeys or non-SMS verification methods.
- In response, Google has released Device Bound Session Credentials in public beta and is building a Shared Signals Framework to detect and block token theft across platforms.