- Hackers abuse Google Tasks to send phishing emails
- Fake tasks trigger legitimate Google notifications, bypassing spam filters
- Victims see a trusted Google domain, but the links lead to credential-stealing pages disguised as login screens
Hackers are exploiting Google’s Tasks service to launch phishing attacks and bypass spam filters.
Google Tasks is a simple task management app in Google’s Workspace suite. It helps users organize and track to-do lists and integrates with Gmail, Google Calendar, and other Google services.
But a new report from Kaspersky warns that cybercriminals have started creating fake tasks and assigning them to people by adding their email addresses. When that happens, Google automatically sends a notification to the email address added to the task, bypassing all email protections and landing directly in the victim’s inbox.
Counter the threat
When the victim opens the email, they will see that it comes from a legitimate Google domain and follows the company’s usual email format. However, in the task description there is a link that leads to a malicious landing page.
The landing page is designed to look like the normal Google login page, and people who reach it, especially those in a hurry, probably won’t see it as anything unusual.
Those who try to log in this way will transmit their credentials to attackers, who will then be able to take over their entire Google account and all the data found there.
This is not the first and definitely will not be the last legitimate service to be abused in phishing campaigns. Cybercriminals used to do the same thing with Calendar. By hosting fake meetings and sending notifications to people, they were able to abuse legitimate domains to bypass filters and deliver the emails to inboxes.
To counter this and similar threats, Kaspersky recommends that users be wary of all incoming email messages regardless of the sender address, carefully inspect all URLs before clicking, and avoid calling phone numbers given in these emails.
“If you need to call the support of a certain service, it is best to look up the phone number on the official website of that service,” the researchers stressed.
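The URL inspection recommended above can be automated for notifications that arrive from a Google address. The following is an added example, not code from Kaspersky or Google. The trusted-domain list, the sample message and every address, host and path in it are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = ("google.com",)  # assumption: domains treated as Google-owned
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed sample notification; addresses, hosts and paths are made up.
SAMPLE = '''\
From: Google Tasks <noreply@google.com>
To: user@example.org
Subject: Task assigned to you
Content-Type: text/html; charset="utf-8"

<p>You have a new task.</p>
<a href="https://tasks.google.com/task/abc">Open in Tasks</a>
<p>Description: verify your account at
<a href="https://accounts.google.com.signin.example/login">Google sign-in</a></p>
'''

def is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def body_urls(msg):
    """Collect URLs from every text part (plain or HTML) of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
            urls.extend(URL_RE.findall(text))
    return urls

def offdomain_links(raw_message):
    """For mail sent from a trusted domain, return links that leave it."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_trusted(sender):
        return []  # mail from other senders is left to the normal filters
    return [u for u in body_urls(msg) if not is_trusted(urlsplit(u).hostname)]

if __name__ == "__main__":
    for url in offdomain_links(SAMPLE):
        print("review before clicking:", url)
```

The suffix comparison in `is_trusted` is what catches a host that merely begins with `accounts.google.com`; a plain substring match on the URL would accept it.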