Saturday, January 25, 2025



A set of 12 diverse profile avatars.

Email Security Alert—Now Avatars Can Steal Your Passwords

Combine credential theft, with a billion passwords stolen by malware, and increasingly sophisticated phishing attacks often driven by AI, and the number one security threat of our time is laid bare: credential harvesting by hackers using social engineering techniques. A newly published report has revealed how this threat has just gotten even more complex, with avatars and seemingly trusted apps being used in tandem to trick users out of their passwords. Here’s everything you need to know and do.

The New Password Harvesting Threat That Employs Avatars

“Imagine sipping your morning coffee,” Stephen Kowski, the field chief technology officer at SlashNext, said, “scrolling through your inbox when a seemingly innocent ProtonMail message catches your eye.” Now imagine that this isn’t your typical email but rather a password-harvesting attack. Yeah, but I use ProtonMail for the enhanced security it offers, and being a security-minded user, I wouldn’t fall for that. Or would I? Not so fast: according to Kowski, hackers are leveraging a diverse array of cloud applications to steal passwords, including Gravatar. This matters because Gravatar manages avatars across the web, and, Kowski warned, “it’s become a prime target for cybercriminals.” How so? By exploiting Gravatar’s Profiles-as-a-Service functionality, Kowski explained, attackers are creating convincing fake profiles that mimic legitimate services and, ultimately, trick users into giving up their passwords.

Brand impersonation as a phishing tactic is hardly new, and there are plenty of protections against it; however, the SlashNext research does reveal a dangerous new twist to be aware of. “What sets modern credential harvesting apart is using unique, customized impersonations,” Kowski warned, as the use of generic, and so easier to spot, phishing tactics wanes. Instead, attackers are tailoring the fake profiles they use to better resemble the service they are mimicking. This is often done, Kowski said, through services that are not commonly known or protected against, such as Gravatar.

Avatars Under Attack: Gravatar Takes Your Security Extremely Seriously

I reached out to Gravatar, which wanted to emphasize that it takes security extremely seriously and is able to confirm that when any abuse is reported, a dedicated team takes it down quickly and swiftly.

“Our unique Verified Services feature – something not found on other platforms – requires users to prove ownership of linked accounts through OAuth or similar authentication methods. This helps profile visitors to better verify if they can trust a profile and makes it more difficult for bad actors to impersonate legitimate services,” a Gravatar spokesperson said.

“We actively monitor for and remove fraudulent profiles. We strongly encourage users to report suspicious activity using the Report Abuse link on any profile (https://support.gravatar.com/report-abuse/). Our team investigates all reports promptly as we work to maintain a trustworthy platform,” the Gravatar statement concluded.

Mitigating Phishing Attacks Involving Avatars For Brand Impersonation

The SlashNext report (https://slashnext.com/blog/is-that-really-protonmail-new-credential-harvesting-threats-targeting-cloud-apps/) recommends that users apply the following mitigations to help stop phishing attacks that employ avatars and brand impersonation from succeeding:

Verify URLs: Always check the URL of the page you're visiting. Ensure it matches the official website of the service you're using.

Be cautious with emails: If you receive unexpected emails requesting personal information, verify the sender's legitimacy before clicking any links.

Use strong, unique passwords: Implementing strong, unique passwords for each of your accounts can prevent attackers from accessing multiple services if one password is compromised.

Enable two-factor authentication: Adding an extra layer of security makes it harder for attackers to gain access, even if they have your password.
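The “verify URLs” advice above is easier to state than to follow, because a brand name appearing somewhere in a link is not the same as the link actually pointing at that brand’s domain. The following Python snippet is an added example written for this page, not code from SlashNext, Gravatar or the article’s author. It checks a link the way a careful reader should: only the host in the URL’s authority part counts, the host must be the official domain itself or a subdomain of it, and common host-spoofing shapes (a brand name before an “@”, a brand name used as a subdomain of another domain, a punycode look-alike host, plain http) are rejected. The official-domain allowlist and all sample links are constructed for the example; the `.example` domains are reserved names and not real sites.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the services the article mentions.
# A reader would maintain their own list of domains they actually use.
OFFICIAL_HOSTS = {"proton.me", "protonmail.com", "gravatar.com"}


def host_belongs_to(host: str, official: str) -> bool:
    """True if host is exactly `official` or a real subdomain of it."""
    return host == official or host.endswith("." + official)


def check_link(url: str, official_hosts=OFFICIAL_HOSTS):
    """Return (ok, reason) for a link found in an email.

    Only the parsed host decides. A brand name that merely appears
    somewhere in the string (path, userinfo, a longer domain) does not.
    """
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, not https"

    if parts.username is not None:
        # https://protonmail.com@evil.example/ : everything before '@' is
        # userinfo, and the browser connects to what comes after it.
        return False, "URL carries userinfo before '@'; real host is hidden after it"

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "URL has no host"

    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised labels can render as look-alikes of Latin letters.
        return False, f"host {host} uses punycode; possible homoglyph look-alike"

    if any(host_belongs_to(host, official) for official in official_hosts):
        return True, f"host {host} is an official domain"

    return False, f"host {host} is not an official domain"


# Constructed sample links of the kinds a reader might meet in an inbox.
SAMPLE_LINKS = [
    "https://account.proton.me/login",              # genuine subdomain
    "https://gravatar.com/profile",                 # genuine domain
    "https://protonmail.com.evil.example/login",    # brand used as a subdomain
    "https://protonmail.com@evil.example/login",    # brand in userinfo
    "https://evilprotonmail.example/login",         # brand embedded in the label
    "http://gravatar.com/profile",                  # plain http
    "https://xn--prtonmail-abc.example/login",      # punycode label
]


def classify_samples():
    """Run every constructed sample through check_link; used by the demo."""
    return {url: check_link(url) for url in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, (ok, reason) in classify_samples().items():
        print(f"{'OK  ' if ok else 'STOP'} {url}\n      {reason}")
```

The rule that matters is the suffix comparison in `host_belongs_to`: `account.proton.me` ends with `.proton.me` and passes, while `protonmail.com.evil.example` does not end with `.protonmail.com` and fails, even though the brand is the first thing a reader sees in the address. The same check is what a browser’s address bar shows once the page has loaded, so comparing the host there against the official domain before typing a password is the manual equivalent of this function.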

“By understanding the tactics used in credential harvesting and adopting robust security measures,” Kowski concluded, “you can protect yourself and your valuable information from falling into the wrong hands.” And that’s good advice when dealing with any phishing threat, whether it uses avatars or not.

Davey Winder
