Parental Control Flaw Allows Google Account Hacks

Researchers found an ongoing campaign that uses Discord lure messages, fake game websites, and Dropbox-hosted executables to steal credentials and hijack Google accounts. Attackers then abuse Google Family Link by changing an account’s age to a minor and assigning a malicious parent, which locks victims out and enables ransom demands. #Discord #GoogleFamilyLink #Dropbox #Netlify

Keypoints

  • Attackers send Discord messages posing as requests to review a game, often from compromised accounts.
  • Victims are redirected to fake game sites that lead to Dropbox links hosting malicious executables.
  • The malware can hijack browser sessions and steal login credentials, enabling account takeover.
  • Attackers abuse Google Family Link by changing a victim’s account age to under 13 and assigning a malicious “parent” account.
  • Once Family Link is established, victims can be locked out of Google account recovery because parental approval is required.
  • The attackers use compromised accounts to demand ransom payments for account return and to prevent data sales on the dark web.
  • Researchers noted that disabling Google’s “Skip password when possible” and using stronger MFA can help reduce takeover risk.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Victims received Discord messages asking them to click a game-review link that led to a fake website and malicious download (‘links sent in Discord asking for game reviews’).
  • [T1189] Drive-by Compromise – The fake game website acted as a lure that redirected users to a Dropbox-hosted executable (‘they are redirected to download a file hosted at a Dropbox link’).
  • [T1105] Ingress Tool Transfer – The attackers used Dropbox and fake game download pages to deliver the malicious executable onto victim systems (‘download for a malicious executable’).
  • [T1056.001] Input Capture: Keylogging – The malware was described as capable of stealing login credentials and browser session data (‘capacity to hijack browser sessions and steal login credentials’).
  • [T1078] Valid Accounts – Stolen account access was used to take over Discord, Steam, and Google accounts (‘take over her Discord account, ran transactions on Steam, and kicked her off of her Google account’).
  • [T1098] Account Manipulation – Attackers altered the victim’s Google account age to force Family Link supervision and gain control (‘altered Christina’s account’s age to turn her from an adult into a minor’).
  • [T1110] Brute Force – Not applicable: the article shows no brute-force activity.

Indicators of Compromise

  • [URLs] Malicious game-lure sites and payload delivery locations – https://hyperionbeta[.]netlify[.]app, https://vampirk-beta[.]netlify[.]app, https://dungeonwarriordemo[.]netlify[.]app, and Dropbox download links for DungeonWarriorDemo.exe / HyperionV2.exe
  • [File names] Malicious executables delivered through the campaign – DungeonWarriorDemo.exe, HyperionV2.exe
  • [Domains] Infrastructure used to host fake game pages – netlify[.]app, dropbox[.]com
  • [User accounts / emails] Research test accounts and victim-related Google accounts – [email protected], [email protected], [email protected]
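As an added example (not code from the ReversingLabs write-up or from this summary), the Python below refangs the indicators listed above and scans log lines for them, treating an exact hit on a listed lure host or file name as high confidence and a Dropbox-hosted `.exe` download as a lower-confidence heuristic, since dropbox[.]com itself is legitimate infrastructure. The sample proxy and EDR lines, the user and host names, and the Dropbox path are constructed placeholders; the Dropbox-executable rule is my own heuristic, not an indicator from the page.

```python
"""Match the campaign's defanged IoCs against proxy / EDR log lines (added example)."""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Indicators exactly as listed in the write-up, defanged with "[.]".
IOC_URLS = (
    "https://hyperionbeta[.]netlify[.]app",
    "https://vampirk-beta[.]netlify[.]app",
    "https://dungeonwarriordemo[.]netlify[.]app",
)
IOC_FILENAMES = ("DungeonWarriorDemo.exe", "HyperionV2.exe")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo common defanging so an indicator can be compared with real log data."""
    return (indicator.replace("[.]", ".")
                     .replace("[:]", ":")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def ioc_hosts() -> Set[str]:
    """Exact hostnames of the listed lure sites (high-confidence matches only)."""
    return {urlparse(refang(u)).hostname.lower() for u in IOC_URLS}


def classify_url(url: str) -> Optional[str]:
    """Return 'high' for a listed lure host, 'medium' for a Dropbox-hosted .exe, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in ioc_hosts():
        return "high"
    # Heuristic (assumption, not an indicator from the page): the campaign delivered
    # executables via Dropbox, but Dropbox traffic as such is benign, so flag only .exe paths.
    if (host == "dropbox.com" or host.endswith(".dropbox.com")) and parsed.path.lower().endswith(".exe"):
        return "medium"
    return None


def scan_line(line: str) -> List[dict]:
    """One finding per indicator hit in a single log line (URL and file-name hits are reported separately)."""
    findings = []
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")          # strip trailing punctuation from free-text logs
        confidence = classify_url(url)
        if confidence:
            findings.append({"type": "url", "value": url, "confidence": confidence})
    lowered = line.lower()
    for name in IOC_FILENAMES:
        if name.lower() in lowered:
            findings.append({"type": "filename", "value": name, "confidence": "high"})
    return findings


def scan_logs(lines) -> List[Tuple[int, dict]]:
    """Scan many lines; returns (1-based line number, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in scan_line(line)]


# Constructed sample log lines (placeholders, not data from the page).
SAMPLE_LOGS = [
    # proxy: a user reached a listed lure site after a Discord referral
    "proxy user=alice action=allow url=https://hyperionbeta.netlify.app/ referer=discord.com",
    # proxy: ordinary Dropbox use, no executable -> no finding
    "proxy user=bob action=allow url=https://www.dropbox.com/home",
    # EDR: a listed file name written to the Downloads folder
    "edr host=WS-07 event=file_create path=C:\\Users\\alice\\Downloads\\DungeonWarriorDemo.exe",
    # proxy: an unrelated netlify site -> no finding (exact host match only, no wildcard on netlify.app)
    "proxy user=carol action=allow url=https://docs-example.netlify.app/",
    # proxy: Dropbox direct download of a listed executable (constructed path)
    "proxy user=alice action=allow url=https://www.dropbox.com/scl/fi/PLACEHOLDER/HyperionV2.exe?dl=1",
]

if __name__ == "__main__":
    for n, f in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {f['confidence']:6} {f['type']:8} {f['value']}")
```

The exact-host rule deliberately does not match every `*.netlify.app` site: the page lists netlify[.]app as hosting infrastructure, and a wildcard there would flag a large amount of legitimate traffic. If you need broader coverage, add a separate low-confidence rule for new netlify.app hosts first seen shortly after a Discord referral rather than widening the exact match.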

Read more: https://www.reversinglabs.com/blog/parental-control-flaw-google-account