All Gmail users at risk from clever attack


WGH

All Gmail users at risk from clever attack
« on: 28 Apr 2025, 08:12 pm »
Security news from the Malwarebytes April Newsletter: this is actually a pretty amazing social engineering phishing attack to get access to all the information stored in your Google account.

Read more here:
https://www.malwarebytes.com/blog/news/2025/04/all-gmail-users-at-risk-by-clever-replay-attack

All Gmail users at risk from clever replay attack

Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials.

Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account.

A URL in the official-looking Google support email points to a sites.google.com page that looked like an exact copy of the official Google support portal. The fake Google support page then asks for your username and password.


How to avoid scams like this
  • Don’t follow links in unsolicited emails or on unexpected websites
  • Carefully look at the email headers when you receive an unexpected mail
  • Verify the legitimacy of such emails through another, independent method
  • Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.

FullRangeMan

Re: All Gmail users at risk from clever attack
« Reply #1 on: 28 Apr 2025, 09:31 pm »
I would suggest: don't use any goo account or service; instead use small email providers. Also, don't use a password manager.

WGH

Re: All Gmail users at risk from clever attack
« Reply #2 on: 28 Apr 2025, 10:35 pm »
... also don't use a password manager.

A more accurate statement would be: don't use an online or browser password manager; they all make me nervous. What could possibly go wrong?

I use and recommend KeePass, a free, open source, light-weight and easy-to-use password manager. Nothing is stored in the cloud; all passwords are in an encrypted data file on my computer. I generate a random 20-character password for every site that requires registration; that way, if one site gets hacked, only one password is stolen and it doesn't work anywhere else.

https://keepass.info/

Using KeePass is a simple copy and paste once unlocked using a master password. The data file with the passwords is encrypted; forget your master password and all your passwords are gone forever.

There is also a KeePass Android app, so I can access all my passwords from my phone by storing the portable password data file on Google Drive. Since both Google Drive and the database file are encrypted using the best and most secure encryption algorithms currently known (AES-256, ChaCha20 and Twofish), I'm not concerned about theft. The Android KeePass app is bio-locked; I use my fingerprint to unlock it.

newzooreview

Re: All Gmail users at risk from clever attack
« Reply #3 on: 28 Apr 2025, 11:32 pm »
so I can access all my passwords from my phone by storing the portable password data file on Google Drive, …

1Password works on the same principle: you hold the only key to the encrypted password database file. Even if someone hacked into 1Password's servers and took your password database, they can't do anything with it.

dspringham

Re: All Gmail users at risk from clever attack
« Reply #4 on: 28 Apr 2025, 11:42 pm »
Is KeePass available for Mac OS?

newzooreview

Re: All Gmail users at risk from clever attack
« Reply #5 on: 29 Apr 2025, 12:10 am »
It's built for Windows, but there are "unofficial ports" for iOS, macOS, Android, and others.

https://keepass.info/download.html

WGH

Re: All Gmail users at risk from clever attack
« Reply #6 on: 29 Apr 2025, 12:12 am »
Is KeePass available for Mac OS?

It looks like the original KeePass Mac development stalled, so probably not.

The KeePass download page has a couple of alternatives:

https://keepass.info/download.html

Doublej

Re: All Gmail users at risk from clever attack
« Reply #7 on: 29 Apr 2025, 02:05 am »
KeePassXC is supported on macOS.

https://keepassxc.org/