Fake Google Meet Update Allows Hackers to Control Windows PCs


A new phishing scheme exploits a fake Google Meet update page to trick Windows users into granting hackers remote control of their computers.

A recent discovery by cybersecurity researchers has unveiled a sophisticated phishing tactic that targets Windows users through a counterfeit Google Meet update page. This deceptive scheme allows attackers to gain control of victims’ computers without the need for traditional malware or stolen passwords.

The fake update page, designed to resemble an official Google Meet notification, prompts users to click a button labeled “Update now.” However, instead of downloading a legitimate update, this action enrolls the user’s Windows computer in a remote management system controlled by the attackers.

Researchers from Malwarebytes, a cybersecurity firm known for its malware detection and removal software, identified this phishing website. The page employs familiar Google branding and colors, making it appear credible to unsuspecting users. Once a user clicks the “Update now” button, a built-in Windows feature is triggered, leading to a legitimate system window titled “Set up a work or school account.” This window typically appears when an IT department configures a device for an employee.

In this scam, the setup window is pre-filled with information that connects the computer to a remote management server controlled by the attacker. The system points to an online management service hosted on Esper, a legitimate platform used by businesses to manage their devices. If the victim proceeds through the setup process, their computer becomes enrolled in a mobile device management system, granting the attacker the same level of control that a corporate IT department would have over a work laptop.

Security experts note that attackers do not expect all users to complete the enrollment process. Even a small number of successful enrollments can provide enough access to make the campaign worthwhile.

This phishing attack exploits a legitimate Windows feature rather than relying on malware installation. Windows includes a device enrollment feature that allows companies to connect employee computers to a management system. Once a device is enrolled, administrators can remotely control various aspects of that machine. In a typical workplace, this functionality aids IT teams in installing software, enforcing security settings, and managing devices. However, attackers have found a way to trick users into joining their management system.

When users click the fake update button, Windows initiates a built-in enrollment process, which appears legitimate and can bypass many security warnings. If users complete the steps, the attacker effectively becomes the administrator of their computer, enabling them to silently install software, modify system settings, access files, lock screens, or even wipe the device entirely. Additionally, the attacker could install further malware at a later stage. Traditional antivirus tools may not detect any issues, as the operating system itself is executing the actions.

In response to inquiries, a Google spokesperson stated, “These ‘update now’ prompts are not legitimate Google communications. This is a phishing campaign that attempts to trick users into a Windows device enrollment process. Google Meet updates are handled automatically through your browser or the official app. Google will never prompt you to visit a third-party site to enroll a personal device to receive an update.”

To avoid falling victim to such scams, users are advised to exercise caution when encountering messages that prompt updates. It is essential to verify the legitimacy of such requests before proceeding. Major platforms rarely require updates through random web pages; legitimate Google Meet updates occur automatically through the browser or the official app and do not necessitate visiting third-party sites.

Users should always check the URL bar to ensure they are on the official Google Meet site, which is meet.google.com. A genuine update will not attempt to enroll an entire computer or trigger system-level setup screens. If such a prompt appears unexpectedly, it is likely a scam. Instead, users should access the service directly from its official website or app to check for updates.

On a Windows computer, users can navigate to Settings, then Accounts, and look for “Access work or school.” If an account or organization they do not recognize is listed there, they should disconnect it immediately. This section indicates whether a device has been enrolled in a remote management system.
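The same check can be scripted for triage across several machines. The following is an added example, not part of the original report: it reads the registry location where Windows records management enrollments (`HKLM:\SOFTWARE\Microsoft\Enrollments`) and flags any provider that is not on an allowlist. The function name `Get-MdmEnrollment` and the `$expectedProviders` list are assumptions for illustration.

```powershell
# Added example: enumerate MDM enrollments recorded by Windows and flag unexpected ones.
# $expectedProviders is a hypothetical allowlist. Leave it empty on a personal PC,
# where no management enrollment is expected at all.
$expectedProviders = @()
$enrollmentRoot    = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-MdmEnrollment {
    Get-ChildItem -Path $enrollmentRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Subkeys without a ProviderID are bookkeeping entries, not active enrollments.
        if ($props.ProviderID) {
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                ProviderID   = $props.ProviderID
                UPN          = $props.UPN
                DiscoveryUrl = $props.DiscoveryServiceFullURL
                Expected     = $expectedProviders -contains $props.ProviderID
            }
        }
    }
}

$found = @(Get-MdmEnrollment)
if ($found.Count -eq 0) {
    Write-Output 'No MDM enrollment recorded on this device.'
} else {
    # Rows with Expected = False should be compared against
    # Settings > Accounts > Access work or school and disconnected if unrecognized.
    $found | Format-Table -AutoSize -Wrap
}
```

The `DiscoveryUrl` column shows which management server the device was pointed at during enrollment, which is the detail to compare against the organization the user actually belongs to.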

Cybercriminals often leverage personal information available online to enhance the effectiveness of their phishing attacks. Data removal services can help eliminate personal information from data broker sites, reducing the likelihood of targeted attacks. While this may not prevent this specific phishing tactic, it can make individuals harder targets overall.

Google’s AI protections in Gmail block over 99.9% of spam, phishing, and malware, but scams can still reach users through search results, ads, or links shared outside their inbox. Therefore, employing robust antivirus software with real-time protection can help detect suspicious behavior that may arise after an attacker gains control of a device. Although this phishing attack utilizes legitimate Windows features, security tools can still identify unusual system changes or malicious software installed afterward.

Keeping software up to date is crucial, as updates often include security enhancements that help block new attack methods. Running the latest version of Windows and web browsers reduces the risk of attackers exploiting older system vulnerabilities.

Using a password manager can also enhance security by ensuring that login details are only autofilled on legitimate websites. If users encounter a phishing page masquerading as a service like Google Meet, their password manager will not fill in their information, serving as a warning that something is amiss.

If a Windows system window unexpectedly appears asking users to set up a work or school account, they should stop and close it immediately. Legitimate setup prompts typically arise when configuring a device or following employer instructions, not from clicking on random websites.

As cybercrime evolves, attackers increasingly exploit legitimate features embedded within operating systems and cloud services. In this instance, both Windows device enrollment and the management platform used are genuine tools designed for business use, which attackers have redirected toward unsuspecting individuals. This highlights the ease with which powerful enterprise features can be repurposed for malicious purposes in the absence of adequate safeguards.

For further information on this phishing scheme and to stay updated on cybersecurity best practices, visit CyberGuy.com.
