Google add-on targets spoofed log-in pages

Google unveiled Wednesday an add-on feature for its Chrome browser that will warn users when they enter their Google password on a spoofed log-in page.

The extension, called Password Alert, is meant to counter a highly-effective “phishing” pages that digital thieves use to steal people’s account data. These pages, which skillfully mimic a typical Google Docs or Gmail log-in site, can succeed as much as 45 percent of the time, Google said in a Wednesday blog post.

{mosads}“If you type your password here, attackers could steal it and gain access to your Google Account — and you may not even know it,” the company said.

From a Google account, hackers can pilfer data that gets them into bank or credit card accounts.

These fake log-in pages are so realistic that even tech-savvy users can’t always spot the difference, Google said.

“Right now, it’s left up to the user to decide whether or not to enter their password,” Drew Hintz, the lead engineer for Password Alert, told Reuters. “We expect users to know the difference between these sites, and that’s an unreasonable request to make of users.”

Google insisted the Password Alert will not create a database of user passwords, a potential privacy concern. Chrome will only remember a “scrambled” version of the login credential.

If Chrome recognizes a user entering that scrambled information on a non-Google sign-in page, it will immediately send a message urging the user to reset the password.

Phishing is a ubiquitous hacker tactic. In addition to spoofed log-in pages, phishing also takes the form of fake emails trying to lure recipients into giving up data or clicking on a malicious link.

Google estimates that 2 percent of all emails that pass through its email service are designed to steal passwords.