UPDATE: Google has released an official response to the phishing scam incident and has taken steps to shut it down, including blocking the originating accounts and deactivating the app’s API credentials.

Talos Security posted a very in-depth analysis of the attack a short time ago that is worth the read if you’re a “techy” like me.

Original Post:

An email arrives in your inbox with the subject “Arlene Smith has shared a document on Google Docs with you.”  The email gives you a familiar Google link to open the document in Docs.  Well, if you clicked it and clicked “Allow” on the next screen, you fell for a phishing scam.  And soon you’ll likely be hearing from your colleagues, friends and family about the strange email they got from you.

If you fell for this attack or are unsure, quickly go to https://myaccount.google.com/u/1/permissions and remove the app named “Google Docs” (no longer necessary as per Google’s statement, since Google revoked the app’s credentials). Note that the “/u/1/” part of that address selects the second account you are signed into; check the permissions page for each Google account you use:

The real “Google Docs” never needs to ask permission this way: first-party Google services do not go through the third-party app consent screen, so any “Google Docs” entry in your connected-apps list is an impostor. While you are at it, take some time to clean up your permissions by removing any apps you do not recognize or no longer use.

How does it work?

Phishing attacks are common, and most of us have learned to recognize the spam emails asking us to “update” or “verify” our information. People still fall for them regularly: they click the link in the email and log in at what appears to be a legitimate site, unknowingly handing their credentials to the attackers. Most common anti-phishing techniques target this straightforward credential theft, and there are usually red flags: an unknown sender, poor spelling or grammar, a strange website address. Savvy users will usually sense something amiss and disregard the email (Gmail even warns users when an email appears suspicious), but unfortunately many will not, and these attacks have become gateways for spreading ransomware and for stealing (and possibly disseminating) valuable information (e.g., the DNC and John Podesta hacks).

They are also self-perpetuating: a compromised user’s contacts become the next targets, so a single click can potentially traverse your entire organizational structure.

However, this particular campaign was significantly different in that it abused Google’s OAuth authorization system, the mechanism third-party apps use to request access to a Google account, to make a third-party app look like a legitimate Google product (Docs) requesting access to the victim’s email and contacts. No password was ever entered on a fake page; the victim simply granted the app access, and that access let it read contacts and send the same email onward. The creator cleverly registered the app under the name “Google Docs”, and apparently Google did not have a check in place to catch an impersonating name. If you clicked the link in the email, it took you to a legitimate Google page requesting access to your account:

This is a very common prompt that you will get whenever using an app for the first time or when an app’s permissions have changed.  However, upon closer inspection (clicking the highlighted “Google Docs” name), you can view the Developer info and that it is not an official Google app:

This information should be featured more prominently on the permission prompt rather than hidden behind a link: the app name is chosen by whoever registered the app, so only the developer identity tells you who you are really authorizing. Hopefully, Google will address the weakness this exposed to prevent similar attacks in the future. In the end these types of attacks can’t be stopped completely, but companies and organizations can mitigate them as much as possible through a combination of security measures, awareness and education.
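To make that point concrete, here is an added example (not code from the original post) of how an administrator might triage the third-party OAuth grants across an organization. It flags apps whose developer-chosen name impersonates a Google product, weights them by the scopes they were granted (mail and contacts are what this campaign took), and groups flagged client IDs by how many distinct users authorized them, since one client ID appearing across many accounts at once is the footprint of a self-propagating consent phish. The records are constructed sample data; they only imitate the fields (clientId, displayText, scopes, userKey) returned by the Google Workspace Admin SDK Directory API tokens.list call, and the code does not call that API. The client IDs, app names and users are made up.

```python
"""Triage third-party OAuth grants for Google-impersonating app names and
sensitive scopes, and spot a client ID that many users authorized at once.

Added example, not code from the original post. The records below are
constructed and only imitate the fields returned by the Google Workspace
Admin SDK Directory API tokens.list call (clientId, displayText, scopes,
userKey); client IDs, names and users are made up.
"""
from collections import defaultdict
from dataclasses import dataclass

# Scopes that hand an app the data this campaign went after: mail and contacts.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


@dataclass(frozen=True)
class Grant:
    user: str
    client_id: str
    display_text: str  # developer-chosen app name shown on the consent screen
    scopes: tuple


@dataclass(frozen=True)
class Finding:
    user: str
    client_id: str
    display_text: str
    severity: str
    sensitive: tuple


def is_google_lookalike(display_text: str) -> bool:
    """First-party Google products never show up as third-party grants, so a
    third-party app whose name invokes Google or Gmail is impersonating one."""
    name = " ".join(display_text.lower().split())  # collapse spacing tricks
    return "google" in name or "gmail" in name


def triage(grants, allowlist=frozenset()):
    """Flag grants by what they claim to be and by what data they can reach."""
    findings = []
    for g in grants:
        if g.client_id in allowlist:  # known, vetted app: skip
            continue
        lookalike = is_google_lookalike(g.display_text)
        sensitive = tuple(sorted(set(g.scopes) & SENSITIVE_SCOPES))
        if lookalike and sensitive:
            severity = "high"
        elif lookalike or sensitive:
            severity = "medium"
        else:
            continue
        findings.append(Finding(g.user, g.client_id, g.display_text, severity, sensitive))
    return findings


def worm_candidates(grants, min_users=3, allowlist=frozenset()):
    """Client IDs flagged by triage() that many distinct users authorized.
    A fresh client ID spread across many accounts is the signature of a
    self-propagating consent phish rather than a tool one team adopted."""
    users_by_client = defaultdict(set)
    for f in triage(grants, allowlist):
        users_by_client[f.client_id].add(f.user)
    return {cid for cid, users in users_by_client.items() if len(users) >= min_users}


# Constructed sample data (hypothetical client IDs and users).
LOOKALIKE_ID = "000000000001-lookalike.apps.googleusercontent.com"
MAIL_AND_CONTACTS = ("https://mail.google.com/", "https://www.googleapis.com/auth/contacts")

SAMPLE_GRANTS = [
    Grant("alice@example.com", LOOKALIKE_ID, "Google Docs", MAIL_AND_CONTACTS),
    Grant("bob@example.com", LOOKALIKE_ID, "Google Docs", MAIL_AND_CONTACTS),
    Grant("carol@example.com", LOOKALIKE_ID, "Google  Docs", MAIL_AND_CONTACTS),
    Grant("dave@example.com", "000000000002-chat.apps.googleusercontent.com", "Team Chat",
          ("openid", "https://www.googleapis.com/auth/userinfo.email")),
    Grant("erin@example.com", "000000000003-merge.apps.googleusercontent.com", "Mail Merge Helper",
          ("https://www.googleapis.com/auth/gmail.send",)),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f"{f.severity:6} {f.user:20} {f.display_text!r:20} {f.client_id}")
    print("worm candidates:", worm_candidates(SAMPLE_GRANTS))
```

Run against real data, the output of `triage()` is the revocation list, and `worm_candidates()` is the shortlist to report to Google and to block at the organization level; the `allowlist` parameter holds the client IDs of apps your organization has actually vetted, so that a legitimate add-on for a Google product is not re-reviewed on every run.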

Here are some steps you can take right now to prevent most phishing attacks:

  • Enable two-factor/multi-factor authentication for your users and require it where possible. Note that MFA protects against the classic credential-theft phish; it would not have stopped this campaign, where an already signed-in user simply authorized a third-party app.
  • Reset passwords every 90 days and enforce complexity/uniqueness requirements (current NIST guidance in SP 800-63B favors long passwords screened against known-breach lists over forced periodic rotation, so weigh rotation against that).
  • Strengthen spam protection in your email system.
  • Add an SPF record to your domain and enable DKIM/DMARC to prevent spoofing. These stop forged senders; they would not have caught this campaign, whose messages were sent from compromised accounts through Gmail itself and therefore passed those checks.
  • Maintain an allow-list of the mail sources authorized to send on behalf of your domain and reject everything else.
  • Ensure end-user systems are running updated anti-virus software with the latest signatures.
  • Implement email antivirus/malware scanning.
  • Strip risky attachment types from inbound email, such as archives (.zip, .rar, .7z, .tar, etc.).
  • Periodically audit the third-party apps that have been granted access to your organization’s accounts and revoke anything unrecognized, not just on each user’s permissions page but centrally where your mail platform’s admin console allows it.

How are you safe-guarding your data?  Contact us today and we’ll work with you to devise an education program relevant to your company’s needs.
