On the afternoon of May 3rd, 2017, Google users started to see requests to edit a Google Doc from their contacts. Some of these were business contacts, schools, even friends. Some seemed strange, others seemed like a completely legitimate request.
In reality, the emails were part of an elaborate phishing scam intended to compromise users’ Google accounts and gain access to their personal, and even financial, information. With that kind of access from a corporate account, hackers could seriously compromise the security of an organization.
The scariest part of this particular issue, though, is that it depended completely on the end user to catch it and thwart it.
What the Google Phishing Attack Looked Like
The phishing scheme was innovative.
Users received an email from one of their contacts, requesting they edit a Google document. This is something that happens, for some of us, several times a day. It’s nothing out of the ordinary, and certainly nothing that would raise an alarm.
Opening the email, there was an “Open in Docs” button. Clicking on that took users to an app authorization page, asking the user to grant permissions to an application named “Google Docs”. The app asked permission to read, send, delete, and manage your email, as well as manage your contacts.
By clicking allow, the app would then have access to all of your information in your inbox and potentially your documents. Using those permissions, the application then emailed the same request to your contacts.
Google caught the scam very quickly, and it’s estimated that only about 0.1% of Google users were affected by the hack. But 0.1% of Google users translates, roughly, to 1 million accounts that were compromised.
The really devious and innovative piece of this was that the call was coming from inside the house – or rather, the app was coming from inside of Google.
How the Attack Worked
The concerning piece of this particular phishing scheme was that it didn’t come from fake websites or malware. It used Google’s own system against it.
The application requesting permission was a genuine, 3rd party application. It worked within Google’s system of granting apps access to your information when you authorize them to do so, using the OAuth authorization flow.
Think about any number of apps that you have. How often do you click the “Log me in with a Google account”, or, “Log me in with a Facebook account”, and so on? Instead of creating a login and password for each app you use, you use a token from one of these services to grant permission. It’s convenient and completely bypasses two-factor authentication because you have already authenticated with the original service, in this case, Google.
The twist, in this case, is that the hackers developed a 3rd party app and asked for permission to access account information, but tricked users by naming the app something that looked legitimate. The app was named Google Docs, and the permissions request was coming from Google.
There were at least 3 flags that could have alerted users to the false nature of the request.
The first was the email address the request came from. Even though the app was using the compromised account’s contact list, the email it came from was [email protected][.]com.
The second required a more savvy user’s eye to catch. On the app permissions page, you can check the app title for the developer information. That information made it clear that the permissions would direct the user off of Google’s domain, to googledocs.docscloud.info.
Lastly, if you have the Google Docs app already installed on your mobile device, you’ve probably noticed that you receive an alert whenever a request to edit or a comment has been made on a doc you have permissions to. When the phishing email came in, there was no corresponding alert through the legitimate Google Docs app.
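The same indicators described above (an app named after a Google product whose developer information points off Google’s domain, combined with the full mail and contacts permissions the worm needed to spread) can be checked mechanically against the third-party app grants in an organization. The following is an added example, not code from the original post or from Google: the record shape loosely follows what an admin token listing returns (clientId, displayText, scopes), but the records are constructed, and the developer_domain field is an assumption taken from what the consent screen shows.

```python
from typing import Dict, List

# Real Google OAuth scope strings for the permissions the phishing app asked for.
FULL_MAIL = "https://mail.google.com/"                 # read, send, delete, manage mail
CONTACTS = "https://www.googleapis.com/auth/contacts"  # manage contacts

# App names a third party should not be using for its own consent screen.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google sheets", "gmail"}
GOOGLE_DOMAINS = ("google.com", "googleapis.com")

def is_google_domain(host: str) -> bool:
    """True if host is google.com/googleapis.com or a subdomain of one of them."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)

def triage_grant(grant: Dict) -> List[str]:
    """Return the reasons a single app grant matches the 2017 'Google Docs' pattern."""
    reasons = []
    name = grant.get("displayText", "").strip().lower()
    host = grant.get("developer_domain", "")  # assumed field: domain shown as developer info
    scopes = set(grant.get("scopes", []))
    if name in GOOGLE_PRODUCT_NAMES and not is_google_domain(host):
        reasons.append("app named %r but developer domain is %r" % (name, host))
    if FULL_MAIL in scopes and CONTACTS in scopes:
        reasons.append("full mailbox plus contacts access (what the worm used to re-send itself)")
    return reasons

def audit(grants: List[Dict]) -> Dict[str, List[str]]:
    """Map clientId -> reasons for every grant that raised at least one reason."""
    return {g["clientId"]: r for g in grants if (r := triage_grant(g))}

# Constructed sample grants; the domain in the first one is the one named in the text.
SAMPLE_GRANTS = [
    {"clientId": "constructed-client-1", "displayText": "Google Docs",
     "developer_domain": "googledocs.docscloud.info", "scopes": [FULL_MAIL, CONTACTS]},
    {"clientId": "constructed-client-2", "displayText": "Calendar Sync Tool",
     "developer_domain": "example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "constructed-client-3", "displayText": "Google Drive",
     "developer_domain": "drive.google.com", "scopes": [FULL_MAIL]},
]

if __name__ == "__main__":
    for client_id, reasons in audit(SAMPLE_GRANTS).items():
        print(client_id, "->", "; ".join(reasons))
```

Only the first constructed grant is reported: the third uses a Google product name but its developer domain is Google's own, and it lacks the contacts scope.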
Google’s Fix is Only the Start for Enterprise Security
Google rapidly shut down the accounts and application at the root of the problem, and while one million users is a lot, without a rapid response from the company it could have been significantly more.
In addition, Google has already launched a new service for Android users that flags suspicious links. You can still proceed to the link, and can even report a link as legitimate. But Google does try and warn you of links it thinks are suspicious.
Knowing there are many companies using Google’s professional services for email and SaaS based business applications, it’s important to go beyond the steps that Google has taken to protect its users so that you can protect your own organization.
For years we’ve taught users in corporate security training to look at the URL of a link and to not enter personal information, including passwords, into web pages that don’t seem legitimate.
But attacks like yesterday’s require a whole new set of training to protect corporate assets from the effects of phishing scams.
Training users to be wary, and suspicious, of anything asking for permissions to their accounts and contacts is a good start. Teach them to look for inconsistencies, like the mobile alert when a document is shared through Google Docs versus the lack of an alert during yesterday’s incident. They should also be made aware of the ways in which they can validate the legitimacy of an application, such as verifying the developer information before granting permissions.
But most of all, it’s important to educate your users to be careful and alert. As quickly as companies are recovering from attacks, hackers are finding new and seemingly legitimate ways to get a user’s information.
The attack on Google users yesterday was a first step in gaining a foothold to launch deeper and more sophisticated attacks, and the damage that can be done to a corporation is astronomical. A single user – if it’s the wrong one – can end up giving access to outside forces to your corporate secrets, data, and systems. Training users to stay ahead and mindful of these kinds of attacks is the best way to prevent a significant breach in security.