Security Experts | May 04, 2017

Google Docs Scam

Following the news that one million Google Docs users have been hit by a phishing scam, IT security experts from Vectra Networks, MWR InfoSecurity, Wombat Security, Tripwire, Lastline and OwlDetect commented below.

Matt Walmsley, EMEA Director at Vectra Networks:

“Google’s extremely large customer base makes it highly attractive to cyber criminals, but the same can happen to organisations of any size. No company wants to be at the end of a data breach. But what this case has demonstrated, is that it’s not a case of ‘if’ but ‘when’.

“Security is a strategic issue. Businesses that lack transparency and willingness to address security matters in an honest and open way will see a significant impact on the bottom line, and damage their market value and reputation. In this latest attack, Google has acted quickly to report and shut down the breach and release a statement to inform the public. In doing so, it has managed to preserve its reputation and shown itself to be transparent and in control of the situation.

“When the EU general data protection regulation (GDPR) comes into force in May 2018, reporting breaches, will be imperative. Companies that fail to put the appropriate security controls in place and notify authorities will face incremental fines of up to four per cent of the global annual revenue for non-compliance.”

Jason Kerner, Senior Developer for phishd at MWR InfoSecurity:

“The newest Google Docs link that is being reported as phishing is a deviation away from the more traditional email phishing attacks, in that this attack is linking a third party application to users’ Google accounts. Once this application is linked to a user’s account it then has access to all of their contacts and therefore gains a list of new targets.

Accessing users’ contacts is something that has been seen with Google attacks previously and appears to be a favoured approach by attackers at present. Quite often these attacks will be the first phase of a more complex and targeted attack by utilising the information gained.

With web-based email clients offering more functionality to developers through ‘app’ integration, essentially a set of APIs allowing additional functionality, attackers are exploiting this functionality. It would almost seem that an app’s functionality should be vetted before being made available to the general user base, with its functionality and more importantly, its permissions being confirmed. More fine tuning of permissions in how they are presented to users and what this means to them, combined with education at the right level may reduce the spread of such an attack in the future. Facebook’s permission system, as well as the Android operating system, have both adjusted their approach regarding what apps are allowed to do, what not to do and what that means to users.

We expect these types of attacks to become more prevalent in the future as there is such a mass of information that can be gained and therefore exploited from conducting them.”

Joe Ferrara, CEO atWombat Security:

“This recent Google Doc phishing attack shows that hackers are continuing to use phishing to steal passwords and gain entry to organizations’ systems. While many noticed this was a malicious email, it is easy to fall victim to. This email appears to come from someone you know and directs you to a Google domain – highlighting the increased sophistication of phishing attacks and the swift damage they can cause.

The best way for organizations to protect themselves is to continually train end users on how to spot suspicious emails and keep them updated on new attack techniques. Humans will continue to make mistakes when it comes to phishing. But it is possible for organizations to increase awareness and educate end users to make better decisions, fewer mistakes and alert the appropriate department about questionable emails so info security teams can become more proactive.”

Tyler Reguly, Manager, Security Research & Development at Tripwire:

“Someone created a malicious app in the by the name of Google Docs. While it had an official sounding name, it was far from it.  Since the awareness of phishing campaigns has been rising over the years, criminals have to increase their tactics to levels such as spoofing official apps such as Google Docs.  Not only does this have a casual appearance of being legitimate, by being part of the official marketplace the link in the email went back directly to legitimate Google servers.  For those that are trained to validate the link before clicking on it, this passes two of the common techniques the majority of internet users are trained to not click on every link they come across (does it come from someone you trust and validate the link is going to a trusted source)..

“Once you click on the link, the application will ask for permissions to your email account. If granted, it will begin to use your account to send out further spam emails. At this time, there does not appear to be anything malicious in the sense of stealing sensitive data, however having your account compromised in this manner can still make you feel violated. If anyone clicked through and granted permissions, it is a simple process to remove the access. Navigate to https://myaccounts.google.com/permissions and remove the permissions for the “Google Docs” application.

“One important thing to note. Within an hour of the initial report being posted to Reddit, Google had put a fix in place to mitigate the threat.”

Brian Laing, VP at Lastline:

“Phishing attacks continue to plague businesses as it takes just one employee to possibly give hackers access to an entire network. While this latest attack is done well, it still is a relatively simple phishing attack, and should serve as a reminder to businesses that, despite all of the advanced malware and sophisticated attacks, criminals still sometimes use old schemes. Employees should be reminded to always be on their guard and look closely before entering credentials, clicking on links, or responding to suspicious emails. Should, or rather, when an employee falls victim to phishing, criminals are capable of using whatever is initially compromised, such as credentials, to eventually gain access to a system, or a network, and install malware to further the attack. Accordingly, it is imperative that businesses adopt advanced malware protection to quickly identify and mitigate sophisticated evasive malware in the unfortunate, but all too likely, event that an employee lets down their guard.”

Professor Richard Benham, Security Advisor at Online Service OwlDetect:

“For a corporation recently crowned as the largest company in the world, Google Docs’ phishing email is a cause for concern. The attack affected “fewer than 0.1%”, but with billions of Gmail users worldwide, this is one of the latest and largest phishing scams we’ve seen this year.

“It’s natural for you to feel some unease if you regularly use Google Docs or own a Gmail account. If you’ve accidentally opened this fake document either yesterday or today, there are simple actions you can take to ease this situation and regain control.

“Firstly, log into your Google account’s permissions page and remove all the access privileges from the Google Docs’ account that conducted the phishing scam. If you don’t recognise any active applications, it’s best precaution to remove it. You can always reactivate it later if you realise you needed the application. Secondly, you should reset your password and ensure you’re using Google’s official website and not logging into a fake site. Trustworthy sites can be identified by a green padlock in the address bar, and often it says “Secure”. Thirdly, change any passwords which might be affected and use a strong alphanumeric code that includes numbers, hashtags and punctuation.

“Lastly, if you’re still finding suspicious activity, consider using services like OwlDetect which can monitor the web and alert you if any of your personal information is leaked.”