Zelijka Zorz | May 08, 2017

Spectacular phishing attack pushes Google to improve defenses

The most recent Google-themed phishing attack shouldn’t have come as a surprise, but it did – and has affected around a million Gmail users.

As Google succinctly explained it: “Victims of this attack received an email that appeared to be an invite to a Google Doc from one of their contacts. When users clicked the link in the attacker’s email, it directed them to the attacker’s application, which requested access to the user’s account under the false pretense of gaining access to the Google Doc. If the user authorized access to the application (through a mechanism called OAuth), it used the user’s contact list to send the same message to more people.”

The attack was made possible by poor design choices regarding Google’s OAuth interface. The only information immediately shown to the users is the name and logo of the app asking for permission, and nowhere is it made crystal clear that this is a third-party app, and not one by Google.

In this last attack, the malicious app was named “Google Docs”, and the icon of Google Drive – enough to fool many into believing that it’s a legitimate Google app.

Researchers have been warning about the risk associated with this feature as far back as October 2011, and then again in September 2014.

But Google obviously didn’t consider the risk to be too grave.

What happens now?

“With web-based email clients offering more functionality to developers through ‘app’ integration, essentially a set of APIs allowing additional functionality, attackers are exploiting this functionality,” noted Jason Kerner, Senior Developer on Phishd at MWR InfoSecurity.

“It would almost seem that an app’s functionality should be vetted before being made available to the general user base, with its functionality and more importantly, its permissions being confirmed. More fine tuning of permissions in how they are presented to users and what this means to them, combined with education at the right level may reduce the spread of such an attack in the future.”

He says that he expects these types of attacks to become more prevalent in the future, and praised Facebook’s and Android’s permission system:

“Facebook’s permission system, as well as the Android operating system, have both adjusted their approach regarding what apps are allowed to do, what not to do and what that means to users,” he pointed out.

Now, in the wake of this latest spectacular attack, Google has vowed to improve protections as well, but did not go into too many details.

“We’re taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users,” the company noted on Friday.

It now remains to be seen how efficient these changes will be.

How can users protect themselves?

“The recent Google Doc phishing attack shows these attacks are becoming more sophisticated, harder to spot and can cause damage very quickly. The best way for organizations to protect themselves is to continually train end users on how to spot suspicious emails and keep them updated on new attack techniques. If organizations aren’t taking the steps to help employees identify suspicious emails, they are directly putting their personal information and systems at risk,” says Joe Ferrara, CEO of Wombat Security.

“There are three primary things end users should keep in mind: pause before clicking on links or interacting with a message; verify emails with that appear to come from a trustworthy source but look suspicious by reaching out separately to the sender; and report any suspicious messages to your IT department to help identify problems early.”

Those first two pieces of advice should also be implemented by users in their private lives.