Google Docs Phished Under OAuth, Opens Door to Copycat Attacks

May 9, 2017 Marketing GrafWebCUSO

Security experts reacted to a Google Docs-themed phishing attack that hijacked Gmail accounts and spammed their contact lists. Google shut the attack down, but not before it had affected an estimated one million users.

Google said in a statement that it had disabled the offending accounts, which represented less than 0.1% of roughly one billion Gmail users. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”

The phishing attack’s significance may lie not in how it spread, but in how it worked: it used no malware and no fake websites to dupe users into giving up passwords, and in fact never needed victims to type a password at all.

In the Google Docs scheme, the attacker registered a third-party application dressed up to look like Google Docs and asked victims to grant it permission to read, write and otherwise access their email. The scam relied on OAuth (Open Authorization), an open standard for delegated authorization on the Internet. OAuth does not work through passwords; it works through permission tokens. The user approves a set of requested permissions (scopes) on the provider’s own consent page, and the application then receives an access token limited to those scopes. The password never changes hands, which is exactly why the usual phishing defenses did not apply: what the attacker walked away with was a token, and that token stays usable until it expires or the user revokes the app’s access.
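To make the mechanism concrete, the following is an added example (not code from the article, from Google, or from the attacker) that builds the kind of OAuth 2.0 authorization request a third-party app sends a user to, and then parses such a URL to list what a consent click would actually hand over. The endpoint and scope strings are Google’s real identifiers used as literals; the client ID, redirect host and state value are constructed placeholders, and the risk labels and the `first_party_hosts` heuristic are this example’s own assumptions, not Google policy.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint (a real URL, used here only as a string).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Real Google scope identifiers, paired with this example's plain-language reading of each grant.
SCOPE_RISK = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and modify Gmail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}
MAIL_SCOPES = {s for s in SCOPE_RISK if "mail.google" in s or "/gmail." in s}
CONTACT_SCOPES = {s for s in SCOPE_RISK if "/contacts" in s}


def build_consent_url(client_id, redirect_uri, scopes, state):
    """Build the authorization request a third-party app redirects the user to.

    Note what is NOT in this URL: the app's display name. The consent screen shows
    whatever name was registered for client_id, so a screen that says "Google Docs"
    proves nothing about who runs the app.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,      # where the provider sends the authorization code
        "response_type": "code",
        "scope": " ".join(scopes),         # OAuth 2.0 scopes are space-delimited
        "access_type": "offline",          # asks for a refresh token: access outlives the session
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def assess_consent_url(url, first_party_hosts=("google.com",)):
    """Parse a consent URL and report what a user would be giving away by clicking Allow."""
    query = parse_qs(urlparse(url).query)
    scopes = set(query.get("scope", [""])[0].split())
    host = urlparse(query.get("redirect_uri", [""])[0]).hostname or ""
    # Heuristic (assumption of this example): a code delivered to a host outside the
    # provider's own domain means a third party, not the provider, ends up holding the token.
    first_party = any(host == h or host.endswith("." + h) for h in first_party_hosts)

    findings = [SCOPE_RISK[s] for s in sorted(scopes) if s in SCOPE_RISK]
    if not first_party:
        findings.append(f"token is delivered to third-party host {host!r}")
    if "offline" in query.get("access_type", []):
        findings.append("refresh token requested: access persists until the grant is revoked")
    # Mail plus contacts is the worm combination: read the mailbox, then message every contact.
    wormable = bool(scopes & MAIL_SCOPES) and bool(scopes & CONTACT_SCOPES)
    if wormable:
        findings.append("mail + contacts together: can read mail and message every contact")

    return {
        "scopes": sorted(scopes),
        "redirect_host": host,
        "first_party": first_party,
        "wormable": wormable,
        "findings": findings,
    }


# Constructed sample: a hypothetical client registered under a Google-sounding name,
# asking for mail and contacts and sending the code to an attacker-controlled host.
SAMPLE_URL = build_consent_url(
    client_id="000000000000-example.apps.googleusercontent.com",  # placeholder, not a real client
    redirect_uri="https://googledocs.example.invalid/callback",   # constructed attacker host
    scopes=["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"],
    state="constructed-state-value",
)

if __name__ == "__main__":
    report = assess_consent_url(SAMPLE_URL)
    print("redirect host:", report["redirect_host"], "(first party)" if report["first_party"] else "(THIRD PARTY)")
    for line in report["findings"]:
        print(" -", line)
```

The point the parser makes is that every warning sign lives in the query string (scopes, `redirect_uri`, `access_type`), none of it in the branded consent page the victim actually looks at. A user-side check is to read the permission list on the consent screen literally; an admin-side check is to review and revoke third-party grants from the account’s connected-apps settings, since the token, not the password, is what was stolen.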

Yonathan Klijnsma, threat researcher at San Francisco-based threat management firm RiskIQ, explained: “Traditional phishing involves luring victims to fake login pages and obtaining their credentials. This new method involves social engineering the victim to authorize a fake OAuth app to use their account information. It is illegitimate usage of the service, although the functionality they are using for OAuth is legit.”

Klijnsma warned, “As with anything new, this probably will cause a spike in attacks like these – although they only work for services that do OAuth. Bank phishing, for example, will not be affected by this.”

The attack does present some security difficulties. “It’s probably more difficult to explain to victims. ‘Yeah, you’re going to a legit Google page, yes the document you are viewing is legit, no the authorization for this connecting of your account is not legit,’” Klijnsma added.

“The key to any social engineering attack is how well the attacker hides their malicious intent,” Brian Minick, CEO for Cincinnati-based cybersecurity firm Morphick, said. “In this case, the attacker did a great job hiding their intent by very closely associating themselves with Google.” He added the email was sent from the Gmail account of someone they knew, the URL went to Google Docs, etc.

“Unlike a lot of other attacks that utilize similar, but not correct URLs (ur1 instead of url), this attack utilized actual Google services.” From the victim’s perspective, the only tip-off was being asked to allow “Google” access to contacts and calendar. “For Gmail users, Google is already managing these things and therefore already has access.”

Minick suggested this attack highlights the challenges user-awareness based security programs face. “It is one thing to train a user to look for emails from people they do not know or emails with misspelled words. It is another to successfully train them to identify when anything looks strange. Based on this, attacks of this nature will continue to succeed.”

Morphick VP of Services and Incident Response Brian Klenke explained, “This attack was interesting for a couple of reasons. The first, it was so widespread and caused such noticeable noise and impact. Many emails rely on social engineering attempts, but it’s not often that wormable code will be this successful. By using the same language and looking familiar to a legit Google service, the attacker was able to deceive the user into allowing a third-party application to take control of the victim’s email.”

Around the world, people reported receiving multiple copies of the email, including about 2,500 Minnesota state employees. It reportedly cost the state $90,000, mainly the result of employees dealing with the attack rather than carrying out their normal jobs.