[Updated] Google phishing attack nets one million accounts with crafty spoof

News by Tom Reeve

A sophisticated phishing attack against one million of its users has been stopped, and Google says that swift action prevented it from becoming much worse.

A hacker has been raining on Google's cloud, and security experts are warning users to be wary of Google docs received from friends and colleagues following a massive phishing attack on the internet giant.

The news follows just days after it was revealed that Google, along with Facebook, had been duped by a massive whaling attack.

Google released a statement on Twitter, saying it has “taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again”.

However, cyber-security experts were quick to point out that the fix is only for this particular iteration of the attack and that now the attack vector is known, other cyber-criminals may be rushing to create copycat attacks.

The attack begins with the victim receiving an email from a known contact containing a link to a Google doc. Clicking on the link opens a genuine Google doc, which then opens a popup, from Google, requesting access to the victim's email account. If they authorise it, the malicious app then rips through the victim's contacts list and sends every contact a copy of the original phishing email from the victim's account.

The scam has been described by many cyber-security professionals as being almost undetectable.

According to Threatpost, the Kaspersky Lab security blog, when a victim clicks on the link in the phishing email to the Google doc, they are directed to Google's OAuth2 service which is where they are prompted with a message: “Google Docs would like to: Read, send, delete, and manage your email; Manage your contacts.”

Threatpost said, “The attempt to steal OAuth tokens is a departure from traditional phishing attacks that target passwords primarily.”

Anyone who fell for the attack can revoke the permissions by accessing their account settings at myaccount.google.com.
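The consent screen quoted above is the defender's signal: a client that is not Google's own but presents itself as "Google Docs" while holding full mail and contacts access. The following is an added example, not code from the article or from Google; it triages a constructed list of an account's third-party grants for exactly that pattern. The grant record fields (client_id, display_name, first_party) are assumed for illustration, while the scope URLs are the real Google OAuth2 scope identifiers for the permissions the consent screen spelled out.

```python
from __future__ import annotations
from dataclasses import dataclass

# Real Google OAuth2 scope identifiers matching the consent text in the article:
# "Read, send, delete, and manage your email" and "Manage your contacts".
FULL_MAIL_SCOPE = "https://mail.google.com/"
CONTACTS_SCOPE = "https://www.googleapis.com/auth/contacts"
HIGH_RISK_SCOPES = {FULL_MAIL_SCOPE, CONTACTS_SCOPE}

# Product names only a Google-owned client should legitimately display.
GOOGLE_PRODUCT_NAMES = ("google docs", "google drive", "gmail", "google")

@dataclass(frozen=True)
class Grant:
    client_id: str       # assumed field: the OAuth client the token was issued to
    display_name: str    # assumed field: name shown on the consent screen
    first_party: bool    # assumed field: True only for a Google-owned client
    scopes: frozenset[str]

def risk_reasons(grant: Grant) -> list[str]:
    """Return why a grant should be reviewed or revoked; an empty list means clean."""
    reasons: list[str] = []
    name = grant.display_name.strip().lower()
    impersonating = any(name == p or name.startswith(p + " ") for p in GOOGLE_PRODUCT_NAMES)
    if not grant.first_party and impersonating:
        reasons.append(f"third-party client named like a Google product: {grant.display_name!r}")
    risky = HIGH_RISK_SCOPES & grant.scopes
    if not grant.first_party and risky:
        reasons.append("third-party client holds high-risk scopes: " + ", ".join(sorted(risky)))
    return reasons

def triage(grants: list[Grant]) -> dict[str, list[str]]:
    """Map each suspicious grant's client_id to the reasons it was flagged."""
    return {g.client_id: r for g in grants if (r := risk_reasons(g))}

# Constructed sample data: the impersonating grant from the article's scenario,
# a genuine Google client with a narrow Drive scope, and an unrelated add-on.
SAMPLE_GRANTS = [
    Grant("third-party-client-constructed", "Google Docs", False,
          frozenset({FULL_MAIL_SCOPE, CONTACTS_SCOPE})),
    Grant("google-owned-client-constructed", "Google Docs", True,
          frozenset({"https://www.googleapis.com/auth/drive.file"})),
    Grant("calendar-addon-constructed", "Calendar helper", False,
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
]

if __name__ == "__main__":
    for client_id, reasons in triage(SAMPLE_GRANTS).items():
        print(client_id, "->", "; ".join(reasons))
```

Only the impersonating third-party grant is flagged, on both counts; the genuine Google client with the same display name and the narrowly scoped add-on pass.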

Eric Hodge, director of consulting at Cyberscout, told SC Media UK that this attack reminded him of another “highly effective” phishing scam against Google Gmail users in January.

Hodge says that this time the attackers went after a “systemic weakness” in Google's OAuth process which “are subject to fakery and therefore phishing attacks”.

For Hodge, the question is whether Google will address the systemic issue or just plug the gaps identified by this attack. Based on what he has seen so far, he is not optimistic.

“I am concerned about their response. Their response was to lock down the account and treat the symptoms. In my experience, what we have to do is try to find the cause so we treat the disease not the symptom. They aren't solving the underlying issues.”

He suggested that a systemic solution might involve using certificate servers for individuals. “In the old days, we called these X.509 directories, and now they are SSL or TLS certificate servers. They are third party resources that would make sure that the request you are getting is really coming from who you think it is. Biometrics could work, although it would be a massive undertaking to get a fingerprint or retinal scan associated with every email.”

Ryan Kalember, SVP cyber security strategy at Proofpoint, said, “The recent Google Docs email phishing attack leveraged some techniques that had previously been more associated with state-sponsored threat actors. That said, it was not necessarily larger in scale than any of the regular phishing campaigns that target Google, Microsoft, and other credentials.”

He added: “Based on the success of the initial attack, we would expect copycats to try and snare victims with similar campaigns.”

Jason Kerner, senior developer for phishd at MWR InfoSecurity, said, “With web-based email clients offering more functionality to developers through ‘app’ integration, essentially a set of APIs allowing additional functionality, attackers are exploiting this functionality.

“It would almost seem that an app's functionality should be vetted before being made available to the general user base, with its functionality and more importantly, its permissions being confirmed. More fine tuning of permissions in how they are presented to users and what this means to them, combined with education at the right level may reduce the spread of such an attack in the future.”

He added: “Facebook's permission system, as well as the Android operating system, have both adjusted their approach regarding what apps are allowed to do, what not to do and what that means to users. We expect these types of attacks to become more prevalent in the future as there is such a mass of information that can be gained and therefore exploited from conducting them.”
