Nmedia - Fotolia
Google Docs phishing attack grants attacker full Gmail access
A Google Docs phishing attack abused OAuth to give malicious actors full access to a victim's Gmail account and contacts, but Google claims to have blocked the attacks.
It took Google about one hour to acknowledge and reportedly block a Google Docs phishing scheme that was sweeping the web on Wednesday.
The Google Docs phishing attacks were first described by user JakeSteam on Reddit. The victim would receive an email that appeared to be a Google Doc that someone shared; following the link would send the user to the Google account selection screen and then a screen asking to grant the malicious "Google Docs" permission to access Gmail messages and contacts.
All of this looked like the real Google login process, according to those who received the email, because the third-party app used the Google Drive icon and listed itself under the name "Google Docs," however clicking on the "Google Docs" name that is asking for access permissions reveals the email address of the attacker, not an official Google service.
According to JakeSteam, this Google Docs phishing attack bypasses two-factor authentication and spreads by sending itself to everyone in the victim's contact list, including addresses the user had emailed but hadn't fully saved to their contacts.
Jaime Blasco, chief scientist at AlienVault, said it looks as if the attack is using a "fake application to abuse OAuth."
"Once you give permissions, the attacker will have access to your emails. This is similar to what APT28 -- the group behind the DNC hack, France election groups attacks -- was using a while back," Blasco told SearchSecurity via email. "I don't believe they are behind this though because this is way too widespread. Many people and organizations have received similar attempts so this is probably something massive and less targeted."
Within an hour of the original reddit post about the Google Docs phishing attack, a Googler had replied to JakeSteam saying the issue was being escalated, and was soon updated with an official statement by Google:
"We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."
Mitigating the risk of the Google Docs phishing scheme
Mounir Hahad, senior director at Cyphort Labs, was unsure if this would be an effective response by Google.
"This is somewhat of a game changer in the sense that there is little to point to as malicious. Any app out there can use Google's API for authentication. For Google to respond to this kind of phishing attack is like a game of whack-a-mole," Hahad told SearchSecurity. "The widespread attacks will be relatively easy to identify and to respond to, but the more targeted ones will fly under the radar for a while."
Travis Smith, senior security research engineer at Tripwire, said the Google Docs phishing scheme protections put in place "will most likely prevent this in the future," but attackers will find ways to trick users by spoofing apps in similar ways.
Joe Ferrarapresident and CEO, Wombat Security Technologies
"These may not be as successful in terms of a click-rate in this campaign, but an attacker only needs to be right once to gain a foothold. It's surprising that an attack, which was as successful as this one, did not have a more malicious intent behind it. If the author behind this campaign was truly evil, this would have been a much more serious problem," Smith told SearchSecurity. "Google should do what any security practitioner should do when defending against attacks: Think like a hacker. Trying to put on the black hat and think how you would bypass your own protections will help create a more robust application when compared to those who are entirely reactionary."
Joe Ferrara, president and CEO of Wombat Security Technologies, noted that educating users is still the best way to combat phishing attacks.
"This email appears to come from someone you know and directs you to a Google domain -- highlighting the increased sophistication of phishing attacks and the swift damage they can cause. The best way for organizations to protect themselves is to continually train end users on how to spot suspicious emails and keep them updated on new attack techniques," Ferrara told SearchSecurity. "Humans will continue to make mistakes when it comes to phishing. But it is possible for organizations to increase awareness and educate end users to make better decisions, fewer mistakes and alert the appropriate department about questionable emails so infosec teams can become more proactive."