48 Hours After the Google Phishing Scam, Don’t Let Your Guard Down
Several news outlets have reported on the Google Docs phishing scam, so we won’t rehash all the details here.
The short version is: On Wednesday, one million Gmail accounts were hit with a Google Docs phishing scam. The way the scam worked was the target user received an email, likely from someone they knew, asking them to collaborate on a Google Doc. If the user clicked through, they were prompted with a screen where the well-disguised, malicious application (cleverly named “Google Docs”) requested access to the user’s Gmail account. Upon hitting accept, access was granted, and the same phishing email was sent out to all of the targeted user’s contacts. Google released a statement saying the event was contained the same day and advising users who fell victim to the scam to visit g.co/SecurityCheckup and remove any unexpected apps. (If you want more information on the phishing scam, you can find some here, here, and here.)
Figure 1 – Fake Google Docs App
The effectiveness of the attack left organizations wondering what to do to help prevent a recurrence.
Recommendations for a stronger password or two-factor authentication are great for overall security, but since with this type of attack the targeted user was already logged in, these types of controls don’t offer real protection.
So, what’s a better way to protect against increasingly sophisticated phishing scams?
A Preventative Measure Against Phishing Attacks
This phishing scam was a reminder to all of us of the importance of cybersecurity awareness for employees. Here are three action items to help prevent this kind of attack in the future:
Teach Employees to Spot the Signs of a Phishing Attack.
- Tell your employees to look at the recipients field to make sure that there are no unexpected email addresses. For example, with the Google phishing scam, the recipient email address was a bogus address containing a long repeated “hhh” string.
- Underline the importance of context. The obvious check is the sender: if it’s not someone you’re familiar with, be suspicious of the email. Similarly, if the subject is not one you would expect to hear from that sender about, it should also prompt caution.
- Remind them to check for hidden signs that the website or application they are about to be directed to is not legitimate. In some instances, this can be as easy as hovering over the link to make sure that it goes to the official website. In the case of the Google Docs scam, clicking on the application name showed information about the developer, including their email address, which was a personal Gmail account.
Build in Periodic Access Reviews.
- Whether it’s asking your Director of IT to send out a weekly email or scheduling a recurring calendar alert, you should plan time for your employees to review which applications have access to your company’s data (or even an employee’s personal data). In the case of the Google phishing scam, this means going to your “My Account” page, scrolling down to the Sign In & Security section and checking which apps have access to your account. You can see how this extends to other good security habits, like checking which mobile apps have access to your location on your iPhone.
- Relatedly, tell your employees to be cautious about granting access to applications in the first place. A good practice is to pause for 10 seconds before clicking through each prompt. This brief pause encourages employees to actually read what access the application requires. Instead of quickly clicking through without understanding what permissions are being granted, the employee has a chance to consider what privacy or security issues might be presented.
- To review all currently authorized Google Apps visit: https://myaccount.google.com/permissions
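One way to turn that periodic review into a repeatable check, as an added example that is not code from the original post or from SecurityScorecard: it applies the three tells the text describes (a first-party product name on a third-party app, a personal Gmail developer contact, and broad mailbox/contacts permissions) to a list of grants. The grant records, the `verified_publisher` flag and the name/domain lists are constructed assumptions, not output of any Google API.

```python
"""Triage third-party OAuth grants the way the periodic access review recommends.
Added example with constructed sample data; the Grant records are NOT output of
any real Google API, and verified_publisher is an assumed field."""
from dataclasses import dataclass

# Google first-party product names an impostor app is likely to borrow (assumed list).
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google sheets"}
# Scopes that hand over full mailbox or contact control (real Gmail/People API scopes).
BROAD_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/contacts"}
# Consumer mail domains: a "Google" app whose developer writes from one is suspect.
CONSUMER_MAIL = {"gmail.com", "googlemail.com"}


@dataclass
class Grant:
    display_name: str
    developer_email: str
    scopes: list
    verified_publisher: bool = False  # assumption: whether the publisher identity was verified


def review_grant(g: Grant) -> list:
    """Return the review findings for one grant; an empty list means nothing was flagged."""
    findings = []
    name = g.display_name.strip().lower()
    if name in FIRST_PARTY_NAMES and not g.verified_publisher:
        findings.append("name impersonates a Google product but publisher is unverified")
    domain = g.developer_email.rsplit("@", 1)[-1].lower()
    if domain in CONSUMER_MAIL:
        findings.append(f"developer contact is a personal {domain} address")
    broad = sorted(set(g.scopes) & BROAD_SCOPES)
    if broad:
        findings.append("requests broad scopes: " + ", ".join(broad))
    return findings


def review_all(grants) -> dict:
    """Map app name -> findings, keeping only grants worth revoking or asking about."""
    flagged = {}
    for g in grants:
        findings = review_grant(g)
        if findings:
            flagged[g.display_name] = findings
    return flagged


# Constructed sample: a benign add-on and an impostor resembling the app described above.
SAMPLE_GRANTS = [
    Grant("Acme Calendar Sync", "support@acme.example",
          ["https://www.googleapis.com/auth/calendar"], verified_publisher=True),
    Grant("Google Docs", "someone@gmail.com",
          ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]),
]

if __name__ == "__main__":
    for app, findings in review_all(SAMPLE_GRANTS).items():
        print(app)
        for f in findings:
            print("  -", f)
```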
Encourage Reporting of Incidents and Suspicious Emails.
- Most importantly, create a culture where employees understand that reporting suspicious incidents is a prudent security behavior. Internally, reporting helps promote awareness within the organization and can prevent other employees from falling victim to the same scam. Externally, reporting helps alert other organizations in the same space and can also help resolve or contain the problem. For example, if you see another Google phishing scam, report it.
Implement a Continuous Security Monitoring Solution.
- A continuous security monitoring solution will alert you to security weaknesses that arise within your enterprise, such as leaked or circulating email and password credentials or outdated software. Compromised email/password combinations are useful tools that attackers leverage to launch phishing campaigns as well as to access enterprise resources. Get a free instant SecurityScorecard report for your enterprise here.
Whether your company was affected by the Google phishing scam or not, remember that a mature cybersecurity program is one that doesn’t only react to these types of incidents, but one that prepares for the next one. Use this as an opportunity to improve your company’s security posture and to have a dialogue about the prevalence of phishing scams and the important role that employees play in a company’s ability to secure sensitive data.
The Malicious Google App
The code for the Google App used in this phishing attack is quite interesting. Its effectiveness seems to lie in the simplicity of the code and its functions. The attackers simply combined standard app-development functionality with social engineering in order to trick users into granting persistent access to their Gmail accounts.
SecurityScorecard analysts were able to extract the code for the Google App before the campaign was taken offline.
The full source code is available here: https://pastebin.com/LLFwwiFw