Google Docs attack opens new can of worms for phishing scams
Thursday, May 04, 2017
It's no secret that cyberattacks are on the rise, and criminals have continued to target businesses — often with the goal of extorting money in exchange for the return of stolen information.
These attacks reached a new level of sophistication with a massive Google Docs phishing scam that spread like wildfire Wednesday. The attack affected only 0.1 percent of Gmail accounts, but with 1 billion active monthly users on the service, that's still roughly 1 million people.
The good news is that Google quickly discovered and shut down the attack. The bad news is that it may have opened a whole new can of worms for these "phish."
"Google shut down the accounts used for the attack," said cybersecurity expert Joseph Steinberg, CEO of SecureMySocial. "But hackers could easily create similar-looking phishing emails that link to malware installation sites outside of Google."
Most phishing scams try to trick you into revealing personal information like your password or login info. What makes this Google Docs scam different is that it never asked for a password at all: it abused the authorization flow of Open Authorization (OAuth) to obtain an access token for the victim's account.
You're probably not familiar with OAuth, but it's the mechanism that lets you grant one app limited access to your account at another service without handing over your password. It is what allows your Instagram posts to appear on Facebook without having to log into Facebook every time you post: you approve the connection once, and Instagram receives a token it can use on your behalf from then on.
According to Cisco Cloudlock, the number of apps that use OAuth "has exploded from 5,500 three years ago to more than 276,000 applications this year." That's a scary thought given that OAuth attacks have also been suspected in election interference in both the U.S. and France.
So how did Wednesday's attack work?
If you've ever worked on a group project in your office, chances are you've used a Google Doc or Sheet. These cloud-based programs allow users to share and edit documents without having to ship them back and forth via email.
Typically, one person starts the document, then invites others to join for viewing and/or editing. Google will then send an email with a link to those who were invited.
The attackers did not exploit a flaw in the OAuth protocol itself. They registered a third-party application with Google and named it "Google Docs," so the permission prompt looked like a legitimate Google request. Potential victims received an email that appeared to come from someone they knew and contained a link to view a Google Doc.
When a victim clicked the link, Google's own consent screen asked them to grant "Google Docs" access to their Gmail and contacts. As soon as the victim clicked Allow, the attackers' app received an OAuth token for that account and used it to mail the same lure to everyone in the victim's address book, which is how the attack spread on its own. Without ever learning the victims' passwords, the attackers were able to read their mail and send mail as them through OAuth.
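The following is an added example, not code from the original article or from Google. It shows what a security team can read out of the authorization URL behind a consent-phishing lure (the link a user is sent to before the Allow button) and the properties that made the May 2017 worm dangerous: broad Gmail and contacts scopes in the same request, and a redirect back to a domain nobody recognises. The scope strings and the accounts.google.com endpoint are real; the client IDs, redirect hosts and the two sample URLs are constructed for the example. The check generalises to any OAuth 2.0 authorization request, not only Google's.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Google's authorization endpoint host. A "Google" consent prompt served from
# anywhere else is not Google's consent screen at all.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Real Google scope strings that grant broad access. Any one of them deserves
# a second look before Allow is clicked.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/gmail.compose": "create and send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}
MAIL_SEND_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.compose",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


def parse_consent_request(url):
    """Pull the OAuth 2.0 authorization-request fields that matter for triage."""
    parts = urlparse(url)
    params = parse_qs(parts.query)

    def first(key):
        return params.get(key, [""])[0]

    return {
        "auth_host": (parts.hostname or "").lower(),
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        # scope is a single space-separated parameter in OAuth 2.0
        "scopes": first("scope").split(),
    }


def _is_trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def assess_consent_request(url, trusted_redirect_domains):
    """Return (parsed request, list of findings). An empty list means nothing stood out."""
    req = parse_consent_request(url)
    findings = []
    if req["auth_host"] not in GOOGLE_AUTH_HOSTS:
        findings.append("authorization endpoint is not accounts.google.com: " + req["auth_host"])
    redirect_host = (urlparse(req["redirect_uri"]).hostname or "").lower()
    if not _is_trusted(redirect_host, trusted_redirect_domains):
        findings.append("redirect_uri host is not a trusted domain: " + redirect_host)
    scopes = set(req["scopes"])
    for scope in sorted(scopes & set(HIGH_RISK_SCOPES)):
        findings.append("high-risk scope: %s (%s)" % (scope, HIGH_RISK_SCOPES[scope]))
    # Reading the address book plus sending mail is exactly what a worm needs.
    if scopes & MAIL_SEND_SCOPES and scopes & CONTACT_SCOPES:
        findings.append("can read the address book and send mail: enough to self-propagate")
    return req, findings


def build_google_auth_url(client_id, redirect_uri, scopes):
    """Construct a sample authorization URL (helper for the constructed inputs below)."""
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(query)


# Constructed sample inputs; the client IDs and hosts are made up for this example.
LURE_URL = build_google_auth_url(
    "000000000000-lureapp.apps.googleusercontent.com",   # hypothetical
    "https://docs.example-cloud.net/callback",            # hypothetical attacker host
    ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"],
)
BENIGN_URL = build_google_auth_url(
    "000000000000-calsync.apps.googleusercontent.com",    # hypothetical
    "https://calendar-sync.corp.example.com/oauth/callback",
    ["https://www.googleapis.com/auth/calendar.readonly"],
)
TRUSTED_REDIRECT_DOMAINS = {"corp.example.com"}

if __name__ == "__main__":
    for label, url in (("lure", LURE_URL), ("benign", BENIGN_URL)):
        req, findings = assess_consent_request(url, TRUSTED_REDIRECT_DOMAINS)
        print(label, req["client_id"], req["scopes"])
        for f in findings:
            print("  -", f)
```

The app's display name, the thing the 2017 lure spoofed, is not in the URL at all; it is shown only on the consent page. That is why the redirect host and the requested scopes are the two things worth reading before clicking Allow, and why a support desk triaging a reported email should ask for the full link rather than a screenshot of the prompt.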
The scariest part about this attack is that multifactor authentication won't catch it, because the victim completes the sign-in legitimately and then hands the app a token, and changing passwords can't stop it, because a password change does not invalidate tokens an app already holds. The only thing that cuts the attacker off is revoking the app's access in the account's connected-apps settings (for Google accounts, https://myaccount.google.com/permissions). Before that point, the power lies with you.
As I wrote last year, cybertheft often starts with tricking employees. That means people are the first line of defense in these scams.
"If you receive an unexpected attachment or link, check with the sender before clicking," Steinberg said. "Checking the link, sender, recipient, content, etc., can help — in many cases you'll spot phishing emails like that — but it is always better to confirm with the sender as well since some phishing emails look real."
Companies should also educate their employees about the different types of scams out there and even use their IT departments to simulate attacks within the office to discover vulnerabilities.
Bottom line: If it looks fishy, it might be phishing.