Google Docs attack opens new can of worms for phishing scams
Thursday, May 04, 2017
It's no secret that cyberattacks are on the rise, and criminals have continued to target businesses — often with the goal of extorting money in exchange for the return of stolen information.
These attacks reached a whole new level of sophistication with a massive Google Docs phishing scam that spread like wildfire Wednesday. The attack affected fewer than 0.1 percent of Gmail accounts, but with 1 billion active monthly users on the service, that's still on the order of 1 million people.
The good news is that Google quickly discovered and shut down this targeted attack. The bad news is that this may have opened a whole new can of worms for these "phish."
"Google shut down the accounts used for the attack," said cybersecurity expert Joseph Steinberg, CEO of SecureMySocial. "But hackers could easily create similar-looking phishing emails that link to malware installation sites outside of Google."
Most phishing scams try to trick you into revealing personal information like your password or login details. What makes this Google Docs scam different is that it never asked for a password at all: it abused Open Authorization (OAuth), the mechanism that lets you grant a third-party app access to your account.
You're probably not familiar with OAuth, but it's what allows apps and programs to communicate with each other on your behalf. When you approve a consent screen, the app receives a token that lets it act on your account within the permissions ("scopes") you approved, without ever seeing your password. This is what allows your Instagram posts to appear on Facebook without having to log into Facebook every time you do so.
According to Cisco Cloudlock, the number of apps that use OAuth "has exploded from 5,500 three years ago to more than 276,000 applications this year." That's a scary thought given that OAuth attacks have also been suspected in election interference in both the U.S. and France.
So how did Wednesday's attack work?
If you've ever worked on a group project in your office, chances are you’ve probably used a Google Doc or Sheet. These cloud-based programs allow users to share and edit documents without having to ship them back and forth via email.
Typically, one person starts the document, then invites others to join for viewing and/or editing. Google will then send an email with a link to those who were invited.
The attackers did not break OAuth itself. They registered a third-party application with Google and simply named it "Google Docs," so that Google's own consent screen displayed that familiar name. Potential victims received an email that appeared to come from someone they knew and contained a link to view a Google Doc.
Clicking the link opened a genuine Google sign-in and consent page asking the victim to let "Google Docs" read their email and manage their contacts. Anyone who clicked Allow handed the attackers an access token, and the attackers' app used it to read the victim's contact list and send the same lure to everyone on it. Without ever learning the victims' passwords, the attackers gained access to their Gmail and contacts through OAuth.
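The two passages above (what an OAuth consent grant is, and how the lure directed victims to a real Google consent page for an attacker-registered app) can be made concrete with a small triage script. The example below is added here and is not code from the article, from Google, or from any party named in it. It parses Google OAuth authorization URLs seen in web-proxy logs, pulls out the `client_id`, `redirect_uri` and requested scopes, and flags requests that would hand a third party mail or contacts access. The scope URIs are Google's real ones; the log lines, user names, client IDs and redirect hosts are constructed for the demonstration. The point it illustrates is that the name on the consent screen is attacker-chosen, while the scopes and the host that receives the token are in the URL and can be inspected.

```python
"""Triage Google OAuth authorization requests found in proxy logs.

Added example, not from the original article. Sample log lines, users,
client IDs and redirect hosts below are constructed; only the Google
endpoint and scope URIs are real.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Scopes that let an app read or send mail and touch contacts. A consent
# grant for these works without the password and keeps working after a
# password change or with MFA enabled, until the grant is revoked.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full mailbox access",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Hosts Google itself may legitimately use as the redirect target.
GOOGLE_REDIRECT_SUFFIXES = ("google.com", "googleusercontent.com")


def triage_oauth_request(url):
    """Describe a Google OAuth authorization URL, or return None if it is not one.

    The app name shown to the user is looked up server-side from client_id
    and is NOT in the URL, so this function reports what is verifiable:
    the client_id, the scopes, and where the authorization code will be sent.
    """
    parts = urlsplit(url)
    if parts.netloc != "accounts.google.com" or not parts.path.startswith("/o/oauth2/"):
        return None
    q = parse_qs(parts.query)
    scopes = set(" ".join(q.get("scope", [])).split())  # space-separated list
    redirect = q.get("redirect_uri", [""])[0]
    redirect_host = urlsplit(redirect).hostname or ""
    findings = []
    for scope in sorted(scopes & SENSITIVE_SCOPES.keys()):
        findings.append(f"requests {SENSITIVE_SCOPES[scope]} ({scope})")
    third_party = redirect_host and not any(
        redirect_host == d or redirect_host.endswith("." + d)
        for d in GOOGLE_REDIRECT_SUFFIXES
    )
    # A third-party redirect is normal for OAuth; it matters when combined
    # with mail/contacts scopes, because that is where the grant ends up.
    if findings and third_party:
        findings.append(f"authorization code is delivered to third-party host {redirect_host}")
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "scopes": sorted(scopes),
        "findings": findings,
    }


# Constructed proxy log excerpt: one risky consent request, one benign
# sign-in request, one ordinary document URL.
SAMPLE_PROXY_LOG = """\
2017-05-03T17:02:11Z user=alice GET https://accounts.google.com/o/oauth2/auth?client_id=123456789012-constructed.apps.googleusercontent.com&redirect_uri=https://docs.example.net/callback&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts&response_type=code
2017-05-03T17:03:40Z user=bob GET https://accounts.google.com/o/oauth2/v2/auth?client_id=987654321098-constructed.apps.googleusercontent.com&redirect_uri=https://app.example.org/oauth&scope=openid%20email&response_type=code
2017-05-03T17:04:02Z user=carol GET https://docs.google.com/document/d/abc123/edit
"""

LOG_LINE = re.compile(r"user=(\S+) GET (\S+)")


def scan_log(text):
    """Return (user, triage) pairs for every OAuth request with findings."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        user, url = m.groups()
        info = triage_oauth_request(url)
        if info and info["findings"]:
            hits.append((user, info))
    return hits


if __name__ == "__main__":
    for user, info in scan_log(SAMPLE_PROXY_LOG):
        print(f"{user}: client_id={info['client_id']}")
        for finding in info["findings"]:
            print(f"  - {finding}")
```

Run against a real proxy export, the script turns "someone clicked a Google Docs link" into "alice granted mailbox and contacts access to client_id X, delivered to host Y", which is what you need in order to revoke the grant and block the client. Note that it can only see the authorization request; whether the user actually clicked Allow has to be confirmed from the account's connected-apps list.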
The scariest part about this attack is that multifactor authentication won't catch it and changing your password can't stop it: the attackers hold an OAuth token, not your credentials, and that token stays valid until you revoke the app's access from your Google account's connected-apps permissions page. The power lies with you.
As I wrote last year, cybertheft often starts with tricking employees. That means people are the first line of defense in these scams.
"If you receive an unexpected attachment or link, check with the sender before clicking," Steinberg said. "Checking the link, sender, recipient, content, etc., can help — in many cases you'll spot phishing emails like that — but it is always better to confirm with the sender as well since some phishing emails look real."
Companies should also educate their employees about the different types of scams out there, have their IT departments run simulated phishing campaigns within the office to find weak spots, and review which third-party apps have been granted access to company accounts.
Bottom line: If it looks fishy, it might be phishing.