Gmail users around the world have been hit with a sophisticated email scam using a malicious Google Docs app to hijack their inboxes and spam all their contacts.
The attack is more likely to have worked because it arrived from someone known to the user, and the link in question is said to have directed back to legitimate Google servers rather than a password-harvesting page, so it passed two tried-and-tested checks for spotting phishing attempts.
The email link urges recipients to click through to read a document the ‘sender’ has shared.
Clicking through then takes them to an official Google account-chooser page listing all the user’s accounts, which crucially asks them to grant a ‘Google Docs’ app permission to access their Gmail account.
That Google Docs app is a fake: the real Google Docs already has account access by default and never needs to request extra permissions, so a third-party app presenting that name is itself the tell.
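The consent-grant trick described above leaves a durable artifact that a password reset does not remove: an OAuth token issued to the attacker’s app. As an added example (not from the article or from Google), the following Python script audits a list of third-party grants for the two indicators the article points to: a client that presents a first-party Google product name, which the real product would never need to do, and a grant of mailbox or contact scopes. The records are constructed sample data shaped like the `tokens` resources of the Google Workspace Admin SDK Directory API (field names `userKey`, `clientId`, `displayText`, `scopes`); nothing here calls that API, and the `allowlist` of known-good client IDs is an assumed organisational input.

```python
"""Flag third-party OAuth grants that look like consent phishing.

Constructed example: the token records below mimic the shape of
Admin SDK Directory `tokens.list` results, but are not real data.
"""
from dataclasses import dataclass, field

# Scopes that hand an app the mailbox/contact access the fake app asked for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# First-party product names. A genuine Google product never appears as a
# third-party grant, so a third-party client using one of these is a lure.
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail", "google"}

# Constructed sample grants (not real users, client IDs or apps).
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com",
     "clientId": "1111-fake.apps.googleusercontent.com",
     "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "alice@example.com",
     "clientId": "2222-cal.apps.googleusercontent.com",
     "displayText": "Team Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com",
     "clientId": "3333-crm.apps.googleusercontent.com",
     "displayText": "CRM Mail Connector",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
]


@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    severity: str            # "high" = impersonation, "review" = broad scopes only
    reasons: list = field(default_factory=list)


def assess_token(token, allowlist=frozenset()):
    """Return (severity, reasons) for one grant; severity "none" means no finding."""
    if token["clientId"] in allowlist:
        return "none", []
    reasons = []
    name = token.get("displayText", "").strip().lower()
    impersonates = name in FIRST_PARTY_NAMES
    if impersonates:
        reasons.append("third-party client uses a first-party Google product name")
    risky = sorted(set(token.get("scopes", [])) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("mailbox/contact scopes granted: " + ", ".join(risky))
    if not reasons:
        return "none", []
    return ("high" if impersonates else "review"), reasons


def audit(tokens, allowlist=frozenset()):
    """Assess every grant and return the list of findings worth acting on."""
    findings = []
    for t in tokens:
        severity, reasons = assess_token(t, allowlist)
        if severity != "none":
            findings.append(Finding(t["userKey"], t["clientId"],
                                    t.get("displayText", ""), severity, reasons))
    return findings


def revocation_targets(findings):
    """(user, clientId) pairs whose grant should be revoked outright.

    In a real deployment these would be fed to the admin's token-revocation
    step (the article's point: resetting the password alone does not help).
    """
    return [(f.user, f.client_id) for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in audit(SAMPLE_TOKENS):
        print(f"[{f.severity}] {f.user} -> {f.display_text!r} ({f.client_id})")
        for r in f.reasons:
            print("    -", r)
    print("revoke:", revocation_targets(audit(SAMPLE_TOKENS)))
```

The impersonation rule deliberately does not try to distinguish "real" from "fake" client IDs; it relies on the fact the article states, that first-party Google products never show up as consent grants at all, so any grant wearing that name is wrong by construction. The broad-scope rule is a lower-severity triage signal, since legitimate connectors do request mail scopes; the allowlist is where an organisation records the ones it has reviewed.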
However, experts agreed it’s a relatively sophisticated attack.
Security firm Agari claimed it had seen over 3,000 organizations compromised in just a few hours, sending 23,000+ emails to its customers.
“This attack is different and scary because of its ability to evade common defenses and leverage Google APIs to trick users into granting access,” argued the firm’s field CTO, John Wilson.
“The attack didn’t directly try to steal usernames and passwords like a typical phishing scam but rather tricked users into allowing complete access to their email account. Typically, users have been trained to change their password when they think they have been a victim of a phishing scam. In this case, that would not solve the problem.”
Wilson claimed this could be a new breed of attack.
“Next time, the attacker might be smarter and only mine the information while propagating slowly enough not to get caught the same day. Other email systems such as Office 365 have similar app plugin systems that could be used to mount similar attacks on larger enterprise organizations,” he added.
“I also believe we will see an increase in targeting to make attacks more credible; whether using account takeover (ATO), social networks, or just publicly available information. As a result, more emails will look ‘right’ to the victim and fewer malicious emails will be reported. This will hamper traditional blacklisting-based methods, which depend on reporting.”
The good news is that Google fixed the issue very swiftly, releasing the following update on its Twitter feed:
“We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
Joe Ferrara, CEO of Wombat Security, argued that the best way of preventing an increasingly sophisticated breed of phishing attacks is by keeping training programs continuously updated.
“Humans will continue to make mistakes when it comes to phishing,” he said. “But it is possible for organizations to increase awareness and educate end users to make better decisions, fewer mistakes and alert the appropriate department about questionable emails so info security teams can become more proactive.”
Phishing was present in 21% of security incidents last year, an 8% increase on the previous year, according to Verizon.