On May 3rd 2017, 0.1% of Google's Gmail users were victimized by a fake Gmail phishing scam that stole OAuth tokens (Open Authorization tokens, which grant an application access to an account without ever needing the password) and gave spammers access to the recipients' emails, logins, contacts and online documents via a very convincing fake document-sharing attachment.
Some of the flags that revealed the emails as fake were that the email asked for a Gmail address, that the "TO" address was a Mailinator account, and that the developer of the document was listed as Eugene Pupov, a student in the UK. Furthermore, spam domains impersonating Google Docs, Google Cloud and the like were in use, and were taken down within 15 minutes of the spam attack.
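The indicators above (a throwaway recipient mailbox in the To header, Google branding on a sender or link that does not belong to Google) can be turned into a mechanical triage check. The following is an added example and not code from the original post; the sample messages, addresses and hostnames are constructed placeholders, and the lists of disposable domains and genuine Google suffixes are assumptions to be replaced with an organization's own data.

```python
import email
from email import policy
import re
from urllib.parse import urlparse

# Constructed sample modelled on the indicators described above: the visible
# recipient is a throwaway Mailinator mailbox (real targets sat in Bcc) and the
# "open document" link points at a Docs-themed host that is not Google's.
SAMPLE_EMAIL = """\
From: "Google Docs" <docs-share@example-spoof.test>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: A document has been shared with you
Content-Type: text/plain

Someone has invited you to view a document.
Open in Docs: https://docs-google-share.example.test/oauth/consent
"""

# Constructed benign counterpart: same branding, but sender and link hosts are Google's.
LEGIT_EMAIL = """\
From: "Google Docs" <drive-shares-noreply@google.com>
To: alice@example.test
Subject: A document has been shared with you
Content-Type: text/plain

Alice, a colleague shared a document with you.
Open in Docs: https://docs.google.com/document/d/PLACEHOLDER-ID/edit
"""

DISPOSABLE_DOMAINS = {"mailinator.com"}  # assumption: extend with a real disposable-domain list
TRUSTED_GOOGLE_SUFFIXES = ("google.com", "googleusercontent.com")  # assumption: treated as genuine
BRAND_WORDS = ("google", "docs", "gmail", "drive")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host_is_google(host):
    """True if host is one of the trusted Google suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_GOOGLE_SUFFIXES)


def phishing_indicators(raw):
    """Return a list of indicator tags found in a raw RFC 822 message (empty = none hit)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Recipient is a disposable mailbox: the real victims were hidden in Bcc.
    to_header = msg["To"]
    for addr in (to_header.addresses if to_header is not None else ()):
        if addr.domain.lower() in DISPOSABLE_DOMAINS:
            findings.append(f"to-header-disposable:{addr.addr_spec}")

    # 2. Display name claims Google branding but the From domain is not Google's.
    from_header = msg["From"]
    for addr in (from_header.addresses if from_header is not None else ()):
        name, domain = addr.display_name.lower(), addr.domain.lower()
        if any(w in name for w in BRAND_WORDS) and not _host_is_google(domain):
            findings.append(f"from-brand-mismatch:{domain}")

    # 3. Links with Google branding in the hostname that resolve to a non-Google host.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(w in host for w in BRAND_WORDS) and not _host_is_google(host):
            findings.append(f"lookalike-link:{host}")

    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_EMAIL), ("benign", LEGIT_EMAIL)):
        print(label, phishing_indicators(sample))
```

The third check is the one that matters for an OAuth lure: the link leads to a consent page rather than a password prompt, so a filter that only looks for credential-harvesting forms never fires. Flagging branded hostnames outside the genuine suffixes catches the consent-page redirect regardless of what the page itself asks for.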
Google itself took the attack quite seriously, going on to facilitate a live Q&A regarding the scheme and its use of Open Authorization tokens, and offering the following statement:
We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.
What Next for Phishing?
The recent Gmail phishing scandal impacted 0.1% of the 1 billion Gmail accounts active on Google's service. The scam spread from journalists, to government users, to businesses, to the everyday user, much like the "FWD:FWD" emails of the past and the infamous "Nigerian Prince" mail scams. Phishing, then, is not a new technique. That said, the recent DNC email leaks and the French election email leaks were both the byproduct of successful phishing campaigns. The scary part is that users often grant the perpetrator access of their own volition, because they cannot distinguish what is real from what is fake; as the Gmail scheme showed, a well-designed lure looks perfectly normal to the average user, let alone to a user who is unfamiliar with how Google and similar providers configure their accounts.
Heck, Minnesota alone has lost an estimated 90,000 USD after 2,500 government employees received and opened the emails, and Facebook and Google themselves have suffered a recent 1 million USD loss after falling for a phishing scheme targeted at their businesses. Thus, with a system that is easy to automate and the ability to cast a huge net over potential victims, phishing will only continue to thrive and become more prevalent in the online-equipped world.
What To Do?
In short, educating the common user will pay off the most in the long run. The better a user can verify and distinguish a legitimate email from a fake one, the harder it will be for them to fall for a phishing link, and the more damage to their account, their reputation, or their company's data and reputation is prevented. At the same time, companies such as Google, Facebook, Apple, PayPal and the like share the burden of educating their clients and training their workforce in proper phishing detection and in application and architecture security, to ensure that phishers and crackers cannot gain the access or capability needed to run a phishing scheme or to obtain elevated access to personal or client data.