Persevering for Phishing: Google Doc Phishing Scandal and the Future of Phishing Schemes

On May 3rd 2017, fewer than 0.1% of Google's Gmail users were hit by a phishing campaign that never asked for a password. The lure was a very convincing fake "document shared with you" email. Its link led to Google's genuine sign-in and consent flow, where a third-party application calling itself "Google Docs" requested access to the recipient's Gmail and contacts. Anyone who clicked Allow handed the attackers an OAuth token (Open Authorization: a credential that lets an application act on an account without ever seeing the password), which gave the spammers access to the victim's email and contacts and, with those, the ability to send the same lure to everyone in the address book.

[Image: gdocs_phishing]
The fake access-granting screen. Google's own Docs never needs to ask for this: by signing up for Gmail, a user has already granted Google's own applications access to Docs and the rest of the account, so a prompt in which "Google Docs" asks for permission to read your email and manage your contacts is itself the tell.
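The consent screen above paraphrases an authorization URL that the lure link opened. The following script is an added example (not code from the original post or from Google) showing how to pull the requested scopes and the redirect target out of such a URL before anyone clicks Allow. The scope identifiers are Google's real ones; the risk ranking, the trusted-domain list, the `client_id` values and both sample URLs are constructed for this illustration.

```python
from urllib.parse import urlparse, parse_qs

# Google's real scope identifiers. The consent screen paraphrases them as
# "Read, send, delete and manage your email" and "Manage your contacts";
# treating them as high risk is this example's own judgement.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full access to Gmail (read, send, delete)",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Google's OAuth 2.0 authorization endpoint host.
AUTH_HOST = "accounts.google.com"


def inspect_consent_request(url, trusted_redirect_domains):
    """Summarise what a Google OAuth 2.0 authorization URL asks the user to grant.

    trusted_redirect_domains: domains that your own applications redirect to
    after consent (assumption: the organisation maintains this allow-list).
    Returns the requested scopes, the high-risk ones, the host that will
    receive the authorization code or token, and a list of findings.
    """
    parts = urlparse(url)
    query = parse_qs(parts.query)
    scopes = query.get("scope", [""])[0].split()     # scope is space-delimited
    redirect = urlparse(query.get("redirect_uri", [""])[0])
    findings = []

    # A consent page that is not served by Google is a plain fake login page.
    if parts.hostname != AUTH_HOST:
        findings.append("not_google_authorization_endpoint")

    # Scopes that hand over account contents rather than just an identity.
    risky = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    if risky:
        findings.append("grants_account_content_access")

    # Whoever controls redirect_uri receives the token; it should be one of
    # our own hosts over HTTPS.
    host = (redirect.hostname or "").lower()
    trusted = any(host == d or host.endswith("." + d) for d in trusted_redirect_domains)
    if not host or redirect.scheme != "https" or not trusted:
        findings.append("redirect_outside_trusted_domains")

    return {"scopes": scopes, "risky": risky, "redirect_host": host, "findings": findings}


# Constructed sample URLs (RFC 2606 example domains, made-up client_id values).
SUSPECT = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=1234.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

OWN_APP = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=5678.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fsso.example.com%2Foauth2callback"
    "&response_type=code&scope=openid%20email"
)

if __name__ == "__main__":
    for label, url in (("suspect", SUSPECT), ("own app", OWN_APP)):
        report = inspect_consent_request(url, {"example.com"})
        print(label, report["redirect_host"], report["findings"])
        for scope, meaning in report["risky"].items():
            print("   ", scope, "->", meaning)
```

The combination the campaign relied on is the one the first sample produces: the page really is Google's, yet the application wants full mailbox and contact access and will send the resulting token to a host nobody in the organisation owns. The second sample shows a normal single-sign-on request that only asks for an identity.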

Several flags marked the emails as fake: the email asked for a Gmail address; the "To" line was addressed to a Mailinator throwaway account rather than to the actual recipient; and the application requesting access listed its developer contact as Eugene Pupov, a student in the UK. Furthermore, spam domains impersonating Google Docs, Google Cloud and the like were in use and were taken down within 15 minutes of the spam wave.

Google itself took the attack seriously, running a live Q&A about the scheme and its abuse of OAuth tokens, and issued the following statement:

We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.

What Next for Phishing?

The recent Gmail phishing scandal reached fewer than 0.1% of the roughly 1 billion Gmail accounts active on Google's service. It spread from journalists to government users to businesses to everyday users, much as the "FWD:FWD" chain mails and the infamous "Nigerian Prince" scams once did. Phishing, then, is not a new technique; the recent DNC email leaks and the French election email leaks were both the product of successful phishing campaigns. What makes this variant frightening is that victims grant the attacker access of their own volition, because they cannot tell real from fake. No password was typed and no counterfeit login page was involved: the consent screen was Google's own, and the only fake thing on it was the name of the application asking. That looks entirely normal to the average user, let alone to one unfamiliar with how Google and similar providers configure account permissions.

Heck, Minnesota alone lost an estimated 90,000 USD after 2,500 state government employees received and opened the emails, and Facebook and Google themselves recently lost more than 100 million USD to a fake-invoice scheme targeted at their businesses. Because phishing is cheap to automate and casts a huge net over potential victims, it will only continue to thrive and become more prevalent as more of the world comes online.

What To Do?

In short, educating the ordinary user will pay off the most in the long run. The better a user can verify that an email is legitimate, the harder it is for them to fall for a phishing link and the less damage is done to their account, their reputation, or their company's data and reputation. For this scheme the check was not the usual "look at the URL"; the question to ask is why an application called "Google Docs" needs permission to read your email and contacts, and a grant approved by mistake should be revoked through the connected-apps review that Google's Security Checkup links to. Companies such as Google, Facebook, Apple and PayPal share that burden: they must train their own workforces in phishing detection, and build their applications and architecture so that phishers and crackers cannot run a scheme under the provider's own name or gain elevated access to personal or client data.


Links:

Detailed Threatpost Overview

Knowing Phishing and How to Avoid It

Gizmodo’s Take on the Google Scandal

More details on Google OAUTH Flaws
