If you’ve received an email from a legitimate-looking email address in the past couple of days with a link to view a Google Docs file, don’t click the link. On Wednesday afternoon, several unsuspecting Gmail users discovered a seemingly innocuous email containing an invite to view a Google Docs file in their inbox. When the users clicked the link, they were taken to a real Google screen asking them to select one of their Google accounts, after which they were taken to the familiar OAuth consent page asking them to grant the application access to the account. The malicious application then gained access to the users’ contacts and sent them the same email.
Skyhigh’s Cloud Security Labs has been actively working with our customers to monitor the impact of this threat and provide recommended remediation action. This attack is significant due to the widespread use of Google’s email service for enterprises. Gmail is the third most popular collaboration cloud service used at enterprises. Threats that target Google’s services can potentially expose a significant amount of sensitive corporate data.
Of equal significance is the general lack of visibility enterprises have into cloud-to-cloud connections between platforms that store enterprise data such as Google Docs, Office 365, and Salesforce and third-party apps that connect to these platforms. The nature of these cloud-native ecosystems presents new security risks to enterprises as their existing network-centric security solutions do not have visibility into this activity to protect against threats.
Approximately a million Google users were impacted by the attack before Google shut down the application and took the appropriate remediation actions. In response to the attack, Google released the following statement:
We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.
Google followed that with:
We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.
The phishing scam was simple in execution but sophisticated in design. The attackers managed to create an application called “Google Docs” that bypassed Google’s app vetting process. The email itself looked eerily similar to what a legitimate Google Docs invite email would look like, including the button design.
Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON'T CLICK. pic.twitter.com/fSZcS7ljhu
— Zeynep Tufekci (@zeynep) May 3, 2017
Clicking the button took users to an actual Google page that was served from Google’s servers. This was followed by another genuine Google OAuth permissions page. The attackers even used the official Google Docs logo to trick their victims. Vigilant Google users may have noticed that when clicking the down arrow next to the Google Docs name, they would see the developer information, which wasn’t Google but a random person.
What’s the fallout?
Google sprang to action within an hour, shutting down the OAuth request and automatically revoking the permissions of the fraudulent application across all user accounts. According to Google, the app only accessed a user’s contact emails to further spread out the phishing email, raising the question: what was the purpose of this attack?
Phishing attacks may come in many forms, but they usually have a goal. In most cases, the attacker attempts to gain access to the login credentials of users, which can be sold on the Darknet for monetary gain. In other cases (the DNC hack, for example), the underlying goal may be to inflict political damage.
If Google is accurate in its assessment, then this attack seems like an outlier in that there isn’t a clear purpose behind the attack. While the attackers now have millions of email addresses, given the prevalence of exposed email addresses, there may not be a lot of value in them alone. However, if the attack was targeted at specific individuals (with the rest of the victims becoming collateral damage), as some have suggested, then this could have wide-reaching ramifications.
What can you do to protect yourself?
While Google has already removed the malicious application from their users’ accounts, there are a few steps organizations can take to help prevent the damage from similar attacks in the future:
- Adopt an “assume breach” mentality where you assume a breach has already occurred, and you’re just not aware of it yet. This ensures that your organization will remain vigilant.
- Ensure you have an incident response plan that can be mobilized when a breach is discovered.
- Gain visibility into the total number of users using personal, cloud-based shadow applications, such as Gmail.
- Augment anti-phishing training: Using OAuth to gain access to a user account is not a common tactic when it comes to phishing attacks, but it may become more prevalent in the future. Now is a good time to include OAuth training as part of any IT security training your employees are put through. This means educating employees on the kind of information they might accidentally be sharing about their accounts with third-party applications when they give those apps unnecessarily extensive access.
- When giving access permission to a third-party application within Google, ensure that the application was developed by a known and trusted party.
- Enforce a standard policy that restricts the number and types of applications that users can extend access permissions to within their corporate Google accounts.
- When using email monitoring tools, monitor OAuth requests being fulfilled by employees and executives.
- If you have not already done so, turn on enterprise-wide multi-factor authentication.
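The two recommendations about OAuth above (checking who actually developed an app before granting it access, and monitoring the OAuth grants your employees approve) can be turned into a routine audit. The following Python script is an added example and is not Skyhigh's or Google's code. It assumes that token authorization events have already been exported, for instance from the Google Workspace Admin console's token activity report, into dicts with the field names used in the constructed sample (those names, the client IDs and the timestamps are all assumptions). It flags grants to apps that borrow a Google product name without being an approved publisher, grants of contact or mail scopes to unapproved apps, and the spread pattern that characterised this campaign: one previously unseen client ID authorized by many distinct users within a short window.

```python
"""Audit third-party OAuth grants on a Google Workspace domain.

Added example, not Skyhigh's or Google's code. Assumes authorization
events have been exported into dicts with the keys used in SAMPLE_EVENTS;
those field names are an assumption, so map your real export onto them.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Scopes that let an app read contacts or send mail: exactly what a
# self-propagating consent phish needs to harvest and re-send itself.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://mail.google.com/",
}

# Product names a third-party app should never be allowed to claim.
PROTECTED_NAMES = ("google", "gmail", "docs", "drive")

# Client IDs your organisation has reviewed and approved (placeholder value).
APPROVED_CLIENT_IDS = {"111111111111-approvedcrm.apps.googleusercontent.com"}

# Constructed sample events; users, timestamps and client IDs are made up.
LOOKALIKE = "000000000000-lookalike.apps.googleusercontent.com"
WORM_SCOPES = ["https://www.googleapis.com/auth/contacts",
               "https://mail.google.com/"]
SAMPLE_EVENTS = [
    {"time": t, "user": u, "app_name": "Google Docs",
     "client_id": LOOKALIKE, "scopes": WORM_SCOPES}
    for t, u in [("2017-05-03T19:01:12+00:00", "alice@example.com"),
                 ("2017-05-03T19:03:40+00:00", "bob@example.com"),
                 ("2017-05-03T19:05:02+00:00", "carol@example.com"),
                 ("2017-05-03T19:09:58+00:00", "dave@example.com")]
] + [
    {"time": "2017-05-03T19:10:30+00:00", "user": "erin@example.com",
     "app_name": "Approved CRM",
     "client_id": "111111111111-approvedcrm.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
    {"time": "2017-05-03T19:12:00+00:00", "user": "frank@example.com",
     "app_name": "Expense Tracker",
     "client_id": "222222222222-expenses.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]


@dataclass
class Finding:
    user: str
    app_name: str
    client_id: str
    reasons: List[str] = field(default_factory=list)


def audit_grant(event: dict) -> Optional[Finding]:
    """Return a Finding if one authorization event looks risky, else None."""
    reasons = []
    name = event["app_name"].strip().lower()
    approved = event["client_id"] in APPROVED_CLIENT_IDS
    # A name like "Google Docs" on a client that is not an approved
    # publisher is the lookalike trick the developer-info dropdown exposes.
    if not approved and any(p in name for p in PROTECTED_NAMES):
        reasons.append("app name impersonates a Google product")
    granted = set(event["scopes"]) & SENSITIVE_SCOPES
    if granted and not approved:
        reasons.append("unapproved app granted mail/contacts scope(s): "
                       + ", ".join(sorted(granted)))
    if reasons:
        return Finding(event["user"], event["app_name"],
                       event["client_id"], reasons)
    return None


def audit_all(events: List[dict]) -> List[Finding]:
    """Run audit_grant over every event and keep the findings."""
    return [f for f in (audit_grant(e) for e in events) if f is not None]


def worm_like_clients(events: List[dict], window: timedelta = timedelta(hours=1),
                      min_users: int = 3) -> Dict[str, int]:
    """Unapproved client IDs authorised by >= min_users distinct users within
    `window` of their first appearance: the burst a consent worm produces."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client_id"]].append(
            (datetime.fromisoformat(e["time"]), e["user"]))
    flagged = {}
    for cid, grants in by_client.items():
        if cid in APPROVED_CLIENT_IDS:
            continue
        grants.sort()
        first = grants[0][0]
        users = {u for t, u in grants if t - first <= window}
        if len(users) >= min_users:
            flagged[cid] = len(users)
    return flagged


if __name__ == "__main__":
    for f in audit_all(SAMPLE_EVENTS):
        print(f"{f.user}: {f.app_name} ({f.client_id}) -> {'; '.join(f.reasons)}")
    print("worm-like clients:", worm_like_clients(SAMPLE_EVENTS))
```

The per-grant checks catch a single employee approving a lookalike app; the burst check is what would have surfaced this campaign early, since the same unknown client ID was being authorized by user after user within minutes. On a real export, feed the findings into your incident response process and revoke the flagged client's tokens from the Admin console rather than waiting for users to notice.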