A Look Back on the Google Phishing Attack

A massive and unusually sophisticated phishing campaign took place a few weeks ago targeting users of Google’s Gmail service. I wanted to look back and provide some thoughts on the attack and provide some tips so you can be prepared for the next attack.

The attack began around 4 pm on May 3rd as Gmail users received an email with an invite to a Google Doc that appeared to be from a person they would know. Attempting to access the Doc would direct the user to authorize a fake Google app that was hosted on an actual Google page. Once the app was authorized, the attacker would then draw from the user’s contacts to send the offending email to even more people.

Pretending to be a Google application, this phishing attack used the OAuth authentication interface, which is designed to allow users to log in without using a password. By abusing OAuth in this way the attacker was able to present a legitimate Google dialogue box requesting authorization. Once authorized, “Google Docs” could read all of your email and contacts and then self-propagated by sending more emails to the people in the contacts list.

Google acted quickly by disabling the application, deleting the developers’ account and marking the emails containing the link as Spam. At this time it is still unknown who started this attack or why.

Making sure that your company and its employees are safe on the internet is always a difficult task, especially when phishing attacks are becoming more sophisticated and are becoming near indistinguishable from legitimate emails. Training users, staying patched and deploying managed solutions for your email, workstations and more, are just some of the ways to help avoid and mitigate risks your organization is exposed to on the internet. Contacting Thrive today may be the step your organization needs to move forward with their technology.

Here are a few things to remember:

1. Always look at the permissions that an application is requesting when installing or authorizing an app. This particular application wanted full access to email and contacts.
2. Always hover over links and verify the destination when presented with an unknown link. Although this would not have helped in the above attack, this will still go a long way in making sure that you are safe.
3. Do not open attachments that you are not expecting. If you receive an email like this from a friend, reach out to them to make sure it’s real first – many affected users are not aware they send these malicious emails out.
4. Take a look at the applications that are already authorized. This applies to your mobile phone, Google account, Facebook account and many other places. It is a good idea to periodically check your security settings.
   To view authorized apps on Google go here – https://myaccount.google.com/permissions

For more advice and help to better prepare your business and employees contact Thrive today!