3 Things We Can All Learn from the Google Docs Phishing Scam
It was hard to miss the news about the Google Docs phishing scam last week. A hacker was able to gain full access to over a million Gmail accounts in under an hour without even needing the victims’ credentials. All they had to do was create a fake program they conveniently named “Google Docs”, send out an email to some people claiming they wanted to share a document with them, and hope the user clicked “Allow” to grant their malicious app access to their email and contacts. That’s either extremely impressive or extremely frightening, depending on how you look at it.
This was a relatively new type of attack known as “OAuth Phishing”, and many security experts agree it is the next big thing. OAuth is short for Open Authentication, and it’s the technology that allows apps to obtain access to online accounts without needing the user’s password once the user has authorized them. For example, Facebook games use OAuth to post statuses from other apps on your behalf.
A malicious application gaining access to your account via OAuth is extremely dangerous because it keeps that access even if you change your password. The app will continue to have access to your account until you specifically revoke access for that app. Because the Google Docs incident last week was so widespread, Google became aware of it quickly and had completely revoked the app’s access within a couple of hours, and there appears to have been no real damage caused.
However, this incident provides us all with some important lessons beyond current, well known precautions:
- Don’t blindly click a link or open an attachment in an email—even if it’s from someone you know.
  - Were you expecting this person to send you a link to a document right now? If not, it never hurts to call them to confirm. Unfortunately, replying to the email to ask isn’t always foolproof either—if the hacker has control of the mailbox, they can reply back saying “Yes, I sent you that link, it’s safe to click on.” We have seen this happen in the real world.
- If an application requests access to anything, stop and question why.
  - Hackers are now using the same legitimate applications their victims use to lull them into a false sense of security and trick them. In this case, the only fake thing was the app claiming to be “Google Drive”. Everything beyond that was an actual Google logon screen. The victims essentially told Google “Yes, please do allow this malicious application full access to my email and contacts”. It’s easy to get complacent and approve requests out of habit. Take a moment to really think about what the application is requesting.
- If asked to log in to something, stop and question why.
  - Oftentimes, phishing emails will present you with a fake login screen. It may look like Gmail or your bank, but it could be a fake site set up by the hacker to trick you into giving them your credentials. In this case, you were actually logging into Google, but everyone can now see how this can be equally damaging.
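The two lessons above (question what an app is requesting, and question where you are being asked to log in) can both be checked from the authorization link itself before anyone clicks “Allow”. The following is an added example, not code from the original post or from Google: it parses an OAuth 2.0 authorization URL and reports whether the consent screen is really Google’s and how broad the requested access is. The Google host, endpoint path and scope identifiers are assumptions of this example, and the sample URLs and client IDs are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Assumption of this example: Google's real OAuth 2.0 consent screen lives here.
# A login page on any other host is a fake login screen, however convincing.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Assumption of this example: scopes that hand an app broad access to a
# mailbox or address book, the kind of access the fake "Google Docs" asked for.
BROAD_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to Gmail",
    "https://www.googleapis.com/auth/contacts": "read and write all contacts",
}


def triage_oauth_request(url: str) -> dict:
    """Summarise what an OAuth authorization link is actually asking for.

    The result answers the two questions a reviewer should ask: is this
    consent screen really Google's, and how much access is being requested?
    A genuine Google screen still needs review when the scopes are broad.
    """
    parts = urlparse(url)
    params = parse_qs(parts.query)
    host = (parts.hostname or "").lower()
    is_google = parts.scheme == "https" and host in GOOGLE_AUTH_HOSTS
    scopes = params.get("scope", [""])[0].split()  # scopes are space-separated
    broad = {s: BROAD_SCOPES[s] for s in scopes if s in BROAD_SCOPES}
    return {
        "consent_screen_is_google": is_google,
        "client_id": params.get("client_id", [""])[0],
        "redirect_uri": params.get("redirect_uri", [""])[0],
        "scopes": scopes,
        "broad_scopes": broad,
        "needs_review": (not is_google) or bool(broad),
    }


# Constructed sample 1: a real Google consent screen, but the app wants mail + contacts.
SAMPLE_BROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=CONSTRUCTED-CLIENT-ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

# Constructed sample 2: a look-alike host, i.e. a fake login screen.
SAMPLE_FAKE_LOGIN = (
    "https://accounts.google.com.example.invalid/o/oauth2/v2/auth"
    "?client_id=CONSTRUCTED-CLIENT-ID&scope=openid%20email"
)

if __name__ == "__main__":
    for sample in (SAMPLE_BROAD_REQUEST, SAMPLE_FAKE_LOGIN):
        print(triage_oauth_request(sample))
```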
Shockingly, 91% of successful data breaches start with a spear-phishing email. Adding OAuth Phishing to the mix will unfortunately make it even easier to trick users, so it’s more important than ever to remain vigilant. It’s best to keep these additional precautions in mind. If you are ever unsure, please ask SUCCESS or your IT department to review a message—much better to be safe than sorry.