On May 3rd, news started to break that there was a new kind of phishing attack aimed at Google users via Gmail and Google Drive/Docs. I first saw a report on the Google Docs phishing attack in a post on r/Google. The author detailed (with screenshots) how attackers attempted to get control of his Google account.
The scary part of this is that it abused existing Google systems to gain access to the accounts of anyone who clicked their way through the “Allow” screens thinking they were about to get to a document sent by a friend or colleague. It even bypassed login verification and 2-Factor Authentication mechanisms that may have been in place to protect the account. It is a reminder that many attacks aren’t really “hacks” so much as social engineering where the attacker tricks the victim into giving them exactly what they want.
To Google’s credit, a Google employee saw the Reddit thread and pushed it to the right people. The exploit was fixed in less than 30 minutes from that point.
We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.
Google’s Official Statement
Sign of the Times
This attack, though short-lived, is an example of what is to come. As the world becomes more connected through cloud services, there are going to be new ways to exploit those connections. The process of sharing permissions to view your accounts, or use your privileges in some way is at the core of the way we use the internet in our multi-device era. The tech giants, like Google, will continue to find safer ways to provide service; however, it will always be up to individual users to protect themselves and their data.
Tips to Avoid Phishing Through Cloud Services
Common sense and a bit of technical knowledge go a long way. In this case, and in most phishing attacks, there are clues that the request might not be legitimate. I’ve written extensively on the topic of phishing already, but here are some of the key principles.
- Take Your Time: Phishing attacks often prey upon people in a rush. Don’t start clicking buttons or links without first verifying where those links will take you, or who the message came from. If you don’t know where a link will take you, then don’t click on it. Ask someone for help, or find some other way of getting where you need to go.
In this Google Docs phishing case, there were several clues, and the people who caught them were saved from falling victim to the attack. For example, despite appearing to come from a person known to the recipient, the message only reached the recipient as a “BCC”. The visible “To” address was “firstname.lastname@example.org”.
Again, if the To, From, or CC fields contain people you do not recognize, or that seem suspicious, then you should contact the sender to verify the authenticity of their request.
- Be Stingy When it Comes to Permissions: These days it feels like every app and website is asking you to “Sign in with Facebook” (or Twitter, Google, etc.). The more places you allow to access those accounts, the more at risk you are for abuse. This is particularly noteworthy when it comes to Google. If you use Gmail for email, then pairing your Google account with other services can potentially give those places access to your emails. Read the permissions list very carefully before accepting.
- Don’t Take Log-in Shortcuts: If the service allows you to make an account for their site, rather than using a social sign-in, then always take that option unless you need to make use of the connected account feature. If it is just a painless way to log in, and one less password to remember, then it isn’t worth the risk. Only connect accounts when you are going to utilize the connection in some meaningful way.
- Cybersecurity Starts with Your Email: Your email address is your most common username across the web. It is also the way to reset passwords to most of the services you use. If your email is compromised, then the attacker can typically use that account to reset your passwords on lots of other services. This is how you lose control of your online identity.
Be vigilant when it comes to protecting your email. Use every security layer and opportunity offered by your email provider and do your best not to click on risky links.