Russian hackers resorted to a similar method to abuse the OAuth protocol to phish user accounts
Google Docs was pulled into a sneaky email phishing attack on Tuesday that was designed to trick users into giving up access to their Gmail accounts.
The phishing emails, which circulated for about 3 hours before Google stopped them, invited the recipient to open what appeared to be a Google Doc. The lure was a blue box that said, “Open in Docs.”
In reality, the link led to a dummy app that asked users for permission to access their Gmail account.
Users could easily have been fooled, because the dummy app was actually named “Google Docs.” It also asked for access to Gmail through Google’s real login service.
The hackers were able to pull off the attack by abusing the OAuth protocol, a way for web accounts at Google, Twitter, Facebook and other services to connect with third-party apps.
The OAuth protocol doesn’t transfer any secret information such as a password, but instead uses special access tokens that can open account access.
However, OAuth can be dangerous in the wrong hands. The hackers behind Tuesday’s attack appear to have built an actual third-party app that leveraged Google processes to gain account access.
“The attack is kind of clever and it exploits the ability for you to link your Google Account to a third-party application,” said Mark Nunnikhoven, vice president of cloud research at security firm Trend Micro.
Exploiting OAuth for account access is particularly devious because it can bypass the need to steal someone’s login credentials or even Google’s 2-step verification.
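As an added defender-side example, not code from the article or from Google, the script below triages a link of the kind behind the “Open in Docs” button: it recognises a Google OAuth consent request and flags broad Gmail or contacts scopes and redirects to unfamiliar hosts. The consent endpoint host and scope URIs are Google's real ones; the redirect allowlist, client id and sample links are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Google's consent endpoint lives on this host (real); the redirect allowlist is
# constructed for this example and would be populated per organisation.
AUTH_HOSTS = {"accounts.google.com"}
TRUSTED_REDIRECT_HOSTS = {"docs.google.com"}

# Real Google scope URIs; the labels are assumptions about why each is risky.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/contacts": "contact list (next victims)",
}


def triage_oauth_link(url: str) -> dict:
    """Classify a link; findings are empty when nothing looks risky."""
    p = urlparse(url)
    if p.hostname not in AUTH_HOSTS or not p.path.startswith("/o/oauth2/"):
        return {"oauth": False, "findings": []}
    q = parse_qs(p.query)
    findings = []
    # scope is a space-separated list; parse_qs has already URL-decoded it
    scopes = set(" ".join(q.get("scope", [])).split())
    for s in sorted(scopes & set(HIGH_RISK_SCOPES)):
        findings.append(f"requests {HIGH_RISK_SCOPES[s]}: {s}")
    for r in q.get("redirect_uri", []):
        host = urlparse(r).hostname or ""
        if host not in TRUSTED_REDIRECT_HOSTS:
            findings.append(f"redirect_uri points off-platform: {host}")
    if not q.get("client_id"):
        findings.append("missing client_id")
    return {"oauth": True, "findings": findings}


# Constructed sample: what an "Open in Docs" button in the phishing mail might resolve to.
PHISH_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
    "&client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Funverified-app.invalid%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
# Constructed benign comparison: a genuine document link, not a consent request.
DOC_LINK = "https://docs.google.com/document/d/PLACEHOLDER-DOC-ID/edit"

if __name__ == "__main__":
    for link in (PHISH_LINK, DOC_LINK):
        print(triage_oauth_link(link))
```

The same findings list can be fed to a mail gateway rule or shown to the user as a consent-screen warning; it keys on what the app asks for, which is exactly what a convincing app name hides.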
Last month, Trend Micro said a Russian hacking group called Fancy Bear was using a similar email attack method that abused the OAuth protocol to phish victims.
However, security experts said Tuesday’s phishing attack probably wasn’t from Fancy Bear, a shadowy group that many experts suspect works for the Russian government.
“I don’t believe they’re behind this … because this is way too widespread,” Jaime Blasco, chief scientist at security provider AlienVault, said in an email.
On Tuesday, many users on Twitter, including journalists, posted screenshots of the phishing emails, prompting speculation that the hackers were harvesting victims’ contact lists to target additional users.
The attack was also sent through an email address at “email@example.com.” Mailinator, a provider of a free email service, denied any involvement.
Fortunately, Google raced to stop the phishing attacks after a user on Reddit posted about them.
“We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again,” Google said in a statement.
Security experts and Google recommend that affected users check which third-party apps have permission to access their account and revoke any suspicious access. Users can do so by visiting this address, or by performing a Google security check-up.
It’s also good practice to be careful around suspicious-looking emails. Many hacking attempts, including malware infections, come through links or attachments sent over email.
Security companies are warning that other hackers may conduct similar phishing attacks abusing OAuth, not just through Google, but with Facebook and LinkedIn.
“Like all other creative, novel approaches, it’ll likely be heavily copied soon,” Cisco’s Talos security group said in a blog post. Talos has identified over 275,000 applications that use OAuth and connect to the cloud.
But even if Tuesday’s attack may have been novel, the risks with OAuth are hardly new. Security experts have warned in the past that users may be phished through manipulation of OAuth to grant permissions to the wrong party.
In response to such attacks, Google said last month that it reviews any OAuth abuse and takes down thousands of apps that violate its user data policy, including those that impersonate company products.
Tuesday’s phishing scheme will probably push Google to adopt an even stricter stance on apps that use OAuth, said Robert Graham, CEO of research company Errata Security.
However, the internet giant has to strike a balance between ensuring security and fostering a thriving app ecosystem.
“The more vetting you do, the more you stop innovation,” Graham said. “It’s a trade-off.”