The Google Phishing Attack, Explained


Google recently made an unprecedented move by widely announcing a Gmail phishing scheme through Twitter.
The phishing message was especially nasty because of its polish. Uncharacteristically for phishing, there were few errors in the message, and it was created in a way that made it quite enticing to click on the "Google Doc" link and see what you were ostensibly sent from a trusted sender — someone in your contacts list, or in your organization.
Since the messages were sent by the attacker using OAuth credentials attached to legitimate Google accounts, the messages appeared to be (and technically were) from actual people that you should know, including showing their photo. Even checking the received headers and other technical steps you could take to verify the provenance of a message showed the message was legitimately sent through GMail... because it was. Clicking the "Open in Docs" button sent you into an OAuth flow asking for permission to tie your Google Account to a (fake) app called – wait for it – "Google Docs". After receiving that, the fake app then requested access to your Gmail account. Once it had those permissions, it automatically started to mail the link to itself to everyone in your address book (then deleted the sent messages to try to avoid leaving a trace) – and if anyone clicked the link and authorized the app, it sent itself to all of those people, etc. etc. etc.
What lessons should we learn from this?
  1. Google absolutely must introduce at least some degree of filtering in OAuth application names. There is zero excuse for Google to let an app called "Google Docs" that isn't from them ask for permission to connect to your account.
  2. Google should have noticed the behavior of this app and stopped it much more quickly than it did. Google appeared to respond to the attack and disable the fake OAuth app within a few hours, but automated systems should look very suspiciously upon any "app" that reads someone's entire contact list and then attempts to send hundreds of emails. The legitimate use case for that seems pretty nonexistent.
  3. Users (that's you) need to learn to never click on links in emails you aren't expecting, and also to never grant access to your Google account to someone in response to an email you get, especially if they're asking for access to your contacts or emails. There's no legitimate reason to require this. I know, I'm screaming out "HEY USERS, BE SMARTER," which doesn't work. But: Hey, users, be smarter.
The payload of the attack appeared to just replicate the message (and phone home to Google Analytics to calculate statistics on how many suckers got hit,) from what little analysis we've seen, but there is real reason to be concerned. Access to your Gmail account is equivalent, in a lot of cases, for access to your entire digital life.
The attack payload could have waited to get a high-value account and forged a message saying basically anything. It could have read your email inbox and sent any message anywhere for its own analysis later. It could have emailed all your contacts your match.com messages, or emailed your boss your LinkedIn activity. Some versions of the attack even asked for Google Drive access – providing an easy way for the attacker to steal company secrets or proprietary data... or just delete it all and ruin your day.
We all really dodged a bullet here, but we need to continue to be vigilant. Be extremely cautious allowing anything access to your email account – if not for your own sake, for the sake of everyone who emails you.
https://www.linkedin.com/pulse/google-phishing-attack-explained-greg-leffler?trk=eml-email_feed_ecosystem_digest_01-hero-0-null&midToken=AQGXVcoVMo9TCQ&fromEmail=fromEmail&ut=0siMdK9AGXY7I1

Comments

Post a Comment

Popular posts from this blog

Osun State University in Collaboration with British Computer Society

is offering   The British Computer Society Chartered Institute of IT Professionals Foundation in Business Analysis On successfully passing the examination, candidates will be awarded the Chartered Certificate of the Foundation in Business Analysis Candidates will also be awarded Associate Membership of the Chartered IT Professional (CITP) Registration is on !!! Registration can be made through the following link   https://docs.google.com/forms/d/e/1FAIpQLSc95O9kEpLfxtqpwV5ofhS-qVv3AlDk7T2SfVRRMm829-VKEw/viewform Note: F ee offered by Osun State University is very much less than the amount offered by the body in the UK. T his is because UNIOSUN is an accredited training provider (ATP). Examination date: September 28, 2020 Examination is online based accessible through individual computers Lecture materials can be obtained by enquiring email: patrick.ozoh@uniosun.edu.ng There are periodic classes on Skype Send enquiry to patrick.ozoh@uniosun.edu.ng  
Read more

Database PowerPoint Presentation Lectures by Dr Patrick Ozoh Dept of ICT Osun State University

A transaction is a sequence of DML commands that forms a logical unit of work Example: transferring money from one bank account to another Transaction Management A transaction is a sequence of DML commands that forms a logical unit of work Example: transferring money from one bank account to another Some Definitions Atomicity - a transaction must execute completely or not at all Consistency - once a transaction completes successfully, the database must be in a consistent state Isolation: A transaction must not be affected by other transactions that are executing concurrently Durability: Once a transaction compketes successfully, its effect must persist even in the presence of system failures Concurrency control Concurrency control is a database management systems (DBMS) concept meant to coordinate simultaneous transactions while preserving data integrity. Control protocols ensures atomicity, isolation, and serializability of concurrent transactions Concurrency control protoc
Read more

Osun State University in Collaboration with British Computer Society

Become a BCS Associate member for free on gaining a certification and enjoy all the benefits of membership Gain an internationally- recognized  certification, enabling you to take your skills around the world Map your skills and identify your goals along your career path by following the SFIAplus industry-standard framework Get certified !!! The British Computer Society Chartered Institute of IT Professionals Foundation in Business Analysis Register using the following link https://docs.google.com/forms/d/e/1FAIpQLSc95O9kEpLfxtqpwV5ofhS-qVv3AlDk7T2SfVRRMm829-VKEw/viewform Lecture materials can be accessed freely by joining the following link https://chat.whatsapp.com/9n1rTFD8dM97pLYJVEZQec  
Read more