Google has been praised for its swift action in shutting down a phishing email campaign that the company said reached about a million of its users, even though it was blocked within an hour of being reported.
“While contact information was accessed and used by the campaign, our investigations show that no other data was exposed,” Google said in a statement.
“There’s no further action users need to take regarding this event. Users who want to review third-party apps connected to their account can visit Google Security Checkup.”
Google said it had taken action to protect users against an email impersonating Google Docs, had disabled offending accounts, removed fake pages and pushed updates through Safe Browsing.
“Our abuse team is working to prevent this kind of spoofing from happening again,” the company said.
The phishing campaign was reportedly enabled by a weakness in Google’s third-party app registration that allowed the scammers to register a non-Google web app named “Google Docs”, so that Google’s own consent screen presented the attackers’ app under a trusted Google product name.
This is a prime example of a phishing attack using personal email to bypass corporate filters, said Brian Hanrahan, product manager at security firm Avecto.
“We’ve seen malware adapt to improving detection by switching tactics, and we can expect that phishing campaigns will resort to sophisticated, personalised social engineering campaigns to bypass technical and human detection,” he said.
The key takeaway, said Hanrahan, is that the attack uses low-risk file viewing activity to lure users to share credentials that they may not view as sensitive information.
Google offers comprehensive, easy-to-use multi-factor authentication options, he said, that would stop re-use of account credentials if stolen, and encouraged users of online services to use multi-factor authentication wherever it is available.
“Moving forward, we expect to see a broader range of phishing campaigns using messaging apps and social media to bypass corporate filters, and user awareness training is essential to make people an effective part of the kill chain,” said Hanrahan.
A ‘new breed of attack’
This attack is “different and scary” because of its ability to evade common defences and use Google application programming interfaces (APIs) to trick users into granting access, said John Wilson, field chief technology officer at email security firm Agari.
“The attack didn’t directly try to steal usernames and passwords like a typical phishing scam, but rather tricked users into allowing complete access to their email account,” he wrote in a blog post.
The risk to anyone who clicked on the fake Google Docs link, said Wilson, is that the cyber criminals behind the phishing campaign can use victims’ identity in an infinite number of ways, including scamming co-workers or relatives and resetting bank account passwords to steal money.
Anyone who clicked on the fake link should remove any apps connected to their account that they do not recognise, he said, through their account security settings.
Business G Suite administrators should open the Google Admin console, go to Reports, then Token, search for any apps authorised on 3 May and revoke them, he said.
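The two points above (that the lure asked for OAuth consent rather than a password, and that the fix is to find and revoke the offending grant) can be worked through in code. The following is an added example written for this article, not code from Google, Agari or the campaign itself: it parses a consent link of the kind the lure pointed at to show what the app actually requested, and then triages a list of token grants to find the ones an administrator should revoke. The record layout, user names, client ID and redirect host are constructed stand-ins and not the Admin SDK’s own field names.

```python
"""Triage OAuth app grants after a consent-phishing campaign.

Added example for this article (not Google's or Agari's code). The grant
record format is a constructed stand-in for whatever your token report
exports; the field names are assumptions, not the Admin SDK's schema.
"""
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Scopes that give an app the reach the fake "Google Docs" app asked for:
# full mailbox access plus the contact list it used to spread itself.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}
# Product names a third-party app has no business using as its own.
GOOGLE_PRODUCT_WORDS = ("google", "gmail", "docs", "drive")


def parse_consent_url(url):
    """Pull out the fields a user should read on an OAuth consent link.

    A genuine Google Docs share never routes through a third-party consent
    screen, so a consent URL whose client wants mail/contacts scopes is the tell.
    """
    q = parse_qs(urlparse(url).query)          # '+' in scope decodes to a space
    scopes = set(q.get("scope", [""])[0].split())
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": scopes,
        "broad": bool(scopes & BROAD_SCOPES),
    }


def suspicious_grants(grants, on_day):
    """Return (user, app_name, client_id) for grants to revoke.

    Heuristic: authorised on `on_day` (YYYY-MM-DD), app name borrows a Google
    product name, and the grant carries broad mail/contacts scopes.
    """
    hits = []
    for g in grants:
        day = datetime.fromisoformat(g["time"]).date().isoformat()
        name = g["app_name"].lower()
        if day != on_day:
            continue
        if not any(word in name for word in GOOGLE_PRODUCT_WORDS):
            continue
        if not set(g["scopes"]) & BROAD_SCOPES:
            continue
        hits.append((g["user"], g["app_name"], g["client_id"]))
    return hits


# Constructed sample grants (hypothetical users, client IDs and timestamps).
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app_name": "Google Docs",
     "client_id": "123456789012-example.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"],
     "time": "2017-05-03T19:12:40"},
    {"user": "bob@example.com", "app_name": "Slack",          # legitimate, narrow scope
     "client_id": "slack-example.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file"],
     "time": "2017-05-03T09:02:11"},
    {"user": "carol@example.com", "app_name": "Google Docs",  # same app, day before
     "client_id": "123456789012-example.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"],
     "time": "2017-05-02T23:58:01"},
]

# Constructed consent link of the kind the lure pointed at (hypothetical
# client ID and redirect host; the scopes are the real Gmail/contacts scopes).
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=123456789012-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs.example.invalid%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&response_type=code"
)

if __name__ == "__main__":
    info = parse_consent_url(SAMPLE_URL)
    print("consent asks for:", sorted(info["scopes"]), "broad:", info["broad"])
    for user, app, cid in suspicious_grants(SAMPLE_GRANTS, "2017-05-03"):
        print(f"revoke {app!r} ({cid}) for {user}")
```

Note that the date filter deliberately drops the grant from the day before: that is the search Wilson describes, but in practice the same client ID appearing outside the window is also worth revoking, which is why the function reports the client ID rather than just the display name.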
Wilson warned that this is likely the first of a new breed of attack, pointing out that other email systems such as Microsoft Office 365 have similar app plugin systems that could be used to mount similar attacks on larger enterprises.
This phishing campaign is a “stark reminder” of the importance of a multi-layered security approach when moving email to the cloud, said Dan Sloshberg, cyber resilience expert at email security firm Mimecast.
“It also highlights the need for ongoing education to help users spot the tell-tale signs of suspicious emails before clicking links or opening attachments. Employees must exercise the same caution when opening mail on personal email accounts as they do their corporate mail when using a work-issued PC.”
Organisations still fail to address phishing attacks, says report
The latest Verizon data breach investigations report (DBIR) highlights the continued threat that phishing poses and the increase in use of this form of attack.
The report shows that many organisations are still failing to deal with phishing attacks, despite the fact that the 2016 DBIR flagged the growing use of phishing techniques linked to software installation on a user’s device.
In the 2017 report, 95% of phishing attacks follow this pattern of phishing followed by software installation, and phishing was used in 43% of data breaches; it is common in both cyber espionage and financially motivated attacks.
Phishing was present in 21% of all security incidents, up from 8% the year before, a rise analysts attribute to the success rate it delivers.
The data shows that 7.3% of phishing attempts were successful, meaning the victim clicked on a link or opened an attachment sent by cyber criminals. Worse still, 6.5% of victims fell for the trap a second time, and 2% clicked more than three times.
The report also found that 81% of hacking-related breaches succeed through stolen, weak or easily guessable passwords, which could be prevented by better password hygiene, greater awareness of phishing or the use of two-factor authentication.
The most susceptible industry to phishing, according to the report, was the manufacturing sector, closely followed by information, retail and healthcare.