By Greg Leffler
Google recently made an unprecedented move by widely announcing a Gmail phishing scheme through Twitter. Learn more in our video below, and check out Google’s tweet.
The phishing message was especially nasty because of its polish. Uncharacteristically for phishing, there were few errors in the message, and it was created in a way that made it quite enticing to click on the “Google Doc” link and see what you were ostensibly sent from a trusted sender — someone in your contacts list, or in your organization.
Since the messages were sent by the attacker using OAuth credentials attached to legitimate Google accounts, the messages appeared to be (and technically were) from actual people that you should know, including showing their photo. Even checking the received headers and other technical steps you could take to verify the provenance of a message showed the message was legitimately sent through GMail… because it was. Clicking the “Open in Docs” button sent you into an OAuth flow asking for permission to tie your Google Account to a (fake) app called – wait for it – “Google Docs”. After receiving that, the fake app then requested access to your Gmail account. Once it had those permissions, it automatically started to mail the link to itself to everyone in your address book (then deleted the sent messages to try to avoid leaving a trace) – and if anyone clicked the link and authorized the app, it sent itself to all of those people, etc. etc. etc.
What lessons should we learn from this?
- Google absolutely must introduce at least some degree of filtering in OAuth application names. There is zero excuse for Google to let an app called “Google Docs” that isn’t from them ask for permission to connect to your account.
- Google should have noticed the behavior of this app and stopped it much more quickly than it did. Google appeared to respond to the attack and disable the fake OAuth app within a few hours, but automated systems should look very suspiciously upon any “app” that reads someone’s entire contact list and then attempts to send hundreds of emails. The legitimate use case for that seems pretty nonexistent.
- Users (that’s you) need to learn to never click on links in emails you aren’t expecting, and also to never grant access to your Google account to someone in response to an email you get, especially if they’re asking for access to your contacts or emails. There’s no legitimate reason to require this. I know, I’m screaming out “HEY USERS, BE SMARTER,” which doesn’t work. But: Hey, users, be smarter.
The payload of the attack appeared to just replicate the message (and phone home to Google Analytics to calculate statistics on how many suckers got hit,) from what little analysis we’ve seen, but there is real reason to be concerned. Access to your Gmail account is equivalent, in a lot of cases, for access to your entire digital life.
The attack payload could have waited to get a high-value account and forged a message saying basically anything. It could have read your email inbox and sent any message anywhere for its own analysis later. It could have emailed all your contacts your match.com messages, or emailed your boss your LinkedIn activity. Some versions of the attack even asked for Google Drive access – providing an easy way for the attacker to steal company secrets or proprietary data… or just delete it all and ruin your day.
We all really dodged a bullet here, but we need to continue to be vigilant. Be extremely cautious allowing anything access to your email account – if not for your own sake, for the sake of everyone who emails you.