By Chester Wisniewski, Principal Research Scientist, Sophos.
Just a few days ago, Google users were hit with an extremely convincing and sophisticated attack.
This has garnered a lot of attention, and most of the headlines are calling it a phishing scam when, in fact, it is not. According to Chester Wisniewski from Sophos, it is an attack on Google’s APIs. To clarify and provide a voice of reason, we’ve got the below commentary, to be attributed to Chester Wisniewski, Principal Research Scientist, Sophos.
Security firm Sophos has prepared the following commentary regarding the Google Doc news. If you’re working on an update to the story, here are some data points for your piece.
First and foremost, this is an abuse of Google’s APIs. While at first glance it appears to be a phishing attack, the emails come from Google and you are logging into the real Google.
Systems that let anyone sign up as an OAuth application developer have been vulnerable to this type of attack for a long time, and the onus is on Google to do a better job of vetting application developers. This is no different from the abuse of the Google Play store by malware authors.
There is very little individuals can do other than be forever suspicious about legitimate requests from services provided by Google, Twitter, Facebook and other online services that use OAuth with an un-vetted application developer program.
Twitter’s users were attacked using these techniques a few years back. Unfortunately, Google has now fallen victim to a similar attack vector. When official emails from Google and official login pages are used in scams, the goodwill Google has earned from its users is put at risk.
All providers of OAuth have a responsibility to police the use of their platforms to stop users from being tricked through official requests from services like Google, Twitter and Facebook. We do suggest that users keep an eye on social media. As the Google Doc “phishing” attempt demonstrates, Twitter is a great early-warning system.
There’s little doubt that the tweeted warnings saved people from being victimised.
As a reminder, users should check the apps they have approved to access their accounts and remove anything that may be suspicious on all OAuth-based platforms.
For Google it is under your Google account -> Sign-in & Security -> Connected apps & sites. On Twitter and Facebook it is Settings & Privacy -> Apps.
Here’s how this type of attack worked:
1. You get a real email from Google saying someone wants to share a file with you.
2. You get sent to a real Google login page and sign in.
3. You get a prompt that an "add-on" wants access to your mail and contacts. The developer name is listed as "Google Docs," but it could say anything (this is where Google could do more to prevent this).
4. The only way to even attempt to check whether it is real is to click on "Google Docs" and see the actual account that created the request, but that could say many believable things, and there is no specific thing to watch for.
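As an added illustration, not part of the Sophos commentary, the helper below parses the OAuth 2.0 authorization URL behind a consent prompt like the one in step 3 and reports what a user is about to grant: which requested scopes reach mail or contacts, and which host the grant is actually delivered to (the `redirect_uri`), which is the only clue the developer cannot simply type in. The Google scope URIs are real; the client ID, redirect host and sample URL are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Google API scopes that reach a user's mail or contacts. The scope URIs are
# real Google scopes; the one-line descriptions are this example's own.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/gmail.readonly": "read Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}


def assess_consent_request(url: str) -> dict:
    """Summarise what an OAuth 2.0 authorization URL would grant.

    Returns the requested scopes, the sensitive ones with a description,
    the host named in redirect_uri (the party that actually receives the
    grant) and warnings a reviewer should weigh before clicking Allow.
    """
    params = parse_qs(urlparse(url).query)
    # 'scope' is a space-separated list (RFC 6749 s3.3); parse_qs has decoded it.
    scopes = params.get("scope", [""])[0].split()
    sensitive = {s: SENSITIVE_SCOPES[s] for s in scopes if s in SENSITIVE_SCOPES}
    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).hostname or ""
    warnings = []
    if redirect_host:
        # The app name on the consent screen is chosen by the developer; the
        # redirect_uri is where the access token is delivered, so it is the
        # only verifiable clue about who is really asking.
        warnings.append(f"grant is delivered to {redirect_host}, whatever the app calls itself")
    wants_mail = any("mail" in s for s in sensitive)
    wants_contacts = any("contacts" in s for s in sensitive)
    if wants_mail and wants_contacts:
        warnings.append("mail and contacts together: exactly what the fake Google Docs app requested")
    return {"scopes": scopes, "sensitive": sensitive,
            "redirect_host": redirect_host, "warnings": warnings}


# Constructed sample: a consent URL shaped like the one behind the prompt in
# step 3. The client_id and redirect host are placeholders, not incident data.
SAMPLE_URL = "https://accounts.google.com/o/oauth2/auth?" + urlencode({
    "client_id": "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com",
    "response_type": "code",
    "redirect_uri": "https://app.example.invalid/callback",
    "scope": "https://mail.google.com/ https://www.googleapis.com/auth/contacts",
})

if __name__ == "__main__":
    for line in assess_consent_request(SAMPLE_URL)["warnings"]:
        print("WARNING:", line)
```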
The only reliable way to not fall victim is to never accept apps that connect to your account and request access to read or write your mail and contacts, or just about anything else they might ask for. The exception is when you are specifically trying to hook into some new service, and even then you may not be able to trust it.
When attacks like this happen, it’s a good reminder to go back to your social media accounts and review what applications you’ve given permission to access your information and revoke permission if you no longer trust or use that particular app.