Google Neutralizes Phishing Scam

A phishing scam that surfaced recently used Google Docs in an attack against at least 1 million Gmail users.

However, that amounted to fewer than 0.1 percent of Gmail users were affected, according to the company.
Google last year put the number of active monthly Gmail users at more than 1 billion.

Google shut down the phishing scam within an hour, it said, through both automatic and manual actions. It removed the fake pages and applications, and it pushed updates through Safe Browsing, Gmail and other anti-abuse systems.

Users did not need to take any action on their own in response to the attack, Google said, but those who wanted to review third-party apps connected to their account could do so at its Security Checkup site.

Anti-Phishing Security Checks

Coincidentally, Google this week introduced a new anti-phishing security feature to Gmail on Android. The new tool delivers a warning when a user clicks on a suspicious link in an email message, alerting them that the site they're trying to visit has been identified as a forgery. Users can back away or continue to the site at their own risk.

Google is gradually rolling out the new feature to all G Suite users.

How the Docs Attack Went Down

This week's Docs attack was an effective approach to luring users before Google clamped down.

People got an email from someone they knew inviting them to click on a link to collaborate on a Google Doc.

Clicking on the "Open in Docs" link redirected them to a Google OAuth 2.0 page to authorize the Google Docs application, which was a fake.

The application stated that Google Docs would like to read, send, delete and manage the recipient's email and manage their contacts -- requests common to several applications that use Google as an authentication mechanism.

Once the permission was granted, the attacker gained access to the victim's address book, which allowed the attack to go viral swiftly.

The OAuth Vulnerability

The attack leveraged OAuth, "a ubiquitous industry standard protocol [that provides] a secure way for Web applications and services to connect without requiring users to share their account credentials with those applications," said Ayse Firat, director of analytics and customer insights at Cisco Cloudlock.

"Because it's so universally adopted by almost all Web-based applications and platforms, including consumer as well as enterprise applications such as Google Apps, Office 365, Salesforce, LinkedIn and many others, it provides a broad attack surface," she told TechNewsWorld.

OAuth 2.0 is highly sensitive to phishing because every website using it asks end users for the username and password of their master identity. Cisco CLoudlock has identified more than 275,000 OAuth apps connected to core cloud services, such as Office 365, compared with only 5,500 three years ago.

OAuth-based attacks "bypass all standard security layers, including next-generation firewalls, secure Web gateways, single sign-ons, multifactor authentication and more," Firat cautioned.

The Ramifications of Using OAuth

With software vendors increasingly putting their applications in the cloud, how great a risk do OAuth's vulnerabilities pose for end users?

"Most cloud services are pretty secure, and OAuth-based attacks likely will not be successful if services depending on the protocol are otherwise secured," said Michael Jude, a program manager at Stratecast/Frost & Sullivan.

OAuth authentication "is bigger than just online apps," he suggested. "It's also a basic establishment protocol that could become important in social media efforts to become more akin to common carriage operations for communications."
OAuth "has to be done right, or there's no future for social media-mediated communication services," Jude warned.

Protecting Against OAuth-Based Attacks

Organizations need to develop a high-level strategy as well as a specific application use policy to decide how they will whitelist or ban applications, and share this vision with their end users, Firat suggested.

Individual users should go into their Google account security settings and revoke permissions to applications they don't know or trust, she recommended. They also "should never grant permissions to applications that request excessive access."

Efforts have been launched to incorporate stricter security requirements into OAuth, Frost's Jude said, "but I haven't heard of any particular availability."

TechNewsWorld:

You Might Also Read:

Why SMEs Need Cyber Insurance:

Fake Microsoft Phishing Scam:

Why Spear-Phishing Hacks Are So Successful:

 

 

 

« Government Sponsored Cyber-insecurity Is A Gift For Hackers
Intelligence In The Age of Cyber Warfare »

Perimeter 81

Directory of Suppliers

WEBINAR: How to build an effective Cloud Threat Intelligence program in the AWS Cloud

WEBINAR: How to build an effective Cloud Threat Intelligence program in the AWS Cloud

Thursday, Jan 28, 2021 - Join this webinar to learn how to improve your Cloud Threat Intelligence (CTI) program by gathering critical cloud-specific event data in the AWS Cloud.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Service Supplier Directory

Cyber Security Service Supplier Directory

Free Access: Cyber Security Service Supplier Directory listing 5,000+ specialist service providers.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Malta Information Technology Agency (MITA)

Malta Information Technology Agency (MITA)

MITA is the central driver of Government Information and Communications Technology (ICT) policy, programmes and initiatives in Malta.

SAASPASS

SAASPASS

SAASPASS is a full-stack identity and access management solution, a single product which allows you to manage all your digital and physical access needs securely and conveniently.

Secure Chorus

Secure Chorus

Secure Chorus is a not-for-profit membership organisation for the development of strategies, common technology standards and tangible capabilities in the field of information security.

Naoris

Naoris

Naoris is the world’s first holistic blockchain-based cybersecurity ecosystem, bringing a game-changing solution to address 35 years of industry similar practice.

GuardRails

GuardRails

GuardRails provides continuous security feedback that empowers developers to find, fix, and prevent vulnerabilities.

Vilnius Tech Park

Vilnius Tech Park

The region‘s most complex and integrated ICT hub, Vilnius Tech Park aims to attract and unite innovative talent from big data, cyber security, smart solutions, fintech and digital design.

Business Hive Vilnius (BHV)

Business Hive Vilnius (BHV)

BHV is one of the oldest startup incubator and technology hubs in the Baltics, primarily focused on hardware, security, blockchain, AI, fintech and enterprise software.

Adlumin

Adlumin

Adlumin's cloud-native SIEM is built exclusively for financial institutions to help manage evolving threats and cybersecurity compliance requirements.