The latest phishing scam going around has tricked over a million Google users into giving the scammers permission to access their Gmail account, contacts, passwords, and emails.
On Wednesday evening, reports of a new sophisticated Gmail phishing attack started to flood Twitter and social media around the world. The attack appeared to be an invite to Google Docs and would bring the user to the Google account login page, then ask for the user to grant account permissions.
Once permissions were given by the user, the attacker would have access to their Gmail accounts, contacts, passwords, and emails. The phishing email would then be automatically sent to all their contacts, continuing the vicious cycle.
The attack spread so fast because it bypassed many of the security checks that email security services put in place to stop phishing and other malicious emails.
Luckily for The Email Laundry customers, the phishing email hit many of our fraudulent “Google Docs” rules, leading to the attack being quarantined before it could affect users.
Google has since released a statement saying that they have resolved the issue, disabled the offending accounts, and removed the fake pages.
Why did the email get past so many other email security companies’ filters?
Phishing emails usually have identifiers that security companies can use to detect them before they reach the user’s inbox. These include:
- Suspicious content within the email, including phrases like “Wire-Transfer”
- Attachments that are in formats that usually contain malicious code or content
- Differing envelope senders and display senders
- Links containing bit-flipped and spoofed domains, such as goog1e.com
This attack bypassed these identifiers because it was sent from a legitimate email address (an already-infected contact), didn’t contain any suspicious phrases or attachments, and contained only authentic links.
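To make the four identifiers concrete, here is an added example (not The Email Laundry's code or its real rules): a small rule engine that checks suspicious phrases, risky attachment types, envelope/display sender mismatch and look-alike domains, run over two constructed messages. The first is a classic wire-transfer phish and trips every rule; the second is modelled on the Google Docs invite (real sender, real Google consent page, no attachment) and trips none of them. A fifth rule, whose logic is my assumption and only loosely modelled on the post's mention of a "fraudulent Google Docs" rule, looks for the one thing that is off in such an invite: a Google OAuth consent link whose redirect_uri points outside Google. All addresses, URLs and message text are constructed.

```python
"""Added example (not The Email Laundry's code or rules): rule checks for the
four phishing identifiers listed above, plus one assumed rule for OAuth consent
invites. Both messages, all addresses and all URLs are constructed samples."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import parse_qs, urlencode, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SUSPICIOUS_PHRASES = ("wire-transfer", "wire transfer", "urgent payment")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".hta", ".docm")
BRAND_DOMAINS = {"google.com", "gmail.com"}
# digits commonly substituted for look-alike letters in spoofed domains
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable(host):
    """Last two labels of a hostname: 'accounts.google.com' -> 'google.com'."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_hosts(text):
    """Hosts that match a brand domain only after homoglyph normalisation."""
    found = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        base = registrable(host)
        if base not in BRAND_DOMAINS and base.translate(HOMOGLYPHS) in BRAND_DOMAINS:
            found.append(host)
    return found


def classic_identifiers(envelope_from, msg):
    """Return the names of the post's four identifiers that fire on msg."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hits = []
    if any(p in body.lower() for p in SUSPICIOUS_PHRASES):
        hits.append("suspicious_content")
    if any((p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
           for p in msg.iter_attachments()):
        hits.append("risky_attachment")
    if parseaddr(msg["From"])[1].lower() != envelope_from.lower():
        hits.append("sender_mismatch")
    if lookalike_hosts(body):
        hits.append("lookalike_domain")
    return hits


def consent_redirect_rule(msg):
    """Assumed rule: a 'Google Docs' invite whose link is a Google OAuth consent
    request that sends the authorisation code to a redirect_uri outside
    google.com. Returns the offending redirect host, or None."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if "google docs" not in (msg["Subject"] + body).lower():
        return None
    for url in URL_RE.findall(body):
        u = urlparse(url)
        if u.hostname == "accounts.google.com" and u.path.startswith("/o/oauth2"):
            redirect = parse_qs(u.query).get("redirect_uri", [""])[0]
            rhost = urlparse(redirect).hostname or ""
            if registrable(rhost) != "google.com":
                return rhost
    return None


def build_message(sender, subject, body, attachment=None):
    """Build a constructed sample message, optionally with a binary attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "victim@example.com", subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed classic phish: spoofed display sender, look-alike link, .exe attachment
CLASSIC = build_message(
    "Accounts <accounts@goog1e.com>", "Urgent payment",
    "Please action this wire-transfer today: https://goog1e.com/pay",
    attachment="invoice.exe")
CLASSIC_ENVELOPE = "bulk@mailer.example"

# Constructed invite modelled on the Google Docs attack: genuine sender, genuine
# Google consent endpoint, no attachment; only redirect_uri leaves Google
CONSENT_URL = "https://accounts.google.com/o/oauth2/auth?" + urlencode({
    "client_id": "CONSTRUCTED-CLIENT-ID", "response_type": "code",
    "scope": "https://mail.google.com/ https://www.googleapis.com/auth/contacts",
    "redirect_uri": "https://docs-share-invite.example/callback"})
INVITE = build_message(
    "Mallory Contact <mallory@example.org>",
    "Mallory has shared a document on Google Docs with you",
    "Open in Docs: " + CONSENT_URL)
INVITE_ENVELOPE = "mallory@example.org"

if __name__ == "__main__":
    print(classic_identifiers(CLASSIC_ENVELOPE, CLASSIC))   # all four fire
    print(classic_identifiers(INVITE_ENVELOPE, INVITE))     # nothing fires
    print(consent_redirect_rule(INVITE))                    # the redirect host
```

The point of the two runs is the contrast: every classic identifier is silent on the invite because the sender, links and content are all genuine, so a filter has to reason about what the link does (a consent request handing access to a non-Google redirect) rather than about where it points.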
How was it able to appear so legitimate?
Most phishing attacks will contain malware to infect the user’s computer, or will direct the user to a phishing web page to collect their information; however, these attackers took advantage of Google’s integration with third-party applications instead.
This means that the pages users were directed to were authentic Google pages, including the account login screen.
If it used authentic Google pages, how did the actual phishing work?
The real kicker with this attack is that the third-party app the attackers developed was named “Google Docs”, causing users to assume they were granting permissions to the authentic Google service. Once the user granted the application permissions, it was able to quickly infiltrate their account and send the phishing email out to their contacts through their legitimate Gmail account.
What to do if you think you may be a victim
If you think your account may be compromised, go to the permissions page within your Google account settings and revoke access for the app named “Google Docs”. It is also a good idea to change your password and turn on Google’s 2-Factor Authentication to help prevent future attacks.
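For an administrator checking many accounts rather than clicking through one settings page, here is an added example (not The Email Laundry's or Google's code) of the same review as a script: it audits a constructed list of third-party apps authorised on an account, shaped like the entries on the account's app-permissions page, and flags any entry whose name impersonates a Google product or that holds full Gmail or contacts access. The record fields, the sample apps and the scope-to-description table are my assumptions; the check also goes slightly beyond the post by folding full-width and zero-width Unicode so a disguised spelling of "Google Docs" is still caught.

```python
"""Added example (not The Email Laundry's or Google's code): audit of the
third-party apps authorised on a Google account. The record layout, sample
apps and scope descriptions are constructed assumptions."""
import unicodedata

# Google's own services are not listed among third-party apps, so a third-party
# entry whose name matches one of these is impersonating it (assumption).
GOOGLE_PRODUCT_NAMES = {"googledocs", "googledrive", "gmail"}
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "read, send and delete all Gmail",
    "https://www.googleapis.com/auth/contacts": "read and edit contacts",
}
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)


def normalise(name):
    """Fold look-alike Unicode (full-width letters etc.), drop zero-width
    characters and whitespace, and casefold, so '\uff27oogle\u200bDocs' becomes
    'googledocs'."""
    folded = unicodedata.normalize("NFKC", name).translate(ZERO_WIDTH).casefold()
    return "".join(folded.split())


def audit_apps(apps):
    """Return (app name, action, reasons) for every app worth acting on.
    'revoke' when the name impersonates a Google product, 'review' when the
    app merely holds a sensitive scope."""
    findings = []
    for app in apps:
        reasons = [SENSITIVE_SCOPES[s] for s in app["scopes"] if s in SENSITIVE_SCOPES]
        if normalise(app["name"]) in GOOGLE_PRODUCT_NAMES:
            findings.append((app["name"], "revoke",
                             ["name impersonates a Google product"] + reasons))
        elif reasons:
            findings.append((app["name"], "review", reasons))
    return findings


# Constructed sample of an account's authorised third-party apps
SAMPLE_APPS = [
    {"name": "Google Docs", "granted": "2017-05-03",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"name": "\uff27oogle\u200bDocs", "granted": "2017-05-03",  # full-width G, zero-width space
     "scopes": ["https://mail.google.com/"]},
    {"name": "Mail merge helper", "granted": "2016-11-20",
     "scopes": ["https://mail.google.com/"]},
    {"name": "Calendar sync", "granted": "2016-01-05",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

if __name__ == "__main__":
    for name, action, reasons in audit_apps(SAMPLE_APPS):
        print(f"{action:6} {name!r}: {'; '.join(reasons)}")
```

Revoking the app only closes the door the attacker is holding open; the post's other two steps (a new password and 2-Factor Authentication) still apply, because the audit says nothing about what was read or sent while the grant was live.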