Yesterday was a bad day for some Google users. News spread quickly about a phishing attack within the Google system. Estimates now say only 0.1% of users were affected. But, at a billion users, that still equates to a million people whose data security was violated. Phishing attacks are nothing new, so why is this one such big news?
The phishing hack spread via a Google Doc link that was emailed to Gmail users. It appeared to be from another user wishing to share the doc. Those who clicked on the link were subject to data theft, although the actual intent of the hack is yet to be determined.
What makes this phishing attack so different?
"The attack appears to work by tricking you into logging into your actual Google account, then granting a third party (your attacker) access to your account's data. Having gained permission to access your contacts, the attacker then fires off spam invites to everyone in your address book.
What makes this attack so tricky to detect is that it takes advantage of Google's legitimate tool for sharing data with responsible third-party apps. Since the bogus invitation is being routed through Google's real system, nothing is misspelled, the icons look accurate, and it's hard to know something's gone wrong until it's too late." (Washington Post)
"The responsible group is "using an innovative type of credential phishing technique that takes advantage of the Open Authentication (OAuth) standard to gain back-end access to user email accounts.
This is a significant improvement in the traditional phishing lure. Because "OAuth phishing" avoids the typical red flags users have grown accustomed to with email phishing (that is, unfamiliar or spoofed URL link, sign-in request, or attached file), it is likely to have a higher rate of success and may even confound more experienced and competent users, such as upper management and those who have undergone security awareness training.
OAuth phishing exploits the trust relationship users have with well-known online service providers, as well as the trust relationship those providers have with their own third-party applications. By sending the target an OAuth permission request for an approved application, the attacker is able to bypass all of the traditional warning signs users have been trained to look for when opening emails. Therefore, the email redirects the user to a legitimate Web domain (example: accounts.google.com) that is hosted over an encrypted HTTPS connection. Additionally, there is no need for the user to enter a password because the app is using OAuth tokens instead.
Everything about this will look aboveboard to a person who doesn't have a background in security. Making matters worse, the attacker is able to maintain access to the user's email account even after multiple password resets, because the only way to expel him is to revoke access within the user's account settings." (Dark Reading)
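The persistence described in the quoted passage above, as an added example written for this post (not code from Google or from either cited source): a small model of an account's OAuth grants showing that a password reset leaves grants active while revocation removes them, plus an audit that flags grants pairing sensitive scopes with a first-party lookalike name. Scope strings, app names and client ids are constructed placeholders.

```python
from dataclasses import dataclass, field

# Scopes giving the back-end access the quoted passage describes (reading mail,
# harvesting contacts). Illustrative strings, not Google's real scope URIs.
SENSITIVE_SCOPES = {"mail.readonly", "mail.send", "contacts.readonly"}
# Product names a genuine third-party app would not use (hypothetical list).
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail"}

@dataclass
class Grant:
    app_name: str
    client_id: str
    scopes: set
    revoked: bool = False

@dataclass
class Account:
    user: str
    password_hash: str
    grants: list = field(default_factory=list)

    def reset_password(self, new_hash: str) -> None:
        # A reset replaces the credential only; OAuth grants are untouched,
        # which is why the attacker keeps access after multiple resets.
        self.password_hash = new_hash

    def active_grants(self) -> list:
        return [g for g in self.grants if not g.revoked]

    def revoke(self, client_id: str) -> int:
        # Revoking in account settings is the step that actually expels the app.
        hits = [g for g in self.active_grants() if g.client_id == client_id]
        for g in hits:
            g.revoked = True
        return len(hits)

def suspicious_grants(account: Account) -> list:
    """Flag active grants that combine sensitive scopes with a first-party
    lookalike name, the pattern behind the bogus 'share a doc' invitation."""
    return [g for g in account.active_grants()
            if g.app_name.strip().lower() in FIRST_PARTY_NAMES
            and g.scopes & SENSITIVE_SCOPES]

def build_sample() -> Account:
    # Constructed sample data; client ids are placeholders, not real values.
    return Account("alice@example.com", "hash-1", [
        Grant("Calendar Sync Pro", "client-calendar-0001", {"calendar.readonly"}),
        Grant("Google Docs", "client-lookalike-9999",
              {"mail.readonly", "contacts.readonly"}),
    ])
```

Running the audit before and after a password reset shows the lookalike grant survives the reset and disappears only once it is revoked.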
We are witnessing the evolution of cyberattacks. This will not be the last OAuth-based attack we see; it is more likely just the beginning. It is critical that you and your staff are trained on warning signs related to electronic content, and that training needs to occur regularly as threats evolve. Read our blog post, 8 Network Security Practices Your Staff Needs To Know, for tips.
You need to have a robust security infrastructure in place to protect your business' valuable data. Great Lakes Computer can help. We offer a full range of security measures from antivirus to backup and recovery, digital forensics, and even cyber liability insurance in the event a breach occurs. Contact us today if you're ready to take cybersecurity seriously.