What we can learn from the Google Docs hack
FYI, this story is more than a year old
An interesting new phishing attack emerged last week, on Google Docs.
“The vulnerability was exposed for only about one hour, and a spokesperson told NBC News that it affected ‘fewer than 0.1 percent of Gmail users’ — which would still be about a million.”
In a nutshell the attack worked like this: You receive a link from one of your contacts sharing a Google doc. Click, and the link takes you to the real Google Security page, where you were asked to give permission to a fake application (this one posing as GDocs) to manage your email.
It also replicated itself by sending the same link out to all contacts in your list, causing the attack to spread rapidly. So what can we do about this?
Let me introduce an unnamed friend of mine, T.C. He is a hard working, experienced system administrator who cares greatly about his company and security. T.C. has an advantage over other sysadmins - he knows an awesome information security professional who always talks about attacks and sophistication.
T.C. fell for this attack and notified me. I asked him to let me use this information to help better inform the community about these types of attacks.
Remember, don’t be embarrassed about falling victim. The more we talk about how these things happen the better we will be.
I received an email in my inbox at 11:47 am on May 3 with the following subject: T.C. has shared a Google doc with you.
Although we I have been friends for ages, I wasn’t expecting a Google doc from him. In fact, we had never shared anything on Google docs. While I would have questioned this email, luckily I was out at lunch and didn’t really pay attention to it.
I received the next email at 12:03 pm from TC with the following subject: SPAM
And the following message: “Folks, do not open the Google docs email I supposedly just sent. Even IT guys get caught sometimes.”
Ten minutes. From click to the next email stating that he got caught by the scammers. T.C, is a smart guy who pays attention. So how did he get caught?
“I had not heard of anything going around,” he said. “Although my normal channels of web surfing did show that something was going around, it had not been highly publicised. I received the email and thought it was weird that I received something from my cousin who has never sent me anything. It looked pretty legit. But I did my due diligence and looked at the hyperlink.”
In this particular attack, the hyperlink was a legit Google hyperlink so he thought he was good to go. So far with the Google authorising page this all seemed fairly normal.
So T.C. had legitimate reasons to believe his cousin had sent the mail. He had legitimate reasons to believe the email wasn’t an attack based on the hyperlink. He had heard nothing about this type of attack on news feeds.
At this point, T.C. says: “It seemed good. It was going to Google and seemed legit so I clicked. It took me to a Google auth page. I thought that is pretty normal. If I am going to be getting a shared doc, I would need to authenticate. Especially when we put in account expiration times, meaning most users would have to re-authenticate at least once a day to the service. I then put in my password and arrived at some weird page.
“I started to dig in and I get an email from somebody else that says: ‘Fid I mean to send them spam?’ I knew I had probably fallen for it.
“I then looked at my sent items and it BCC’ed all my Google contacts. I knew at this point I had fallen for it. Immediately I sent a follow up email that said to disregard the first.”
Then the cleanup began.
“I then did more research and found out about removing Google docs from my list of approved apps because Google docs just being there was wrong. I started rotating all of my passwords.”
From click to realisation took less than five minutes. From the spread to the follow-up email was about 10 minutes.
So what can we learn from this attack and from TC’s tale?
The sophistication of attacks will continue to increase. Attackers know that misspelled, non-legit emails are attracting few results. As an industry, we have been educating users on being wary of email links. The attackers know this and will continue to launch more and more sophisticated attacks to dupe users. We should use these types of attack in our education program for users.
Most of this education advises hovering over the link or verifying that it has a legit source. In this case it was, so we should increase and update our education.
Email will continue to be a top vector when it comes to breaching systems. If a 20-year IT pro can fall victim, what chance does someone in accounting have? As an industry, we have relied far too heavily on email for far too long. We need to begin to look seriously at other communication modalities to help protect against these types of attack.
Email has plenty of flaws and some organisations have gone to other modalities for internal communications. We need to move away from email. There are better more secure solutions out there for communications.
Also we seem to forget the verify portion of ‘trust but verify’. Had T.C. called or texted his cousin to see if he sent the fake email, it could have been avoided. If you receive something unexpected, verify with the sender that they sent it. Yes, this takes diligence and time but it will keep your data from being at risk.
Lots of users use Gmail or their Google account as their primary account. This is used for other services to provide log-in information. If an attacker gains access to your Google, account you can bet they have access to lots of other systems you use. Consider where your password resets go? Do they go to your Gmail account? If so, and you fell for this attack, you should rotate all passwords immediately. If an attacker has access to your Gmail, they have access to anything you use it for. Keep that in mind as you link accounts.
Many companies, especially those with remote employees, rely on Google docs to collaborate. Ask yourself: “What’s in Google Drive and what could the bad guys have access to? If this type of attack happens, do you even know what your organisation’s exposure is? Such an attack is more likely to work in organisations that share data via Google Docs all the time.
For T.C. and a tonne of infosec and information technology teams, lots of time was spent on the internal clean up. Some organisations found up to 35 different unique variants. Internal teams were pulling emails out of in-boxes on the backend and in some cases using defence in depth to block bad domains associated with the attack.
Consider the clean-up effort you or your team went through. Now begin to drill those scenarios with your teams to get better and faster next time. Use this to test business continuity and disaster recovery in conjunction with a security incident. Do a table top. What if this were more malicious? What if your team were dealing with simultaneous multiple attacks. Be prepared for these scenarios. They will continue to happen.
If you are like T.C. and his organisation, you should lock down Google so that you cannot share contacts and content with anyone outside your organisation. This is fairly easy to configure and would help to protect against such attacks.
This latest attack wasn’t all bad though. Valuable lessons can be learned from each attack.
Note that the first public post from a ‘friend’ on Facebook who doesn’t work in information security appeared within a half an hour of T.C. sending me the warning email. We are getting better about notifying the public and the public are listening.
Let me also commend Google for moving as fast as possible on this type of attack. As of yesterday, Google said it had ‘disabled’ the malicious accounts and pushed updates to all users.
Article by Rick McElroy, Carbon Black.