Recent Google Docs Phishing attack is a win for Blue Teams

Despite spreading rapidly, the attack was stopped within an hour

Gmail Google Mail
Martyn Williams/IDG

On Wednesday afternoon, social media exploded with reports of a new Phishing attack targeting users of Google Docs. The attack was clever, centered on getting the victim to grant permissions to an application called Google Docs before spreading to the victim's contacts.

Fortunately, the attack didn't last long, thanks to the efforts of thoughtful users, Google, and Cloudflare.

Officially, Google issued a brief statement on the matter via Twitter and to various members of the media:

"We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."

Blue Team Go!

Wednesday's attack was sudden, widespread – affecting Google and non-Google domains – and noteworthy for the way it worked. The goal was to get a user to authorize an App that would let the attacker have complete control over the victim's account.

Right up until it comes to the App authorization, the victim sees legitimate Google data and account details. The App itself is a clear fake, because "Google Docs" doesn't need authorization. So somehow, the App author (the one likely responsible for the attack itself) was able to give their creation a name that should be blacklisted.

At this stage, things get interesting. But if you're familiar with the concept of a Blue Team (the defenders of a given network and the users on it), the way things unfolded won't shock you. For those who are not familiar with the concept – today's attack is a classic example who why incident response is so critical.

"This story demonstrates how important it is to have effective incident response plans in place. Companies need to accept that in today's environment they will suffer a security breach and they will be judged on how well they respond and deal with the breach rather than the breach itself," said Brian Honan, Information Security Consultant at BH Consulting.

"Incident response teams need to test their capabilities regularly so they know how to operate during a breach, good training enables teams to respond well to breach scenarios they may not have thought about, such as this evening's event."

So what could have been a serious attack, resulting in massive account compromises, was over almost as soon as it started.

Awareness:

This attack started moving fast. At peak, the attack was generating about 155 messages per minute, around 3:15 p.m. EST on Wednesday. However, forty-five minutes later, the volume dropped off completely.

On Reddit, around the time the attack hit its peak, a user posted a full outline, warning others about the situation. Within moments, a staffer at Google took notice and passed the details over to engineering, who said they expected a fix within an hour.

While this conversation was happening, Cloudflare, where the attacker was hosting domains, started pulling them offline. On Twitter, users in the security community, as well as those with no ties to IT whatsoever started warning others about the situation.

At IDG, our IT team issued a warning to all staff about the incident. In Shrewsbury, a town in Worcester County, Massachusetts, the IT department at Shrewsbury Public Schools emailed parents, warning them and students about the situation.

Within ten minutes of the first report on Twitter, Cloudflare had disabled all of them. Soon after, Google disabled the App itself and started flagging messages in Gmail as potentially dangerous.

There is a clear connection between the rapid response of Google and Cloudflare, and the volume of warnings circulating online, to the short attack window available during Wednesday's incident.

Because response and awareness were synced so well, the number of people who fell for this attack is much smaller than it could've been – although no one is certain about the number of people who fell for the attack before it could be stopped.

The point is, end users are a valuable tool. When information spreads quickly – as long as it's accurate – the victim pool in a given attack drops significantly.

Another interesting observation centers on information sharing. As soon as word of the attacks started, people started collecting information and sharing it. This includes the domains used in the attack, the full URL form the Phishing email, and a copy of the source code.

Wednesday's attack was a clear win for the Blue Team, but it's also a warning.

This one was stopped quickly. However, the attack itself could have been a simple test, proving that it's possible to craft a solid Phishing attack using legitimate resources that people know and trust.

"Second, and more concerning, this attack allowed the OAuth owner access to all of the email content and contact information for every compromised victim of the attack. This means that the attacker potentially has access to all of the information within your account and the ability to read, send, delete and manage the email and contacts of the associated account," commented Nick Biasini on the Talos blog.

"Additionally, since OAuth was used, the typical protections like changing passwords has no immediate impact on the adversaries' access. Because of the success of this attack, we are likely going to see phishing attacks of this nature for the foreseeable future."

If you or someone you know was impacted by Wednesday's attack, disable the Google Docs application permissions under account settings. You can do this with Google's help, or by following the non-technical instructions posted here.

Send your comments to our Facebook page.

Copyright © 2017 IDG Communications, Inc.

What is security's role in digital transformation?