5/4/2017
04:50 PM

Google Docs Phishing Scam a Game Changer

Experts expect copycats that take advantage of passive authentication from third-party applications using standards such as OAuth.

The Google Doc phishing scam that conned over a million users this week illustrates how cleverly attackers respond to more widespread end-user awareness of how phishing attacks work.

The attack didn't ask users to enter credentials. Instead, it exhibited very few traditional phishing scam behaviors and couldn't have been detected by endpoint protections. Some researchers are calling this attack a "game changer" that could be just the start of a new wave of attacks that take advantage of third-party authentication connections rampant in the cloud services-based economy. 

The attack tricked victims into clicking a link that gave attackers access to their Google Drive through OAuth authentication connections commonly used by third-party applications. The attackers did so by sending victims lure messages claiming to contain links to a shared Google Doc.

Instead of a legit document, the link actually initiates a process to give a phony app masquerading as "Google Docs" access to the user's Google account. If the user is already logged into Google, the connection routes that app into an OAuth permissions page asking the user to "Allow" access to the user's legitimate Google Drive.

"You aren't giving your Google credentials directly to the attacker. Rather, OAuth gives the attacker permissions to act on behalf of your account. You're on the real Google permissions page. OAuth is a legitimate way to give third-party applications access to your account. The application name is 'Google Docs,' which is fake but convincing," says Jordan Wright, R&D engineer for Duo Security. "So unless you know that Google Docs won't ask for your permissions, there is little you could use to determine that this was fake."

Wright says that the attack exhibits worm-like behavior, using previous victims as the supposed sender of new scam messages to lull victims into a sense of security.

The lure emails appear to come from Google Drive from a previous victim, making it difficult to detect as a fakeout, says Travis Smith, senior security researcher at Tripwire.

"Not only does this have a casual appearance of being legitimate, by being part of the official marketplace the link in the email went back directly to legitimate Google servers," says Smith. "For those that are trained to validate the link before clicking on it, this passes two of the common techniques the majority of internet users are trained to not click on every link they come across: 'Does it come from someone you trust and validate the link is going to a trusted source?'"

The only big tip-off is that many of the messages seem to have a suspicious account, [email protected], cc'd on the message, says John Bambenek, threat research manager at Fidelis Cybersecurity. He says the attack shows the glaring problem with OAuth, namely that it allows passive authentication.

"We talk about passwords and password security, but we don't really think a lot about these third-party apps we give access to," he says. "On Facebook and Twitter you fill out those dumb quizzes that give full access to everything in your Facebook account, but they're not thinking about handing that data to third parties. This is a case with the same dynamic."

It's a tricky situation for enterprise security professionals seeking to safeguard their users because there is no quick fix here, says Ravi Balupari in a recent analysis for Netskope.

"There has been no use of any malicious file for infecting, propagating, or data exfiltration. In this particular attack, all these phases have now transformed into using Google Gmail application and all the network traffic looks legitimate proving traditional network security devices incapable of protection," Balupari says. "There is absolutely no role of endpoint security products to detect and protect against such an attack."

Netskope's analysis found that a number of enterprise users across various industries ended up falling prey to this attack. Google worked to quickly block the attack, but there was a window of opportunity in that time between compromise and mitigation where emails, contacts, attachments and whatever else on a Google account could have been purloined, he warns.

"If an enterprise has identified that their users have granted access to the app in this attack, we recommend they conduct a full audit of the activities that were performed in Google Gmail after the permissions were granted to the app," Balupari writes. 
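Balupari's recommendation above, first finding which users granted the app access and then auditing what happened in Gmail afterwards, starts from the OAuth consent log. The Python below is an added example, not code from the article, Netskope or Google: it walks a constructed sample of token authorization events (the field layout is loosely modeled on Google Workspace "token" audit events, the client IDs are placeholders, and the first-party allow-list is assumed to be maintained by the admin team) and flags grants matching this attack's pattern, a third-party app carrying a Google product name plus mailbox and contacts scopes.

```python
import re

# Scopes that gave the fake "Google Docs" app the reach the article describes:
# full mailbox access and the contact list used to pick the next victims.
HIGH_RISK_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/contacts"}
# Assumption: admins maintain an allow-list of first-party client IDs (placeholder value).
FIRST_PARTY_CLIENT_IDS = {"000000-first-party-placeholder.apps.googleusercontent.com"}
# A third-party app whose display name borrows a Google product name is the lure here.
BRAND_WORDS = re.compile(r"\b(google|gmail|docs|drive)\b", re.IGNORECASE)

# Constructed sample, loosely modeled on the name/value parameter layout of Google
# Workspace "token" audit events; the field names and client IDs are assumptions.
SAMPLE_EVENTS = [
    {"name": "authorize", "actor": "alice@example.com", "parameters": [
        {"name": "app_name", "value": "Google Docs"},
        {"name": "client_id", "value": "999999-lookalike-placeholder.apps.googleusercontent.com"},
        {"name": "scope", "multiValue": ["https://mail.google.com/",
                                         "https://www.googleapis.com/auth/contacts"]}]},
    {"name": "authorize", "actor": "bob@example.com", "parameters": [
        {"name": "app_name", "value": "Expense Tracker"},
        {"name": "client_id", "value": "111111-expenses-placeholder.apps.googleusercontent.com"},
        {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]},
    {"name": "authorize", "actor": "carol@example.com", "parameters": [
        {"name": "app_name", "value": "Google Drive"},
        {"name": "client_id", "value": "000000-first-party-placeholder.apps.googleusercontent.com"},
        {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]},
]

def _params(event):
    """Flatten the parameter list of one event into {name: value-or-list}."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}

def flag_suspicious_grants(events):
    """Return one finding per 'authorize' event that matches the consent-phishing pattern."""
    findings = []
    for ev in events:
        if ev.get("name") != "authorize":
            continue
        p = _params(ev)
        app, client_id = str(p.get("app_name", "")), str(p.get("client_id", ""))
        reasons = []
        if BRAND_WORDS.search(app) and client_id not in FIRST_PARTY_CLIENT_IDS:
            reasons.append("third-party app named after a Google product")
        risky = sorted(set(p.get("scope") or []) & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes granted: " + ", ".join(risky))
        if reasons:  # each finding is a candidate for the post-grant mailbox audit
            findings.append({"actor": ev["actor"], "app_name": app,
                             "client_id": client_id, "reasons": reasons})
    return findings
```

Each finding names the account and the offending client ID, which is what you need to revoke the grant and scope the follow-up review of mail, contacts and attachments touched after the authorization.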

New Rules

The larger lesson to be learned here is that as phishing awareness campaigns grow more successful, attackers aren't going to take their ball and go home. Instead, they're changing the rules of the game.

"This is somewhat of a game changer in the sense that there is little to point to as malicious," says Mounir Hahad, senior director of Cyphort Labs. "Any app out there can use Google’s API for authentication. For Google to respond to this kind of phishing attack is like a game of whack-a-mole. The widespread attacks will be relatively easy to identify and to respond to, but the more targeted ones will fly under the radar for a while."

Security professionals should consider this a proof-of-concept for OAuth phishing in the future.

According to researchers at Cisco, it is only a matter of time before copycat attacks against a wide range of cloud-based storage provider users start cropping up. That's troubling considering current user behavior. According to the Dell End-User Security Survey, more than one in three employees will frequently open emails from unknown senders at work, and 56% of employees use public cloud services such as Google Drive, Dropbox, iCloud, and others for sharing or backing up their work.

While enterprises figure out how to deal with these threats technically, it is important to get users thinking critically not only about where they enter their credentials but also to whom - and to what - they assign permissions.

"This campaign is an example of how an attacker doesn’t need to ask you for your username and password to gain access to your account. When looking at something asking you for permissions, don't approve out of habit, take a look and think why you would need to give something those permissions," Wright says.

For example, a discerning user would know that Google Docs doesn't ask a user to provide access to Google Docs.

"It already has it, essentially, as that's the nature of signing up for the service," says Nathan Wenzler, chief security strategist at AsTech, a security consultancy. "A quick moment to check before clicking on the link may reveal that it's not going where you expect or where it advertises itself to go."

Additionally, enterprise IT needs to think about ways to mitigate these kinds of attacks in the future, including better segmentation and internal access controls to data, experts say.

--Kelly Jackson Higgins contributed to this article.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
JulietteRizkallah,
User Rank: Ninja
5/8/2017 | 4:08:12 PM
Best Mitigation
will be identity governance.  Control access, certify access periodically, identify rogue and orphan accounts, revoke access/accounts when needed.
macker490,
User Rank: Ninja
5/6/2017 | 7:50:29 AM
same 2 fundamental issues
the attack exploits the same 2 fundamental issues

(1) failure to authenticate source of message

(2) vulnerable operating software

PGP/GPG has been available now for years -- since the 90s. the problem of authentication in a digital net will not be solved until PGP/GPG is adopted as a General Practice. 2FA doesn't do it. (read hack stories on ss7 this week). biometrics don't help -- the digital representation of your fingerprint can be stolen just like a copy of your SSN. but you can't change your fingerprint (unless you wear a latex "forgery" fingerprint) like you can your password

at least adopt PGP/GPG. these can be incorporated into (e.g.) Outlook, Thunderbird, Echelon, Claws. once configured (IT Job) -- it's easy to use ---- ALL THE TIME

to do it isn't trivial: you have to learn how to verify identifications ("keys" in PGP/GPG). alas, that is what this problem is all about.

as far as the o/s goes -- avoid using an o/s that is easily compromised. you know what I'm talking about
AcklenX,
User Rank: Apprentice
5/5/2017 | 11:26:43 AM
The endpoint under attack is the user

The endpoint under attack is the user.  And users need an update that helps them protect against these types of attacks.  If users think that knowing the sender means they can trust the email... they need an update (specific, relevant training), because that's just not true (e.g. have you never received an email from a trusted friend asking you to wire money because they were robbed while traveling abroad and now they're stuck?). Likewise, if you think you can trust the url you see in the address bar because it starts with https and has a green lock next to it, you need an update (e.g. Phishing with Unicode Domains).

Security awareness training doesn't cut it. It's too slow to create a "patch". Better offerings allow peers to report phish they detected, that their peers may have missed, but who clicked first? That software is even slower pushing new training to users (how often do you go through the security awareness training?). And all of that can only happen after the compromise has occurred (perhaps to you), been detected, analyzed, remediated, packaged, pushed, and applied (more training). And these are people we're talking about, so even if it's been pushed, they may not apply the new information pushed to them.

And that's the real problem... training does nothing to protect you if you don't apply it. Coupled with the recognition that secure web/email gateways don't cut it either ("There is absolutely no role of endpoint security products to detect and protect against such an attack"), it's pretty clear that the only fix is to patch users and enforce the application of their updated knowledge in the real world.

The users are the endpoint, and the security software has to run on them. 

Quincy