Last week’s Google Docs phishing attack sent waves across social media, as users including journalists, academics and employees from high-profile corporations were affected.
As part of the phishing attempt, users received an email with an invite to a Google Doc that appeared to be from a person they would know. The email then directs users to authorize a fake Google app that’s hosted on an actual Google page. Once the app is authorized, the attacker can then draw from a user’s contacts to send the offending email to even more people.
Google has since clamped down on the exploit, but the attack’s quick scale is a strong reminder about how difficult phishing attacks can be to spot. Phishing refers to an email or other message from a third party that imitates being from a reputable source, but which wants to deceive you into revealing personal information or credentials.
International Business Times talked with Betsy Cooper, executive director of the Center for Long-Term Cybersecurity at the University of California, Berkley, about phishing and the Google Docs attack.
What do hackers traditionally do with data gained from phishing attacks?
Betsy Cooper: What happened in this case is that essentially, people received an email that looked like it came from someone within their network, because that person in turn had basically fraudulently given away their contact information. And so, you get an email that looks like it’s coming from someone that you know and it asks you to click on a Google document. And when you click on that, it actually apparently was installing some sort of application on your device that would give it access to your Gmail account and to your contacts, as well as the password that you had used for that account.
So in essence, what the scammers are hoping to get out of this is first, access to your contact network so they can spam more people and make it look like it comes from someone that those people know. And second, they’re hoping to get some sort of information like passwords, which a lot of people reuse in multiple places, which makes it even more exciting because once they get the password for one thing, they might be able to get access to other aspects of the person’s online life.
How are phishing attempts like the Google Docs attack able to spread so quickly?
BC: A sophisticated attack will do the best it can to make it look as though it’s coming from the real source, so in this case, the email that people received looked like it could have come from Google Docs. It wasn’t exactly identical, but it did look similar to Google Docs and that encourages people to have a sense of security that this is a legitimate message. Second, of course, is the familiarity of the person, so they use peoples’ contact lists to encourage you to recognize that it was someone from your network, so you’re more likely to trust the message and click on it then.
On the other hand, there are certain flags: oftentimes, spammers have typos or they look illegitimate. There was one such flag in this message, which is that it had sort of like a bunch of Hs, it was also sending to a bunch of Hs at protonmail or something like that [referring to the original Google Docs email being addressed to email@example.com], so in that case, that’s a flag because you don’t normally get emails that look like that, so that signals that something’s up.
And if you looked at the certificate as well, the certificate did not seem to come from Google, it seemed to come from something that was made to look like Google but it didn’t look quite right as well. So, somebody who dug into the source of the email might’ve seen something funny, so those were two flags on the other side and the fewer flags that you have to decrease your comfort, the more likely it is that more people are going to click on the email.
The Google Docs email also used a sophisticated approach to mimic an official Google page. Is this unique for phishing attempts?
BC: I wouldn’t say it’s common, but it definitely exists. More broadly, it’s a very common technique of phishing schemes to try to pretend that it is an organization with which you engage regularly: your bank or your email client or something like that in order to try to get you to have that level of comfort that you want to input your information. So, I think that more generally is quite common even if Google Docs itself isn’t the most common source.
Finally, I think the requesting permissions was another flag. Normally, if you just log into a Google Doc, you don’t have to give permissions, you’re not logging into an app — you would just either already be logged in or you’d have to input your username and password, but the permissions thing should have been a flag for people.
Obviously, that was a flag, but that is a more complex type of phishing scheme than the normal one you see. The normal one you see is often trying to get people to think that this is their IT manager and they need to give their password over to unlock the account. This was far from perfect, but it was still a level or two up from other phishing schemes, which, frankly, was why it was so successful.
What precautions can users take against these types of phishing attempts?
BC: First, really look for those signs that something is from a trusted user and if there’s something that looks funny, like the [repeated “h”‘s in the Google Doc email], that should automatically be a signal and you should double check with your IT people before clicking on any link. A lot of people, when they see something funny, they don’t automatically assume that it’s a problem and they go ahead and click on it anyways and the opposite should be true. If you’re not sure, you shouldn’t click. You should also make sure that you’re expecting to receive something, trusting your instincts and waiting until you can check are two really important things.
Second, people should really use two-factor authentication as much as possible and that serves at least two purposes: First, it makes it harder for someone to get into your legitimate accounts. If you have your email password and then you have to input something on your phone, the person needs access to your phone in order to be able to get to it in most cases, so that makes the standard a lot harder.
But the other thing that two-factor authentication does is, it should trigger your comfort levels if it’s not requesting two-factor when you’re using those fake systems. So in the case here, it was asking for permissions, it wasn’t asking for your password and then your mobile device. It should trigger to you that it’s different than the normal way you log into that system and should really get you interested in moving forward.