Google Docs Phishing Attacks

This phishing attack begins by spoofing known contacts' email addresses using a technique called "address spoofing" in an attempt to steal people’s personal information. 

First Published 4th May 2017

Google Docs Phishing Attacks

Gone phishing. 

4 min read  |  Reflare Research Team

Over the past 24 hours, a massive phishing attack targeting users of Google Docs has surfaced. In this briefing, we will take a look at the underlying mechanics, mitigation strategies and the state of phishing in general.

Attack Details

The attack begins with the victim receiving what appears to be an invitation to a shared document from a known contact. Such invitations are extremely common as they allow teams to work on the same document within Google Docs.

Upon clicking on the link in the email however, the victim is directed to a malicious application made to look like Google Docs instead of the real Google Docs. The application then asks for authorization to access the user’s Google Account. This should be a huge warning sign as there is no good reason for a Google service to ask for authorization to use a Google service. Such authorizations are usually used by third-party applications integrating with Google services such as CRMs, marketing tools or additional spam filters.

The authorization granted allows the malicious app to send emails on the victim’s behalf. Once it is granted, the app then sends the same “invitation” to all of the victim’s contacts to further spread itself.

Mitigation Strategies

On Google’s side, the malicious application can be blacklisted to prevent it from asking for further authorizations. However, the attackers can easily create a new app to repeat the same process.

Thus, the task of protection falls to users primarily.

Phishing attacks usually aim to abuse implicit trust. Users may normally confirm the URL of a site they visit with care, but since the email appears to have been sent by a friend or acquaintance, they may let down their guard. Unfortunately, the friend lending credence to this scheme was merely another victim of the same attack.

The only good mitigation strategy is to always confirm the URL and SSL certificate of websites. If a site claiming to be Google does not have a Google URL or certificate, it is almost certainly a scam. Furthermore, any site asking for authorization should be given the common sense treatment: Does it make sense to ask for this application to ask for those permissions to perform the task it claims to perform?

Examples of shady permissions are:

  • Services claiming to be Google (Yahoo / Microsoft / Facebook / etc) asking for authorization to use Google (Yahoo / Microsoft / Facebook / etc) APIs

  • A site claiming to use Facebook for logins only asking for permission to post or like on a user’s behalf or see a user’s post history

  • An Android application with simple functionality (e.g. a calculator) asking for access to the phone book, pictures, location or the right to make phone calls

  • An application claiming to perform an action on one service (e.g. Facebook) asking for permissions on a different service (e.g. Google)

The State of Phishing

Phishing attacks have become significantly more sophisticated during the past 5 years. This is mostly due to the fact that basic attacks sent to random victims are at this point easily identified and filtered out by email providers. Many phishing attacks thus either attempt to abuse a service’s built-in functionality to send credible emails or abuse a victim’s friends and acquaintances to gain credibility.

For the time being, never assume that a message is credible, just because a message appears to come from a friend. Your friend may simply be the attack’s previous victim. If you receive a suspected phishing message on an organizational account, let your IT team know so they can take appropriate action.

If you are in the IT team, make sure your organization’s employees are aware of the risk of phishing and offer to review suspicious emails for them. Depending on your organization's size, awareness training may be required. In acute cases, blocking access to the malicious application from the organization’s network can provide relief.

Subscribe by email