On May 3 a very large and sophisticated phishing attack spread using a malicious third-party application named "Google Docs". This attack, and others like it, can be identified, tracked and remediated in CloudSOC.
Users received a phishing email inviting them to view a Google document shared by one of their contacts. Users who clicked the link were redirected to install a malicious third-party app named "Google Docs". During installation the user was asked to select a Google account and to grant the app permission to "read, send, delete, manage email" and "manage your contacts". Once the user authorized these permissions, the app held tokens for the mail.google.com and googleapis.com/auth/contacts scopes and could read and act on the account's mail and contacts. The user was then redirected to a fake landing page that could be used to serve additional phishing messages.
Organizations using CloudSOC will see this malicious application in their Google Securlet dashboard, along with details of the users who authorized the app to access their accounts and a button that automatically revokes that app's authorization for all affected users.
CloudSOC Securlet dashboard identifies fake Google Docs app
CloudSOC identifies users who have authorized access to fake Google Docs app and offers to revoke this access
In today's world of cloud apps, it is convenient for users to grant third-party apps access to their accounts (email, social media, file sharing, etc.) through OAuth rather than sharing a password. Google has mitigated this attack, but attacks like it are growing in popularity. Bad actors are taking advantage of how routine it has become for users to grant access to third-party apps: so routine that many users no longer think twice about granting permissions when the request looks normal. In this case the app was named Google Docs and looked legitimate to many users. These attacks do not use any malware, but CloudSOC provides the visibility and controls needed to remediate them.
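As an added example (not CloudSOC or Symantec code), here is the triage a defender can run over an organization's third-party OAuth grants: flag apps that reuse a first-party product name under an unknown client id and that hold the mail and contacts scopes named above, group the grants by client id, and revoke them for every affected user in one pass. The record shape loosely follows the Admin SDK Directory API `tokens.list` resource, but the client ids, the protected-name list and the user accounts are all constructed assumptions; the only real identifiers are the two scopes from the article. The revocation call is injected so the logic runs offline; in a Google Workspace deployment it would wrap the Directory API `tokens.delete` method.

```python
"""Triage third-party OAuth grants for apps that impersonate first-party
Google products and hold high-impact scopes, then revoke them for every
affected user.

Added example; not CloudSOC or Symantec code. The Grant record shape loosely
follows the Admin SDK Directory API tokens.list resource (clientId,
displayText, scopes, userKey); every value below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

# The two scopes the article names as granted to the fake "Google Docs" app.
HIGH_IMPACT_SCOPES: Set[str] = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

# Product names that only Google itself should be able to show on a consent
# screen. Assumption: a defender-maintained list, not something Google ships.
PROTECTED_NAMES: Set[str] = {"google docs", "google drive", "google sheets", "gmail"}

# Client ids the organization has verified as genuine first-party apps.
# Assumption: constructed placeholder, not a real Google client id.
FIRST_PARTY_CLIENT_IDS: Set[str] = {"first-party-docs.example"}


@dataclass(frozen=True)
class Grant:
    user_key: str      # the account that authorized the app
    client_id: str     # OAuth client id of the authorized app
    display_text: str  # name shown on the consent screen
    scopes: List[str]  # scopes the user granted


def _normalize(name: str) -> str:
    # Collapse case and whitespace so "Google  Docs " still matches.
    return " ".join(name.lower().split())


def is_impersonating(grant: Grant, first_party: Set[str] = FIRST_PARTY_CLIENT_IDS) -> bool:
    """True when the app reuses a protected product name under an unknown client id."""
    return _normalize(grant.display_text) in PROTECTED_NAMES and grant.client_id not in first_party


def risk_score(grant: Grant, first_party: Set[str] = FIRST_PARTY_CLIENT_IDS) -> int:
    """Impersonation weighs most; each high-impact scope adds to the score."""
    score = 10 if is_impersonating(grant, first_party) else 0
    score += 5 * len(HIGH_IMPACT_SCOPES & set(grant.scopes))
    return score


def triage(grants: Iterable[Grant], threshold: int = 10,
           first_party: Set[str] = FIRST_PARTY_CLIENT_IDS) -> Dict[str, List[str]]:
    """Group grants at or above the threshold by client id, so one decision
    covers every user who authorized the same app."""
    flagged: Dict[str, List[str]] = {}
    for g in grants:
        if risk_score(g, first_party) >= threshold:
            flagged.setdefault(g.client_id, []).append(g.user_key)
    return flagged


def revoke_all(flagged: Dict[str, List[str]],
               revoke: Callable[[str, str], None]) -> int:
    """Call revoke(user_key, client_id) for each flagged pair; return the count.
    The caller injects `revoke` (in production a wrapper around the Directory
    API tokens.delete call) so this logic can run offline."""
    count = 0
    for client_id, users in flagged.items():
        for user in users:
            revoke(user, client_id)
            count += 1
    return count


# Constructed sample: one genuine first-party grant, two users who authorized
# the fake app, an honest third-party mail client, and a calendar-only add-on.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "first-party-docs.example", "Google Docs",
          ["https://www.googleapis.com/auth/drive"]),
    Grant("alice@example.com", "fake-docs-client.example", "Google Docs",
          ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]),
    Grant("bob@example.com", "fake-docs-client.example", "Google  Docs ",
          ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]),
    Grant("carol@example.com", "honest-mail-app.example", "Acme Mail",
          ["https://mail.google.com/"]),
    Grant("dave@example.com", "calendar-addon.example", "Meeting Helper",
          ["https://www.googleapis.com/auth/calendar.readonly"]),
]


if __name__ == "__main__":
    flagged = triage(SAMPLE_GRANTS)
    done = revoke_all(flagged, lambda user, client: print(f"revoked {client} for {user}"))
    print(f"{done} grant(s) revoked across {len(flagged)} app(s)")
```

The honest mail client holds the full-mailbox scope but an honest name, so at the default threshold it scores 5 and is left alone; lowering the threshold to 5 surfaces it for review, which is the trade-off between catching impersonation only and auditing every broad grant.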
What's even scarier than that, the page has a very real-looking Google.com URL, and clicking on a link to Google Docs appears to confirm the page's authenticity. It gets worse. That page invites you to choose which account you'd like to use to view the Google Doc, and then you're taken to a page that invites you to grant access to your Google Account. It's still unclear who's behind this attack, and we might never know, but I will definitely make sure that I don't click on any Google Doc links for the rest of the week.
Thank you very much for the article. That's what happens when you use GOOGLE instead of Microsoft, hahaha, just kidding. This kind of security flaw really is worrying, but it's good to have products that make information ever more secure.
Truly interesting and scary. Phishing is always the main entry point for an intruder to enter your system. Don't know why users are still unaware of this and click on something they don't know or trust. Hackers are smart at finding new ways to lure users. Please be alert and save yourselves.
This is a really interesting and cunning attack; nice to see that Symantec picked this up. I'm sure that a lot of users got caught by this one. I'd like to hope that this exploit has been closed and Google have thought about better protection for their users.
There is so much of this type of exploit hitting our machines these days. The only safe response is to ignore any incoming emails from unknown sources, or read emails using webmail in text mode only. If in doubt, a virtual machine can be used, and then immediately reset to the previous snapshot to destroy any payload.
Interesting that CloudSOC was able to stop the attack, but the key detail is the need for user training. This is a never-ending topic; there will always be new ways to trick users. We also see the importance of the SOC.
Here's an interesting link:
pic.twitter.com/l6c1ljSFIX
Regards
Wow, this is beyond new to me! I was not aware that third-party apps could do so much with the authentication they're given through OAuth. I'm definitely sharing this with family members and friends to keep them on their toes! ~Thanks Symantec!
Both scary and great to see this, well done Symantec with CloudSOC, front page news! Even Google isn't infallible.
Good article, good read.
Good to see that information like this is being pushed out to users to become more aware of all these attempts to get to your data.
Glad to see the CloudSOC is getting the job done.
Thanks
Whenever there is a friendly, simple user interface, it is much more practical for network administrators to manage the services. As for the product, it is one of those where Symantec is always at the forefront in technology and application, achieving the level of quality that the Symantec brand represents.
Thanks for this documentation about the Google Docs attack. This is another example of how easy it is to create confusion on the user side. Just send a generic email and ask to click a link. We have to push more information to end users and try to educate them to stay safe in all actions done using the normal office applications. Think before you click!
Shocking. These types of attacks are the roots of financial and IP data loss. Users, though many times made aware, click unwanted emails and marketing campaigns of high-end goods selling at cheap prices... in the background malware does its work and finally the user keeps crying. Either ransomware-like viruses or some other data hacks make their life miserable. Whom to blame?...... I believe it all goes to the USER who is using the system. Get the IT literacy UP UP UP!!!
Phishing attacks obviously rely on a majority of the receiver to click on the link or malicious file then follow directions innocently to infect themselves. This is and will continue to be a scary thing as most people are trusting especially if just by performing a quick glance, the e-mail seems to come from a trustworthy source. The other scary part is that you have cloud storage providers such as Google and Microsoft who do not perform normal checks and balances to ensure the files being stored on their managed environment are safe; this is typically a service they charge for, for big business. This is where companies like Symantec come in so they can fill that void and help protect the end users properly.
Using Google Docs to phish users is very scary, as people will easily fall prey to that and give access to email and contacts.. :(
CloudSOC is acting as saviour in this situation. Well Done CloudSOC. Email Security is very very important these days, be it, work email or personal email. Thank God Symantec is there :)
This is one of the many reasons why I am so hesitant when it comes to emails. So many phishing campaigns going on all the time trying to harvest contacts, credentials, PII, etc... Fearing the internet is the best way to traverse the internet. So many basic users getting taken advantage of every day. This is at least creating job security for me. (glass half full)
It's surprising (from a security professional's perspective) to see how many people still fall for these attempts/attacks. At the same time, it's nice to see that security vendors are taking these, sometimes one-off, attacks seriously and providing methods to mitigate. Having these capabilities should put customers' minds at ease. Thanks Symantec!
Quite an oversight from Google to allow any name for the app, or not showing the author; it's interesting to see another one similar to the image embedded that looks like a download.
Good way to market Symantec CloudSOC as well as expose an attack :)
The attack was a nice one too, using the exact same name as a legitimate app and also possibly using similar file fingerprints to get away from IPS/IDS and antivirus scanners.
The pain point I see here is that although it spreads through company networks, it can affect most personal accounts, since the majority of users in my region are using Gmail for personal use and only a handful of companies are using Google for Work. What's even worse, an IT support team will be forced to deal with personal losses.
It's good to see a proactive response. Thankfully it seems that Google have been pretty quick on blocking the vulnerability as well. Login systems like the one used will always be a target as it plays on a familiar method that users trust. Convenience, in this context, comes at a cost.
We are all very lucky that most malware authors / phishers generally have little imagination. This one however is different - it is simple programmatically, but uses well thought through deception techniques right out of the book of a street magician. I'm pleased that this was spotted and mitigated quickly, but the arms-race will only get more and more heated as the protagonists involved get more ingenious with the social manipulation.
Thanks for the article. Very concerning especially as the app was named Google Docs and looked legitimate to many users. Unfortunately I bet lots of users fell for this!
More evidence that Symantec is a great security company protecting its customers across multiple resources. Absolutely, the attack method is not new; however, using a high-reputation company's product to phish will easily be trusted by end users. I think more and more attacks might follow the same pattern with other apps.
It makes you think that no matter how small or big the companies are, it STILL affected them! Thankfully Google were on the ball and stopped it before it spread too far.
The extra info is useful not only for this attack but for other sources as well, and it's always good to double check what has access to your account.
Sorry, I have to disagree w/ those who called this an excellent article. I feel like there should have been more depth brought by Symantec; it's what I expect from them on things like this. Feels like it is just something to stay hot w/ the current news cycle.
I'm surprised there haven't been more OAuth attacks out there. Maybe there are and this one just got big because journalists fell victim to it and started spreading it? Not quite sure.
Very cool to see this in action. We had this attack hit our company and we watched it roll through. Luckily, we were not affected, but it was still a pain to deal with all of the calls that came in as a result of it. This would've been a simple remediation with CloudSOC.
Thanks @Symantec! Great article!
I knew it would be a short amount of time before 'hacks' like this would happen; it's almost too easy. I really look forward to seeing what kind of safe measures are put into effect in the future to help prevent hacks like this.
Thank you Deena for this interesting article and explaining the situation.
Any hack is a serious concern.
The hack doesn't only appear to be affecting Gmail accounts but a range of corporate and business ones that use Google's email service too.
If you think you may have clicked on it, you should head to Google's My Account page. Head to the permissions option and remove the "Google Doc" app, which appears the same as any other.
Regards,
Good message. Several people online across a range of industries said they received emails containing what looked like a link to a Google Doc that appeared to come from someone they know. These, however, were malicious emails designed to hijack our accounts. Don't know where, when and how we can keep track of this.
Good source of news. Google confirmed on Reddit that it has blocked the phishing attack by disabling the fake app's ID, but it's not clear if the company has implemented any long-term solutions against this kind of scam. So just be alert should a similar attack resurface, and as always, don't open links you weren't expecting to receive without being absolutely sure they are legit.
It's shocking and unbelievable. It's not clear who is running the quickly spreading scam or why. But it gives people access to people's most personal details and information, and so the damage may be massive. One-stop action... Don't Trust / Don't Believe / Don't click unwanted and unexpected attachments.
Thanks Deena, an interesting article. I've seen this email and it's pretty convincing; not surprised a large number of people followed the link. Worrying to read that the app could access the data on mail.google.com and googleapis.com/auth/contacts.
Good to see Symantec addressing this, it made the BBC webpages front page! Good advice, thanks Symantec.