CloudSOC CASB Gateway


Massive Google Phishing Attack Seen and Remediated by CloudSOC 

May 05, 2017 08:26 PM

There was a very large, sophisticated phishing attack on May 3 that used a malicious third-party application named “Google Docs”. This attack and others like it can be identified, tracked and remediated in CloudSOC.

How users experienced the attack

Users received a phishing email inviting them to view a Google document from one of their contacts. Users who clicked the link were redirected to install a malicious third-party app named “Google Docs”. During installation the user was asked to select a Google account and to grant the malicious app permission to “read, send, delete, manage email” and “manage your contacts”. Once the user authorized these permissions, the app could access the data on mail.google.com and googleapis.com/auth/contacts. The user was then redirected to a fake landing page that could be used for additional phishing messages.

CloudSOC identifies the attack and revokes access

Organizations using CloudSOC will see this malicious application in their Google Securlet dashboard, along with details on the users who authorized the app to access their accounts and a button to automatically revoke the app's authorization for all users.

[Image: CloudSOC Securlet dashboard identifies fake Google Docs app]

[Image: CloudSOC identifies users who have authorized access to fake Google Docs app and offers to revoke this access]

OAuth attacks are not new but growing more common

In today’s world of cloud apps, it is convenient for users to grant third-party apps access to their accounts (email, social media, file sharing, etc.) via OAuth rather than by sharing a password. Google has mitigated this attack, but others like it are growing in popularity. Bad actors are taking advantage of how routine it has become for users to grant access to third-party apps: so routine that many users don’t worry about granting these permissions if the request looks normal. In this case, the app was named Google Docs and looked legitimate to many users. These types of attacks don’t use malware, but CloudSOC provides the visibility and controls needed to remediate them.
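As an added example (not from the post and not CloudSOC's own code), the following Python performs the same kind of check the Securlet dashboard is described as doing: it scans a list of third-party OAuth grants for an app whose display name borrows a Google product name and that holds the mail or contacts scopes named above, then groups the affected users by client ID so the grant can be revoked per app. The record shape and every client ID are constructed assumptions.

```python
"""Added example, not from the CloudSOC post: flag OAuth grants to third-party
apps that display a Google product name and hold the mail/contacts scopes the
post describes, then build a per-client-ID revocation list."""
from collections import defaultdict

# Scopes the post says the fake "Google Docs" app obtained.
SENSITIVE_SCOPES = {"https://mail.google.com/",
                    "https://www.googleapis.com/auth/contacts"}
# First-party product names a third-party OAuth client has no reason to use.
IMPERSONATED_NAMES = {"google docs", "google drive", "gmail"}

# Constructed sample grants; keys loosely follow the Admin SDK Directory API
# "tokens" resource (an assumption, not a real export). Client IDs are placeholders.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "displayText": "Google Docs",
     "clientId": "CONSTRUCTED-CLIENT-ID-EVIL", "scopes": sorted(SENSITIVE_SCOPES)},
    {"userKey": "bob@example.com", "displayText": "Google Docs",
     "clientId": "CONSTRUCTED-CLIENT-ID-EVIL", "scopes": ["https://mail.google.com/"]},
    {"userKey": "carol@example.com", "displayText": "Acme Expense Tracker",
     "clientId": "CONSTRUCTED-CLIENT-ID-ACME",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
    {"userKey": "dave@example.com", "displayText": "  GOOGLE docs ",  # casing/spacing variant
     "clientId": "CONSTRUCTED-CLIENT-ID-EVIL",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
    {"userKey": "erin@example.com", "displayText": "Google Docs",  # allowlisted internal client
     "clientId": "CONSTRUCTED-CLIENT-ID-INTERNAL", "scopes": ["https://mail.google.com/"]},
]


def is_consent_phish(grant, known_clients=frozenset()):
    """Name mimics a Google product, client is not allowlisted, and at least
    one sensitive scope was granted. Whitespace and case are normalised."""
    if grant.get("clientId") in known_clients:
        return False
    name = " ".join(grant.get("displayText", "").lower().split())
    return name in IMPERSONATED_NAMES and bool(
        set(grant.get("scopes", [])) & SENSITIVE_SCOPES)


def revocation_plan(grants, known_clients=frozenset()):
    """Map each suspicious clientId to the sorted users whose grant to revoke.
    Revocation is keyed on client ID, not display name, because the display
    name is exactly what the attacker controls."""
    plan = defaultdict(set)
    for grant in grants:
        if is_consent_phish(grant, known_clients):
            plan[grant["clientId"]].add(grant["userKey"])
    return {cid: sorted(users) for cid, users in plan.items()}
```

Feed it the real token export for your domain and pass your organisation's own client IDs as known_clients; anything left in the plan is what the dashboard's "revoke for all users" button would act on.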



Comments

Jul 06, 2017 08:19 AM

What’s even scarier than that, the page has a very real-looking Google.com URL and clicking on a link to Google Docs appears to confirm the page’s authenticity. It gets worse. That page invites you to choose which account you’d like to use to view the Google Doc, and then you’re taken to a page that invites you to grant access to your Google Account. It’s still unclear who’s behind this attack, and we might never know, but I will definitely make sure that I don’t click on any Google Doc links for the rest of the week.

Jun 05, 2017 01:37 PM

Thank you very much for the article. That is what happens when you use GOOGLE instead of Microsoft, hahaha, just kidding. This type of security flaw really is worrying; however, it is good to have products that make information more and more secure.

Jun 05, 2017 11:04 AM

Truly interesting and scary. Phishing is always the main entrance point for an intruder to enter your system. Don't know why users are still unaware of this and click something they don't know or trust. Hackers are smart to find new ways to lure users. Please be alert and save yourselves.

Jun 05, 2017 03:52 AM

This is a really interesting and cunning attack; nice to see that Symantec picked this up. I'm sure that a lot of users got caught by this one. I'd like to hope that this exploit has been closed and Google have thought about better protection for their users.

May 29, 2017 04:39 PM

There is so much of this type of exploit hitting our machines these days.  The only safe response is to ignore any incoming emails from unknown sources, or read emails using webmail in text mode only.  If in doubt, a virtual machine can be used, and then immediately reset to the previous snapshot to destroy any payload.

May 29, 2017 11:28 AM

Interesting that CloudSOC was able to stop the attack, but the catch is the need for user training. This is a never-ending issue; there will always be various ways to fool users. We also see the importance of the SOC.

Here is an interesting link:


pic.twitter.com/l6c1ljSFIX

Regards

May 25, 2017 01:53 PM

Wow, this is beyond new to me!  I was not aware that third-party apps could do so much with the authentication they're given through Oauth.  I'm definitely sharing this with family members and friends to keep them on their toes!

~Thanks Symantec!


May 22, 2017 05:52 AM

Both scary and great to see this, well done Symantec with CloudSOC, front page news! Even Google isn't infallible.

May 19, 2017 10:10 AM

Good article read.

Good to see that information like this is being pushed out to users to become more aware of all these attempts to get to your data.

Glad to see the CloudSOC is getting the job done.


Thanks

May 18, 2017 12:35 PM

Whenever there is a friendly and simple user interface, it is much more practical for network administrators to manage the services. As for the product, it is one of those where Symantec is always at the forefront in technology and application to achieve the level of quality that the Symantec brand represents.


May 18, 2017 10:35 AM

Thanks for this documentation about the Google Docs attack.  This is another example of how easy it is to create confusion on the user side. Just send a generic email and ask them to click a link. We have to push more information to end users and try to educate them to stay safe in all actions done using the normal office applications: think before you click!

May 17, 2017 01:50 AM

Shocking. These types of attacks are the roots of financial and IP data loss. Users, though many times made aware, click unwanted emails and marketing campaigns of high-end goods selling at cheap prices... in the background malware does its work and finally the user keeps crying. Either ransomware-like viruses or some other data hacks make their life miserable. Whom to blame?... I believe it all goes to the USER who is using the system. Get the IT Literacy UP UP UP!!!

May 16, 2017 01:16 PM

Phishing attacks obviously rely on a majority of the receiver to click on the link or malicious file then follow directions innocently to infect themselves.  This is and will continue to be a scary thing as most people are trusting especially if just by performing a quick glance, the e-mail seems to come from a trustworthy source.  The other scary part is that you have cloud storage providers such as Google and Microsoft who do not perform normal checks and balances to ensure the files being stored on their managed environment are safe; this is typically a service they charge for, for big business.  This is where companies like Symantec come in so they can fill that void and help protect the end users properly.

May 16, 2017 01:23 AM

Using Google Docs to phish users is very scary, as people will easily fall prey to that and give access to email and contacts.. :(

CloudSOC is acting as saviour in this situation. Well Done CloudSOC. Email Security is very very important these days, be it, work email or personal email. Thank God Symantec is there :)

May 15, 2017 05:05 PM

This is one of the many reasons why i am so hesitant when it comes to emails. So many phishing campaigns going on all the time trying to harvest contacts, credentials, PII, etc... Fear the internet is the best way to traverse the internet. So many basic users getting taken advantage of every day. This is at least creating job security for me. (glass half full)

May 12, 2017 03:12 PM

It's surprising (from a security professional perspective) to see how many people still fall for these attempts/attacks.  At the same time, it's nice to see that security vendors are taking these, sometimes one-off, attacks seriously and providing methods to mitigate.  Having these capabilities should put customers' minds at ease.  Thanks Symantec!

May 12, 2017 08:58 AM

Quite an oversight from Google to allow any name at all for the app, or not showing the author; it's interesting to see another one similar to the embedded image that looks like a download.

May 11, 2017 11:50 AM

Good way to market Symantec CloudSOC as well as expose an attack :)

The attack was a nice one too, using the exact same name as a legitimate app and also possibly using similar file fingerprints to get away from IPS/IDS and antivirus scanners.

The pain point I see here is that although it spreads through company networks, it can affect most personal accounts, since the majority of users in my region are using Gmail for personal use and only a handful of companies are using Google for Work. What's even worse, an IT support team will be forced to deal with personal losses.

May 10, 2017 09:30 AM

It didn't take Symantec long to add the zero day in to their definition database. Unfortunately since it was a new threat, nobody had protection in place. That particular email went to 40 of our users. Out of the 40, 2 people opened and clicked the link. Good thing our incident response was able to block and remediate the threat. Looks like we still need people as a line of defense as a layer.

May 10, 2017 07:52 AM

It's good to see a proactive response. Thankfully it seems that Google have been pretty quick on blocking the vulnerability as well. Login systems like the one used will always be a target as it plays on a familiar method that users trust. Convenience, in this context, comes at a cost.

May 10, 2017 05:11 AM

We are all very lucky that most malware authors / phishers generally have little imagination.  This one however is different - it is simple programmatically, but uses well thought through deception techniques right out of the book of a street magician.  I'm pleased that this was spotted and mitigated quickly, but the arms-race will only get more and more heated as the protagonists involved get more ingenious with the social manipulation.

May 10, 2017 03:16 AM

Thanks for the article. Very concerning especially as the app was named Google Docs and looked legitimate to many users. Unfortunately I bet lots of users fell for this!

May 09, 2017 10:26 PM

More evidence to prove Symantec is a great security company that protects its customers across multiple resources. Absolutely, the attack method is not new; however, using a high-reputation company's product to phish will be easily trusted by end users. I think more and more attacks might follow the same pattern with other apps.

May 09, 2017 08:05 PM

We pushed a communication right away and haven't seen anything. Also blocking at the web proxies and updated AV sigs. Hopefully companies aren't allowing Google Docs if it's not approved.

May 09, 2017 04:52 PM

It makes you think that no matter how small or big the companies are, it STILL affected them! Thankfully Google were on the ball and stopped it before it spread too far.

The extra info is useful not just for this attack, but for other sources as well, and it's always good to double check what has access to your account.

May 09, 2017 04:35 PM

Sorry, I have to disagree with those who called this an excellent article.  I feel like there should have been more depth brought by Symantec; it's what I expect from them on things like this.  Feels like it is just something to stay hot with the current news cycle.

I'm surprised there haven't been more OAuth attacks out there.  Maybe there are and this one just got big because journalists fell victim to it and started spreading it?  Not quite sure.

May 09, 2017 04:28 PM

Very cool to see this in action. We had this attack hit our company and we watched it roll through. Luckily, we were not affected, but it was still a pain to deal with all of the calls that came in as a result of it. This would've been a simple remediation with CloudSOC.

May 09, 2017 09:31 AM

Thanks for making everyone aware of this! It's great to see how these attacks are found and responded to. Keep up the great work.

May 09, 2017 09:29 AM

Thanks @Symantec!  Great article!

I knew it would be a short amount of time before 'hacks' like this would happen; it's almost too easy.  I really look forward to seeing what kind of safe measures are put into effect in the future to help prevent hacks like this.  

May 09, 2017 06:56 AM

Thank you Deena for this interesting article and explaining the situation.

Any hack is a serious concern.

The hack doesn't only appear to be affecting Gmail accounts but a range of corporate and business ones that use Google's email service too.

If you think you may have clicked on it, you should head to Google's My Account page. Head to the permissions option and remove the "Google Doc" app, which appears the same as any other.

Regards,


May 09, 2017 06:14 AM

Good Message. Several people online across a range of industries said they received emails containing what looked like a link to a Google Doc that appeared to come from someone they know. These, however, were malicious emails designed to hijack our accounts. Don't know where, when and how we can keep track of this.

May 09, 2017 06:01 AM

Good Source of News. Google confirmed on Reddit it has blocked the phishing attack by disabling the fake app’s ID, but it’s not clear if the company has implemented any long-term solutions against this kind of scam. So just be alert should a similar attack resurface, and as always, don’t open links you weren’t expecting to receive without being absolutely sure they are legit.

May 09, 2017 05:55 AM

It's shocking and unbelievable. It's not clear who is running the quickly spreading scam or why. But it gives people access to people's most personal details and information, and so the damage may be massive. One stop action... Don't Trust / Don't Believe / Don't click unwanted and unexpected attachments.

May 09, 2017 05:50 AM

Thanks Deena, an interesting article. I've seen this email and it's pretty convincing; not surprised a large number of people followed the link. Worrying to read that the app could access the data on mail.google.com and googleapis.com/auth/contacts.

May 09, 2017 05:46 AM

Good to see Symantec addressing this, it made the BBC webpages front page! Good advice, thanks Symantec.
