Last week Google Docs users were hit by a nasty phishing scam that impersonated real accounts. Although Google contained the attack, which affected a good number of Gmail users, security firm Sophos says it was an abuse of Google's own APIs, since the emails appeared to come from Google itself.
Open developer platforms built on OAuth have been exposed to this kind of attack for a long time, and the onus is on Google to do a better job of vetting application developers. This is no different from the abuse of the Google Play store by malware authors.
“There is very little individuals can do other than be forever suspicious about legitimate requests from services provided by Google, Twitter, Facebook and other online services that use OAuth with an un-vetted application developer program. Twitter’s users were attacked using these techniques a few years back. Unfortunately, Google has also fallen victim to a similar attack vector”, says Chester Wisniewski, Principal Research Scientist at Sophos.
When official Google emails and genuine Google login pages are used in scams, the goodwill Google has earned from its users is put at risk. All OAuth providers have a responsibility to police the use of their platforms so that users are not tricked by requests that arrive through the official channels of services like Google, Twitter and Facebook.
Sophos suggests that users keep an eye on social media: as the Google Docs phishing attempt demonstrated, Twitter is a great early-warning system. According to Wisniewski, users should check which apps have access to their accounts and remove anything suspicious, on every OAuth-based platform. For Google, this is under your Google account -> Sign-in & Security -> Connected apps & sites. On Twitter and Facebook it is Settings & Privacy -> Apps.
Here's how this type of attack worked:
- Users get a real email from Google saying someone wants to share a file with them.
- They are directed to a real Google login page and sign in.
- They are then told that an "add-on" wants access to their mail and contacts. The developer name is listed as "Google Docs", but it could say anything (this is where Google could do more to prevent this).
- The only way to check whether the request is genuine is to click on "Google Docs" and see the actual account making the request, but that too could say many believable things, and there is no specific thing to watch for.
The only reliable way not to fall victim is to never accept apps that connect to your account and request read/write access to your mail and contacts, or just about anything else they might ask for, unless you are specifically trying to hook into a new service, and even then you may not be able to trust it. When attacks like this happen, it is a good reminder to go back to your social media accounts, review which applications you have given permission to access your information, and revoke permission for any app you no longer trust or use.
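The consent screen in the flow above is reached through an OAuth authorization URL, and the parameters of that URL (client_id, redirect_uri, scope) are the one place where the breadth of access being requested and where the resulting token will be sent are visible, whatever name the developer chose to display. The following script is an added example, not code from the article or from Sophos: it parses such a URL and applies the rule the article gives, refusing any request for read/write access to mail and contacts from an app you did not deliberately set up, and flagging an app that calls itself "Google" while delivering the authorization code to a non-Google host. The scope URIs are real Google scope strings; the client IDs, redirect hosts and the "trusted client" allow-list are constructed for the example.

```python
"""Triage a Google OAuth consent request before clicking "Allow".

Added example; not part of the original article. The sample URLs, client_ids
and redirect hosts below are constructed, and the trusted_client_ids allow-list
is a hypothetical list the reader would maintain themselves.
"""
from urllib.parse import urlparse, parse_qs

# Real Google OAuth scope URIs that grant the kind of access the attack asked for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/write/delete access to Gmail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}


def _is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")


def triage_consent_request(url, displayed_app_name="", trusted_client_ids=()):
    """Parse an OAuth authorization URL and decide whether to click Allow.

    displayed_app_name: the name shown on the consent screen (it is not in the URL).
    trusted_client_ids: client_ids of apps the user deliberately connected
                        (hypothetical allow-list assumed for this example).
    Returns a dict with the parsed fields, a list of warnings and a decision:
    "deny"   - high-risk scopes requested by a client you did not set up,
    "review" - something looks off, read the warnings before deciding,
    "ok"     - nothing in the request contradicts what you expected.
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    # Google scopes are space-separated inside a single "scope" parameter.
    scopes = params.get("scope", [""])[0].split()
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
    warnings = []

    if parsed.hostname != "accounts.google.com":
        warnings.append(f"consent page is not served by Google: {parsed.hostname}")
    for s in risky:
        warnings.append(f"asks for {HIGH_RISK_SCOPES[s]} ({s})")
    # The displayed name is free text chosen by the developer; the redirect host is not.
    if "google" in displayed_app_name.lower() and redirect_host and not _is_google_host(redirect_host):
        warnings.append(
            f"calls itself '{displayed_app_name}' but would deliver the authorization code to {redirect_host}"
        )
    untrusted = client_id not in trusted_client_ids
    if untrusted:
        warnings.append(f"client_id {client_id or '<missing>'} is not an app you connected on purpose")

    if risky and untrusted:
        decision = "deny"
    elif warnings:
        decision = "review"
    else:
        decision = "ok"
    return {
        "client_id": client_id,
        "redirect_host": redirect_host,
        "scopes": scopes,
        "risky_scopes": risky,
        "warnings": warnings,
        "decision": decision,
    }


# Constructed sample: the shape of the request described in the article
# (mail + contacts scopes, token delivered outside Google), not the real attacker's URL.
PHISH_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs.example.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

# Constructed sample: a narrowly scoped app the user installed on purpose.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=111111111111-calendar.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fcalendar.example.invalid%2Foauth"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
)
TRUSTED = ("111111111111-calendar.apps.googleusercontent.com",)

if __name__ == "__main__":
    for name, url, shown in (("phish", PHISH_URL, "Google Docs"),
                             ("benign", BENIGN_URL, "Example Calendar")):
        result = triage_consent_request(url, shown, TRUSTED)
        print(f"{name}: {result['decision']}")
        for w in result["warnings"]:
            print("  -", w)
```

The decision rule is deliberately blunt: any request for full mail or contacts access from a client you did not register yourself is denied outright, which is exactly the posture the article recommends. The name check only catches the specific trick used here (a developer name that impersonates Google); a phishing app could just as well pick a plausible third-party name, which is why the scope check, not the name check, drives the "deny" verdict.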