On May 3, 2017, a massive phishing attack targeted Google Docs, and anyone with a Gmail account was a potential victim. Luckily, Google was able to quickly shut down the attack with only 0.1% of Gmail users being affected. However, this sophisticated phishing attack shows the savviness of hackers and their ability to trick even the world’s most technically advanced companies.
This was no ordinary phishing attack. Normally, a phishing attack sends users to a fake website to deceive them into typing their password or other compromising data, giving the hacker access to any sensitive information. In this case, the phishing emails were designed to look like a Google Doc sharing invite. When the user clicked, they were taken to a fake Google page that asked them for permission for an app to access the Doc. If users granted that permission (see example image), the hackers had the opportunity to gain access to the user’s account.
The hackers were successful in their attack by using the OAuth protocol, which is a way for users to authorize third-party apps to access the information they keep with services like Google, Facebook and Twitter. OAuth does not share password information; instead, it uses special access tokens. In this case, the hackers built their own app, presented as Google Docs, to gain access to the account. By granting the fake app permission, the users unknowingly gave the hackers access, all without ever entering a password.
What Can You Do?
While only 0.1% of Google’s 1 billion users were affected before Google shut down the attack, it is important to know what to look for to prevent your users from falling victim to a phishing scam.
- Be wary of suspicious-looking emails; many phishing attacks arrive as email attachments or links.
- If you are unsure about an email, look at who it is “From” before opening it. Better yet, examine the email headers to verify the sender and domain.
- Never open an email attachment from someone you don’t know.
- Check which permissions third-party apps have been granted on your account and in your browser.
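The header check suggested above can be automated. The following is an added example, not code from the original post: it parses the sender-related headers of a raw message with Python's standard `email` module and lists the red flags a reviewer would look for, namely a display name that invokes Google on a non-Google address, a bounce path (Return-Path) whose domain disagrees with the From domain, and SPF or DKIM results that are anything other than "pass". Both sample messages, their addresses and the `Authentication-Results` line are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message). The visible sender name
# claims to be Google Docs, but the address, the bounce path and the
# authentication results added by the receiving server all say otherwise.
SAMPLE_SUSPICIOUS = """\
Return-Path: <bounce@mail.example.invalid>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example.invalid; dkim=none
From: Google Docs <share@docs-invite.example.invalid>
To: victim@example.org
Subject: A document has been shared with you

Open in Docs
"""

# Constructed sample of what a genuine share notification's headers look like:
# sender domain, bounce path and SPF/DKIM results all agree.
SAMPLE_CLEAN = """\
Return-Path: <drive-shares-noreply@google.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com
From: Alice Example via Google Drive <drive-shares-noreply@google.com>
To: victim@example.org
Subject: Document shared with you

Open
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _within(domain: str, parent: str) -> bool:
    """True if domain is parent or a subdomain of it (a look-alike suffix does not count)."""
    return domain == parent or domain.endswith("." + parent)


def _auth_result(auth_header: str, method: str) -> str:
    """Extract e.g. the 'spf=' or 'dkim=' verdict from Authentication-Results."""
    m = re.search(r"\b%s=(\w+)" % method, auth_header)
    return m.group(1).lower() if m else "missing"


def audit_headers(raw: str) -> dict:
    """Pull the sender-related headers out of a raw message and list red flags."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    from_domain, rp_domain = _domain(from_addr), _domain(rp_addr)

    auth = msg.get("Authentication-Results", "")
    spf, dkim = _auth_result(auth, "spf"), _auth_result(auth, "dkim")

    findings = []
    # A friendly name mentioning Google on an address outside google.com.
    if "google" in display.lower() and not _within(from_domain, "google.com"):
        findings.append("display name invokes Google but From domain is " + from_domain)
    # Bounce path and visible sender domain should belong to the same party.
    if rp_domain and not (_within(rp_domain, from_domain) or _within(from_domain, rp_domain)):
        findings.append(f"Return-Path domain {rp_domain} does not match From domain {from_domain}")
    if spf != "pass":
        findings.append("SPF result is " + spf)
    if dkim != "pass":
        findings.append("DKIM result is " + dkim)

    return {
        "display_name": display,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "spf": spf,
        "dkim": dkim,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        result = audit_headers(sample)
        print(label, "->", result["findings"] or ["no red flags"])
```

The Authentication-Results header is only trustworthy when it was added by your own receiving mail server, so in practice the check should key on that server's identifier (here `mx.example.org`) and ignore copies of the header that arrived with the message.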
If you think your users have fallen for the Google phishing scam, you can revoke the app’s access to their accounts. Google has already taken steps to ensure everyone affected is no longer vulnerable to hackers.
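Reviewing and revoking app grants across many accounts is easier with a script. The following is an added example, not code from the original post or from Google: it audits a list of OAuth grants and produces the (user, client ID) pairs an administrator would revoke. The record shape (`userKey`, `clientId`, `displayText`, `scopes`) is modelled on what the Google Admin SDK Directory API returns for a user's tokens, but the grants, client IDs and the approved-app allowlist are all constructed for illustration. A grant is flagged when an app that is not on the allowlist either uses a Google product name as its display text or holds broad mail or contacts scopes.

```python
# Constructed sample of OAuth grants, shaped like the per-user token records
# the Google Admin SDK Directory API returns. All values are made up.
SAMPLE_GRANTS = [
    {
        "userKey": "alice@example.org",
        "clientId": "111111-legit.apps.googleusercontent.com",
        "displayText": "Acme Calendar Sync",
        "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
    },
    {
        "userKey": "bob@example.org",
        "clientId": "999999-unknown.apps.googleusercontent.com",
        "displayText": "Google Docs",
        "scopes": [
            "https://mail.google.com/",
            "https://www.googleapis.com/auth/contacts",
        ],
    },
    {
        "userKey": "carol@example.org",
        "clientId": "111111-legit.apps.googleusercontent.com",
        "displayText": "Acme Calendar Sync",
        "scopes": ["https://mail.google.com/"],
    },
]

# Hypothetical allowlist of client IDs the organisation has vetted.
APPROVED_CLIENT_IDS = {"111111-legit.apps.googleusercontent.com"}

# Scopes that give an app broad access to mail or contacts; high-risk when
# held by an app that is not on the allowlist.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
}

# Display names a third-party app has no business using. A first-party
# product name on a non-allowlisted client ID is the pattern of the attack
# described above.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google", "gmail"}


def classify_grant(grant: dict) -> list:
    """Return the reasons one grant should be reviewed (empty list = fine)."""
    reasons = []
    approved = grant["clientId"] in APPROVED_CLIENT_IDS
    if approved:
        return reasons
    name = grant.get("displayText", "").strip().lower()
    if name in GOOGLE_PRODUCT_NAMES:
        reasons.append("third-party app uses a Google product name: " + grant["displayText"])
    held = set(grant.get("scopes", [])) & SENSITIVE_SCOPES
    if held:
        reasons.append("unapproved app holds sensitive scopes: " + ", ".join(sorted(held)))
    return reasons


def find_risky_grants(grants: list) -> list:
    """Audit every grant; return the ones needing review together with the reasons."""
    risky = []
    for g in grants:
        reasons = classify_grant(g)
        if reasons:
            risky.append({"userKey": g["userKey"], "clientId": g["clientId"], "reasons": reasons})
    return risky


def revocation_list(grants: list) -> list:
    """Sorted (userKey, clientId) pairs to revoke; each pair identifies one
    token the administrator deletes for that user."""
    return sorted({(r["userKey"], r["clientId"]) for r in find_risky_grants(grants)})


if __name__ == "__main__":
    for r in find_risky_grants(SAMPLE_GRANTS):
        print(r["userKey"], r["clientId"])
        for reason in r["reasons"]:
            print("   -", reason)
    print("revoke:", revocation_list(SAMPLE_GRANTS))
```

In the sample, Carol's grant holds the full-mail scope but is on the allowlist, so it is left alone; Bob's grant is flagged on both counts and is the only one in the revocation list. The output pairs are what you would feed to the admin console or the token-deletion API call for each affected user, after which the user should be told why the app was removed.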