A fake shared Google Doc is the latest phishing attack tactic. How did this exploit work, and what does it mean for business network security?

Do not click on suspicious links in emails, even if they were sent from a recognised email address. They could be phishing attempts from hackers looking to gain control over your online identity.

That’s the harsh lesson that greeted countless people who were targeted by a sophisticated phishing scam on May 3, 2017. While people like to think that phishing emails are clumsy, awkwardly worded and easy to spot, this particular attack was far more intricate.  This attack used precisely worded and formatted emails to gain access to use permissions on victims’ Google accounts.

Let’s take a closer look at how the attack went down and what it means for Australian business network security.

What was the attack?

On Wednesday morning, affected Gmail users were greeted by an email that looked as though it was from someone they knew, with the subject line, “X has shared a document on Google Docs with you”. Opening up the email brought victims to a message that looked nearly identical to an official message from Google Docs, including the familiar “Open in Docs” button. Here’s what happened when people clicked on the button:

Much like URL spoofing attacks, this exploit tries to convince users that the application they’re on is official – when it’s a cleverly disguised third-party platform designed to gain use permissions on their account. In this case, users who accepted use permissions from the illicit ‘Google Docs’ gave the fraudulent app full access to their contacts list and inbox. This paved the way for the phishing attack to spread, sending similar malicious emails to others in the victim’s contact list.

Fortunately, the real Google Docs team responded quickly to the widespread attack and took action to prevent similar attacks in the future.

Cyberattackers are quick to respond to a challenge, and even quicker to take advantage of security weaknesses. Other platforms outside of the Google suite, for instance, could find themselves the target of copycat attacks in the future. For that reason, it’s important to understand how this phishing attempt works and what further risks it could pose.

How does the attack work?

Many web services use a Google interface called OAuth (Open Authentication) to grant specific access permissions on your account to a third-party service provider without giving them your full login credentials. This generally leads to more convenience online without too much of a compromise on security.

However, convenience is the enemy of security. The risk with OAuth, as we saw with this phishing attack, is that malicious third parties can use the official OAuth interface to trick users into granting them access permissions by disguising themselves as the legitimate service provider.

This incident illustrates just how advanced phishing attacks have become, further highlighting the importance of strong cybersecurity protections and a healthy sense of suspicion online.

What’s the ongoing risk?

While the Google team has taken steps to address this cyberthreat, it is not the only platform that uses authentication protocols for more convenient login procedures. Most major service platforms use OAuth or similar interfaces. It’s just a matter of time before another malicious actor finds a similar exploit for these systems.

After news of this attack spread, many snapped into high-alert mode when checking their emails. This is a good response to cyberthreats, but a more effective approach is to always practice strong cybersecurity habits – including proactively being on the lookout for suspicious emails and notifications.

For businesses – which risk operational and reputational damage should they fall victim to cyberattacks -strong network security is a must. On-going education and training that help individuals to recognise and react appropriately to phishing attempts is key, but so is having an IT infrastructure that enables and enforces strong security.

Telarus has a long history of providing trusted network security solutions across Australia and New Zealand. To learn more about securing your organisation’s IT, contact us today.