As a G Suite domain administrator, have you ever thought how often password cracking attempts are made on your account at Google? Are you even aware if an unauthorized attempt to access your account has taken place?
The Google admin console is a very useful feature of G Suite that can be put to good use by IT administrators in businesses, schools, and other organizations. From the admin console it is possible to manage several administrative tasks, however the power it gives also means that it can be very dangerous if it falls into the wrong hands.
Have you ever thought what happens with users and data if a cyber-criminal can somehow access your G Suite admin account?
The Problem: Unauthorized Access to G Suite Admin Account
Recently, one of our clients came very close to being a victim of cyber-criminals, after they attempted to access his G Suite administration account in an unsophisticated but nevertheless dangerous way.
If successful, this attack could have caused untold damage to the company including data loss or data breaches that may have involved confidential client or personal employee data.
In the case, hackers managed to identify the Super Admin account of the domain. They organized 19 attempts to crack the Google account password. Password cracking is a method of recovering passwords that are stored in encrypted format. While there is no way to decrypt the password, software or humans can attempt to guess the password and compare the encrypted version of the guesses against the stored value.
Software password crackers usually work via a “brute force” method that will systematically check every possible password combination until a match is found. This can take some time but given long enough, the password will eventually be found. Short passwords and those made up from common word and number combinations can be found very quickly using this method.
If a human is attempting to guess the password, they may first research the user by finding out information via personal websites and social media accounts. This method can also be very successful, as many people use passwords based on easy-to-obtain data such as their birth date or spouse’s name.
Once the password is cracked, a hacker needs simply to log in with the admin username and password, and the entire Google admin console will be at his / her disposal.
Luckily, in this case, the potential victim was already using the Spinbackup cybersecurity service. This service detects suspicious activity such as an abnormal number of incorrect logins, and an alert is sent to the user, warning that an attack may be underway.
You can see in the image that a high number of attempted logins to G Suite were made. A failed login in itself is not suspicious, as this can easily occur when the user mistypes or forgets his / her password. This is why the action is assigned a “low” risk level. Each action can be selected to view a pop-up with more detailed information, as in the screenshot below:
However it is the number of failed logins within a short space of time that triggers the suspicious activity warning. These warnings may be sent to any email address, and / or to Slack, depending on the settings chosen in Spinbackup.
The Solution: Immediate Detection and Protection Response
The first part of defence against this kind of hacking attack is to detect the attempt in the first place. We have already seen how Spinbackup can detect suspicious login activity that may be indicative of an impending attack. The next step is to secure your account from further attacks (as well as password cracking, it is possible that other methods of hacking into an account may be attempted once an account has been targeted for attack).
- Immediately change the password
- Assign super administrator role to another user
- Turn on 2-Step Verification
- Use the hacker’s IP (identified by Spinbackup), to determine the Internet provider of this individual and send a complaint of the malicious activity
- Add the hacker’s IP to the blacklist.
Spinbackup is currently working on implementing a new security feature that will automatically block the IP after a suspicious number of login attempts.
Defending G Suite From Malicious Attacks
This case is just one case that illustrates the issue of unauthorized access to the G Suite admin account and how this may potentially lead to immense losses for the company.
If a regular G Suite user account is hacked, only this individual user’s G Suite data might be deleted and / or stolen. If the Super Admin account is hacked, all domain users’ accounts and their data could be deleted, i.e. cyber-criminals could gain access to ALL corporate information. In addition to the possibility of all corporate data being stolen, there is also a significant chance that it could be lost forever if there is no automatic backup system in place.
Google does send automatic alerts about suspicious login attempts, however this is not always useful as the alerts are sent only to the account that is under attack. If this attack takes place at night while nobody is checking the mailbox, there is a strong possibility that hackers could gain access to the account before these alerts are seen and delete all notification emails.
The solution to this issue is to use the Security Alerts feature in Spinbackup, set to all risk levels for several emails and slack.
The corresponding warning message from Spinbackup looks like this:
If you ever receive a warning message in this format from Spinbackup, you should respond immediately by taking the steps listed above to secure your account.
According to IBM, there are 1.5 millions cyber attacks each year, which is about 4,000 attacks per day. Juniper Research predicts they will cost businesses $2.1 trillion in 2019. Increasing users’ awareness of most popular and dangerous cyber attack cases can help to fight the problem.
If you have faced any similar issues involving attacks on your G Suite account, please share your case with Spinbackup and the community. Describing the situation, the actions you undertook, and the ultimate result of the hackers’ attempt, can help other users to protect themselves from similar attacks in the future and give Spinbackup more information about attacks that can help improve threat detection and response in future.
2,121 total views, 15 views today