The Internet blew up with the latest news about Gmail phishing attack. You have probably read tons of material about this issue and how sophisticatedly it was organized. However, all of this news has likely left you frustrated and without a satisfactory answer to these three questions:
- What was the goal?
- What can we expect?
- What should we do next?
Our security experts give the answers.
Table of Contents
What Was the Goal of Gmail Phishing Attack?
The most intriguing part of the Google Docs phishing attack is that a victim received the email with a phishing link from a person who was familiar to him /her. This increased the hacker’s trustworthiness and their chances of harming a victim. When a person opened the link and granted permissions for his /her account to this malicious application, similar phishing messages were then sent to all his /her contacts. In this way the attack snowballed. However, for the very first emails, the hackers must had the early victim’s contact data. Probably, the attack began even earlier than we think, when hackers started collecting them through some low risk applications or infected computers, or bought them at the darknet.
If we theorize the problem, below you can see the phases of the Intrusion Kill Chain.
Source: U.S. Senate-Committee on Commerce, Science, and Transportation-A “Kill Chain” Analysis of the 2013 Target Data Breach-March 26, 2014
In practice, the stages were realized in the following way:
- Reconnaissance and Weaponization – took place BEFORE May, 3 not noticed by anybody.
- Delivery – the very process of sending phishing emails.
- Exploitation – system’s vulnerabilities included Google Marketplace’s insufficient application quality control and users’ carelessness towards the application that seemed familiar and a sender whom they actually knew.
- Installation – occurred when a compromised user granted access to the malicious application and it connected to his / her account.
- Command & Control – victim’s data are automatically downloaded by the malicious application to a 3rd-party storage location.
- Actions on Objective – by now, we have no data about information destruction, but it can be easily sold at the darknet.
Though it is logical that the ultimate goal of the attack is to steal personal or corporate sensitive data and /or get access to victims’ authorization information, we suspect that this very attack was only a small part of a bigger, even more massive future storming. Presumably, the hackers’ goal was to collect a tremendous number of active Google users data to target them with a new, more dangerous attack, i.e. a new Delivery stage.
What Can Be Expected Now?
The attack was apparently well planned and sophisticatedly organized. It failed mostly because it was too massive in a moment of time. At its peak, the attack was generating about 155 messages per minute. This mass character made Google users and Google pay special attention to it and take appropriate action. In future, if the campaign repeats, it can take more moderate steps. This means that malicious app will have more time to collect huge volumes of sensitive data that can be used for monetization.
Both private and corporate accounts can be infected in this way and as soon as one enterprise account is hacked, all employees may receive the phishing link if the contacts are stored in the Contact list. Imagine that in this way malicious application receives full access to an enterprise’s corporate data.
Machine Learning Detection and Social Response
Google announces that it continues “protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages”. What does this machine learning based detection really mean and did it work properly in Gmail phishing 2017?
First compromised users received phishing mails within their Inboxes. These people would more than likely click on the link. Later victims got the emails in a Spam folder, and the last ones got the mail flagged as potentially dangerous.
Our experts shaped it in the following hypothetical course of actions:
Early victims receive phishing mails in Inbox folders.
Some of them click the link and realize this is spam.
The most savvy of them click the down arrow near the false Google Docs name and see the non-Google developer information or recall that true Google Docs does not require permissions.
People send spam / phishing reports to Google and begin huge buzz in social media.
Google machine learning algorithm analyzes the reports and as their number increases rapidly marks the messages as Spam.
Messages fall into Spam folder but continue to spread.
Google pays attention to abnormal number of reports and warnings spread over the social media and detects the message is phishing and adds special warning label.
Google deletes false Google Docs from the Marketplace and it loses access to all compromised accounts.
Here is how it worked. The attack moved through all stages of cyber attack intrusion but thanks to the users massive response that attracted Google’s attention, in about an hour the application was neutralized and the Command & Control stage stopped working.
What Should You Do?
For those who were compromised in the Gmail phishing 2017 and those who may be compromised in future, remember these obligatory security precautions:
Step 1. We believe that the first step is obvious for you: if you were unfortunate to become a victim of a Google phishing attack of May, 2017 or any future attack that may occur, change your Google password immediately.
Step 2. Switch on the two-step verification for all your employees.
Step 4. You can never be assured that as a result of a phishing attack, only one malicious application was connected to your account. Moreover, sometimes Google does not respond as fast as it did this time and does not delete a malicious app from Google G Suite Marketplace immediately. Until the hacker’s applications appear on the Marketplace (and here was the vivid example of the Marketplace low entry control level), you will never know whether noone of your employees has given them access to your sensitive corporate data.
To protect from future disasters, check applications that have access to your corporate data. For SMB, educational and enterprise G Suite admins we recommend to see not just a list of applications (when there are dozens of them, you may not understand which of them is malicious and which one is trusted) but instead look at the application security score provided by Spinbackup smart algorithms built in Third Party Apps Audit feature, that uses multiple factors to assign a weighted security factor score to every application.
Step 5. Check all suspicious applications holding a low security level. Inspect what kind of application it is, read what kind of access it has, and decide if access should be removed from the risky application by adding it to the blacklist.
Third-party apps provide Google users with a wide range of the advantages but inevitably new security vulnerabilities come alongside the benefits. Spinbackup is somewhat similar to Google Vault, but with much more advanced functions. Don’t put your valuable information at risk, protect your enterprise data it before the disaster occurs.