As a Google Workspace (formerly G Suite) domain administrator, have you considered how frequently your account may be targeted for password-cracking attempts? Are you even aware if an unauthorized attempt to access your account has taken place?

The Google admin console is akin to a powerful control center within Google Workspace, providing administrators with a valuable toolset. Yet, its formidable capabilities can become a potent risk if entrusted to the wrong hands. Just as a skilled conductor directs an orchestra, responsible administration ensures harmony in an organization’s system, but any misstep in the administrator’s account could lead to a discordant outcome.

If a regular Google Workspace user account is hacked, it may result in unauthorized access to this user’s data, and emails, and potentially lead to a data breach or identity theft. On the other hand, when an administrator’s account is hijacked, it grants the attacker elevated privileges, enabling them to manipulate critical settings, access sensitive business data, and potentially compromise the entire system. The consequences of administrator account hijacking extend beyond individual privacy, impacting the overall security and functionality of the organization’s Google Workspace environment.

Have you ever thought about what happens with users and data if a cyber-criminal can somehow access your G Suite admin account? Let’s see the common methods used in Google Workforce admin account hijacking and learn how to solve this issue.

Understanding the Problem: common methods used in admin account hijacking

Account hijacking, by definition, refers to the unauthorized access and takeover of an individual’s online account(s). This form of identity theft involves cybercriminals assuming one’s identity to gain entry into an online account. Typically criminals hijack financial accounts to gain immediate reward, although more sophisticated hijacking attempts target administrative accounts like Google Workspace Console. The surge in the number of online accounts paralleled an increase in their attractiveness to cyber criminals.

The aboEgress’ Email Security Risk Report 2024 found that more than half (58%) of organizations surveyed suffered account takeovers in 2023, of which 79% came from credentials harvested through phishing.

Phishing and Social Engineering

Phishing is a type of social engineering attack in which the attacker deceives a user into revealing their login credentials or other sensitive information. This might involve sending a fake email or website that looks legitimate but is a covert attempt to steal the victim’s information. The common examples of a phishing attack look like “Your bank account has been locked! Please login to resolve this issue!” The aim is to instill a sense of urgency into the user and trick them into giving sensitive information.

Malware: Malware is a type of software designed to cause damage to a computer or steal information. Some types of malware are specifically designed to target login credentials and can be used to gain unwanted access to a personal account. Formbook is an example of such malware which harvests credentials from various web browsers, makes screenshots, monitors and logs keystrokes, and can even upload and execute files according to orders from its C&C. For instance, a hacker might try to hijack your cloud account (like Google Workspace) by installing malware on your laptop, tablet, or phone that captures your login information automatically. This then allows them to retrieve your files and other documents.

Password cracking: Password cracking involves the use of specialized software by an attacker to attempt to guess the victim’s password. This can include trying a list of commonly used passwords or employing dictionary and/or brute force attacks, as explained further below. After successfully cracking the password, the hacker only has to log in using the admin username and password, granting them complete control over the Google admin console.

The most frequently exploited types of password cracking are dictionary attacks and brute force attacks.

The dictionary attack involves trying a pre-arranged list of words, such as a dictionary, as passwords. These lists are often created by compiling common passwords or by combining a list of words found in a dictionary. The attacker tries each word in the list to guess the password.

Software password crackers usually work via a “brute force” method that will systematically check every possible password combination until a match is found. Usually, an automated program works its way through these endless character combinations, starting with the most common. This can take some time but given long enough, the password will eventually be found. Short passwords and those made up of common word and number combinations can be found very quickly using this method.

A recent but impactful password-cracking attack involved Norton Lifelock Password Manager. Despite being a big name in the cyber security space, Norton was hit by a brute force that saw threat actors using stolen credentials to log into customer accounts and access their data. Over 925,000 people were targeted.

Credential stuffing.

Okta’s 2023 State of Secure Identity Report reveals that credential stuffing attacks boomed in 2023; On the ‘busiest’ day for credential stuffing attempts, the identity and access management firm identified more than 27 million such events on its platform. On January 1, more than 46% of login attempts were attributed to credential stuffing.

Physical access

In some cases, the attacker might simply try to gain physical access to your computer or device to steal their login credentials or install malware. Do you have a document on your desktop conveniently labeled PASSWORDS that does in fact contain all your passwords? It’s like Christmas for hackers if you serve up gifts like that.

Best Practices for Google Workspace Admin Security

To enhance the security of your organization’s Google Workforce admin accounts and minimize the possibility of threat occurrence follow these Google security best practices for administrator accounts:

Use two-step verification (2SV). If someone manages to get the admin password, 2SV helps protect the account from unauthorized access. It is of paramount importance for super admins as their accounts control access to all business and employee data in the organization. It is also necessary to use security keys – small hardware devices that are used for second-factor authentication. They help to resist phishing threats and represent the most secure type of two-step verification.

Monitor activity on admin accounts. Monitor admin actions and identify potential security risks by configuring email alerts for specific events, like suspicious sign-ins, compromised mobile devices, or changes made by another admin. Enabling alerts ensures you receive an email notification each time the specified activity occurs. Utilize the Admin audit log to review a comprehensive history of all tasks executed in the Google Admin console, including details such as the admin responsible, the date, and the IP address used for the admin sign-in.

Don’t share administrator accounts among users. Assign a distinct and recognizable admin account to each administrator. If multiple individuals utilize the same administrator account, like admin@example.com, it becomes challenging to attribute specific activities to a particular administrator in the audit log.

Manage Super admin accounts properly. First, your organization should have more than one super administrator account, each managed by a separate individual. If one account is lost or compromised, another super admin can perform critical tasks while the other account is recovered. Second, never use a super admin account for daily activities. Ensure each super administrator has two accounts: one for their super admin duties (such as configuring 2SV, handling billing and user license, account recovery, etc) and a separate account for daily tasks like sending emails or performing routine admin tasks. Prevent super admins from staying signed in to a super admin account, as it can increase exposure to phishing attacks. Super admins should sign in as needed to do specific tasks and then sign out.

Recover Google Workspace admin account. Administrators must incorporate recovery options into their admin accounts. In the event of a forgotten password, Google facilitates the process by sending a new password through phone, text, or email. Admins are advised to register multiple security keys for their admin account, ensuring they are securely stored. This precaution becomes crucial if the primary security key is misplaced or stolen, as it ensures Google admin account recovery and allows admins to retain access to their accounts. Additionally, in cases where an admin loses both their security key and phone (used for 2SV verification or Google prompt), a backup code serves as an alternative method for signing in.

The role of automatic backup systems in data protection

Tools and technologies, such as 2SV, audit logs, and security alerts Google offers to enhance admin accounts security is effective, yet there are security areas where they fall short. For instance, Google does send automatic alerts about suspicious login attempts, however, this is not always useful as the alerts are sent only to the account that is under attack. If the attack occurs at a time when no one is monitoring the email, hackers could potentially gain access to the account and erase any notification emails before they are noticed. Automated backup systems like Spinbackup can effectively address this issue.

Let’s see the real case study of how automated systems in data protection can help protect from Google Workspace admin account hijacking. One of Spin.ai clients almost fell victim to cybercriminals when they tried to gain unauthorized access to their Google Workspace admin account. The attack was unsophisticated but still, if successful, could caused untold damage to the company including data loss or data breaches that may have involved confidential client or personal employee data.

In this case, hackers managed to identify the Google Workspace admin account of the domain. They organized 19 attempts to crack the Google account password. Luckily, in this case, the potential victim was already using the SpinOne cybersecurity service and detected suspicious activity immediately.

The image below demonstrates a high number of attempted logins to Google Workspace were made. A failed login in itself is not suspicious, as this can easily occur when the user mistypes or forgets his / her password. This is why the action is assigned a “low” risk level. Each action can be selected to view a pop-up with more detailed information.

However, it is the number of failed logins within a short space of time that triggers the suspicious activity warning. These warnings may be sent to any email address, and/or Slack Data Backup and Recovery tool, depending on the settings chosen in Spinbackup.

SpinOne Immediate Detection and Protection Response

The first part of the defense against an admin account hijacking attack is to detect the attempt in the first place. SpinOne can detect suspicious login activity immediately. Once this warning message is received by the Google Workspace administrator, the recommended course of action is as follows:

Immediately change the password
Assign the super administrator role to another user
Turn on Two-Step Verification
Use the hacker’s IP (identified by SpinOne), to determine the Internet provider of this individual and send a complaint of the malicious activity
Block the IP after a suspicious number of login attempts
Add the hacker’s IP to the blacklist.

Enhancing Security with SpinOne’s Security Alerts

SpinOne offers a Security Alerts feature, set to all risk levels for emails and Slack. If any suspicious activity, like excessive password attempts, is detected in your Google Workspace Admin account, you will receive an immediate alert to your email or Slack.

If you ever receive a warning message in this format from SpinOne, you should respond immediately by taking the steps listed above to secure your account.

SpinOne’s access management and risk assessment for Google Workspace admins

Unfortunately, many organizations face the issue when employees can easily install a malicious app or extension and then grant OAuth access to company-sensitive data, which may easily lead to Google Workspace admin account hijacking. SpinOne helps Google Workspace admins manage OAuth access to Apps and Extensions within the company domain by offering full visibility of all major risks for their company so that the administrators can protect sensitive data from insider attacks and advanced security threats.

Conclusion

In conclusion, the security of the Google Workspace admin account is paramount, considering the potential consequences of unauthorized access. The severity of hijacking attacks lies in the power it grants to the infiltrator, posing a significant threat not only to data integrity and confidentiality but also to the whole organization’s system. The implementation of proactive security measures, such as the use of SpinOne cybersecurity service, plays a crucial role in detecting and responding to threats. Swift actions, including password change, role reassignment, and IP blocking, highlight the importance of immediate detection and protection responses in safeguarding G Suite from malicious attacks.