Sneaky Gmail phishing attack fools with fake Google Docs app

Russian hackers resorted to a similar method to abuse the OAuth protocol to phish user accounts

Google Docs was pulled into a sneaky email phishing attack on Tuesday that was designed to trick users into giving up access to their Gmail accounts.

The phishing emails, which circulated for about three hours before Google stopped them, invited the recipient to open what appeared to be a Google Doc. The teaser was a blue box that said, “Open in Docs.”

In reality, the link led to a dummy app that asked users for permission to access their Gmail account.

[Image: screenshot of the phishing email, via Reddit]

An example of the phishing email that circulated on Tuesday.

Users might easily have been fooled, because the dummy app was actually named “Google Docs.” It also asked for access to Gmail through Google’s actual login service.

The hackers were able to pull off the attack by abusing the OAuth protocol, a way for internet accounts at Google, Twitter, Facebook and other services to connect with third-party apps.

The OAuth protocol doesn’t transfer any password information, but instead uses special access tokens that can open account access.

However, OAuth can be dangerous in the wrong hands. The hackers behind Tuesday’s attack appear to have built an actual third-party app that leveraged Google processes to gain account access.

[Image: screenshot of the permission prompt shown by the fake app, via Reddit]

The dummy app will try to ask for account permission.

“The attack is quite clever and it exploits the ability for you to link your Google Account to a third-party application,” said Mark Nunnikhoven, vice president of cloud research at security firm Trend Micro.

Exploiting OAuth for account access is particularly devious because it can bypass the need to steal someone's login credentials or even Google's 2-step verification.

Last month, Trend Micro said a Russian hacking group known as Fancy Bear was using a similar email attack method that abused the OAuth protocol to phish victims.

However, security experts said Tuesday's phishing attack probably wasn't from Fancy Bear, a shadowy group that many experts suspect works for the Russian government.

"I don't believe they are behind this ... because this is way too widespread," Jaime Blasco, chief scientist at security provider AlienVault, said in an email.

On Tuesday, many users on Twitter, including journalists, posted screen shots of the phishing emails, prompting speculation that the hackers were harvesting victims' contact lists to target more users.

The attack was also sent through an email address at "hhhhhhhhhhhhhhhh@mailinator.com." Mailinator, a provider of a free email service, denied any involvement.

Fortunately, Google moved quickly to stop the phishing attacks, after a user on Reddit posted about them.

“We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again,” Google said in a statement.

Security experts and Google recommend affected users check what third-party apps have permission to access their account and revoke any suspicious access. Users can do so by visiting this address, or performing a Google security check-up.
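The review the article recommends can be scripted. The following is an added example, not code from the article or from Google: it scores a constructed list of connected-app records (app display name, registered developer contact, granted scopes) and flags the two signs the attack relied on, a third-party app named after a Google product and a grant of broad Gmail or contacts scopes. The scope URIs are Google's real ones; the record shape, the sample entries and the `example.invalid` addresses are assumptions made for the example.

```python
"""Flag suspicious third-party OAuth grants on a Google account (added example)."""
from dataclasses import dataclass

# Real Google OAuth scope URIs that let an app read or send mail, or read contacts.
HIGH_RISK_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/contacts",
})

# Google product names a third-party app has no legitimate reason to use as its own.
FIRST_PARTY_NAMES = frozenset({"google docs", "google drive", "gmail", "google"})


@dataclass(frozen=True)
class Grant:
    app_name: str          # display name shown on the consent screen
    developer_email: str   # contact address registered for the OAuth client
    scopes: frozenset      # scopes the user approved


def suspicious_reasons(grant: Grant) -> list:
    """Return the reasons this grant deserves review; empty list means none."""
    reasons = []
    # Normalise case and whitespace so "Google  Docs" still matches.
    name = " ".join(grant.app_name.lower().split())
    if name in FIRST_PARTY_NAMES:
        reasons.append("name impersonates a Google product")
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        reasons.append("broad mailbox/contacts scopes: " + ", ".join(sorted(risky)))
    return reasons


def review(grants) -> dict:
    """Map each flagged app name to its reasons; clean grants are omitted."""
    return {g.app_name: suspicious_reasons(g) for g in grants if suspicious_reasons(g)}


# Constructed sample records; developer addresses are placeholders.
SAMPLE_GRANTS = [
    Grant("Google Docs", "developer@example.invalid",
          frozenset({"https://mail.google.com/", "https://www.googleapis.com/auth/contacts"})),
    Grant("Todo Tracker", "support@todo.example.invalid",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    Grant("Mail Merge Tool", "ops@merge.example.invalid",
          frozenset({"https://www.googleapis.com/auth/gmail.readonly"})),
]
```

Anything the script flags still needs a human decision: a genuine mail-merge add-on legitimately holds a Gmail scope, whereas a third-party entry calling itself "Google Docs" is exactly the impersonation the article describes.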

It's also good practice to be careful around suspicious-looking emails. Many hacking attempts, including malware infections, come through links or attachments sent over email.

Security firms are warning that other hackers may conduct similar phishing attacks abusing OAuth, not just through Google, but with Facebook and LinkedIn.

"Like all other creative, novel approaches, it will likely be heavily copied almost immediately," Cisco's Talos security group said in a blog post. Talos has identified more than 275,000 applications that use OAuth and connect to the cloud.

But even though Tuesday's attack may have been novel, the dangers with OAuth are hardly new. Security experts have warned in the past that users may be phished through manipulation of OAuth to grant permissions to the wrong party.

In response to such attacks, Google said last month that it reviews any OAuth abuse and takes down thousands of apps that violate its user data policy, including those that impersonate company products.

Tuesday's phishing scheme will probably push Google to adopt an even stricter stance on apps that use OAuth, said Robert Graham, CEO of research company Errata Security.

However, the internet giant has to strike a balance between ensuring security and fostering a flourishing app ecosystem.

"The more vetting you do, the more you stop innovation," Graham said. "It's a trade-off."

Michael Kan

IDG News Service