Attackers Unleash OAuth Worm via 'Google Docs' App1 Million Google Users May Have Fallen for Fake App Spread via Phishing Emails
Score another one for social engineering.
A malicious app named "Google Docs" by attackers has been making the rounds, attempting to trick Google users into logging in and giving the app access permissions to their account.
The phishing campaign began with an email to victims from an address they likely would have recognized, according to multiple analyses of the attack that have now been posted online by security researchers. But the campaign quickly turned into a worm, as users authorized the bogus app in droves, allowing it to spread to their own contacts.
Although Google neutered the attack shortly after it appeared, the technology giant - believed to boast about 1 billion users - said that about 0.1 percent of its users were affected. In other words, roughly 1 million individuals may have fallen victim to this phishing campaign.
"This attack was notable due to the sheer volume and velocity at which it was executed," security researchers Sean Baird and Nick Biasini from Cisco Talos say in a blog post. "What started as a trickle of emails quickly became a deluge resulting in a prime area of focus on Twitter and in the security community. Due to its relentless nature it got everyone's attention."
How It Works
Here's how the attacks begin: A user receives an email containing an "Open in Docs" button, which, when clicked, redirects the user to a legitimate Google site, requesting that they allow an app called "Google Docs" to "read, send, and manage your email" as well as to "manage your contacts." If users click "allow," the malicious app - and by extension an attacker - gains access to all of those features.
The tricky part of the attack is that the app - like so many other sites and services online - uses Google's legitimate, OAuth-based log-in system, meaning that it's up to users to spot that someone is trying to scam them. "This is a legitimate request and is part of a lot of applications that make use of Google as an authentication mechanism," Baird and Biasini say. "The portion that is not normal are the permissions that are being requested."
As is typical with any security control that relies on humans to effectively differentiate legitimate requests from scams, users predictably failed in droves.
Fortunately, Google neutered the attack not long after it began. "We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts," the Google Docs team says in a statement released via Twitter, just hours after the attack was first spotted on May 3. "We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."
To be clear, Google wasn't targeted with a phishing attack. "It's not a Google 'phish.' It's an OAuth worm," says Sean Sullivan, a security adviser at Finnish security firm F-Secure, via Twitter.
The attack centered on OAuth tokens provided by Google - other services also offer the feature - which allow a user to give a site or service persistent access to their Google account. One advantage is that users can then access the site or service without having to log in again. But that persistent access is regularly targeted by attackers, who create bogus apps and then send phishing emails to users, trying to get them to grant access. Such attacks also bypass two-factor authentication, because it's the already authenticated user who's granting access to the bogus app (see Hello! Can You Please Enable Macros?).
Thankfully, security researchers report, none of the "Google Docs" app attacks appear to have pushed malicious code onto victims' PCs.
With any service that allows OAuth logins, security experts say users should regularly review which apps they've granted access. For Google users, visiting https://myaccount.google.com/permissions allows them to revoke permissions for any apps or sites that shouldn't connect to their Google account.
Anyone who thinks they've fallen victim to an attack that targeted their OAuth credentials should also change their password, security experts recommend. But they note that doing so alone - without revoking permissions - won't immediately block attackers' access to their account, since existing OAuth tokens don't get regularly invalidated.
Email Address Harvesting
While the May 3 "Google Docs" app attack campaign has not been traced to any individual or actor, and no one has claimed credit, this was likely just an opening move.
"The goal of this attack is likely two-fold. This instance acted as a potential proof-of-concept for a convincing Google phish via OAuth," Cisco's Baird and Biasini say. In addition, they note that attackers could have quickly harvested massive amounts of contact information from the Gmail accounts of anyone who gave access rights to the "Google Docs" app.
It's not yet clear if stolen information has been put to use, says John Wilson, field CTO at email security firm Agari.
"While we haven't seen reports of fraud yet, the cybercriminals who launched the attack have access to all of the victims' emails until the app is disabled," Wilson says in a blog post. "With that access, the criminals can use your identity to scam co-workers or relatives, reset your bank account password and steal money or harvest information to steal the victim's identity. There are an infinite number of ways a cybercriminal can monetize this kind of access."
When in Doubt: Don't Click
Cisco's Baird and Biasini says that based on the effectiveness of this attack, more are sure to follow, and it's unclear if Google will be able to successfully shut them all down before more damage gets done.
Their main message to anyone who uses a service that relies on OAuth is to cultivate healthy amounts of skepticism and paranoia.
"Users must be very careful what they click on, particularly when it involves passwords or granting permissions or access of some kind," the Cisco researchers say. "If in doubt, reach out to the sender of the attachment or link using a means other than email to verify the integrity of their email."