Another week, another phishing scam. This time, users of Google’s “Gmail” service were at risk. Millions of people fell for a phishing email that seemed to come from a friend or colleague who was keen to collaborate on a document; if they clicked on the link and approved an application called “Google Docs”, they compromised their full email address book and most of the emails they’ve ever sent.
The breach, however, should not deter companies from using Google Apps for Business – the professional version of Gmail – to host corporate email, security experts say.
Google Docs is a real online service, offering users a word processor and spreadsheets that run in a browser; documents can easily be shared online. The hackers, however, created a fake app called “Google Docs”, which then spread itself to the inboxes of both Gmail account holders and the users of the business version of Gmail. Whoever fell for the trick then saw a link to the scam forwarded to everyone in their address book.
“Generally, Google’s security is pretty good, and probably better than some of the alternatives out there,” says independent security expert Graham Cluley. “In this instance, Google responded quickly after the attack started, and managed to put an end to it – protecting the vast majority of its customers.”
“Obviously, what happened is embarrassing and ideally wouldn’t have occurred,” he adds – but “shifting providers might just expose you to other risks.”
Choosing the right provider for email and online productivity services is an important consideration for any company. For small firms, “using services provided by an industry giant such as Google can give more security at a lower cost compared to running everything in-house,” says Jarno Niemelä, a cyber-security expert at F-Secure Labs. “Tomorrow, the attack vector will be something different and changing service providers every time there’s an attack is not a viable solution.”
Companies have to be extra vigilant, he adds, and have to strive to achieve good security through understanding what really is important for the business and protecting these assets with a combination of technology, processes and security awareness.
One specific thing to be aware of, says Niemelä, is that “credentials have more power than ever before, and a lot of people authenticate to third-party services using their Google credentials. Thus, a rogue Google app which has rights to do things for a user can be really powerful. The Google Docs part in this attack was just a social engineering lure; the rogue app had nothing to do with Google Docs except the pretext. It could have been anything else that a user would have trusted to answer ‘OK’ when it asks permission to do things.”
The target didn’t need to be a Google Docs user to be affected – the attack was against Google’s whole “walled garden” ecosystem, says Paul Ducklin, senior technologist at Sophos, “where everything is supposed to be security-vetted up front”.
Google should have taken better care over who gets to register as a developer, and what sort of apps and plugins are acceptable, Ducklin adds. “It’s astonishing that Google allowed anyone to register a third-party app called ‘Google Docs’ at all – let alone to let a crook register a rogue app going by that name – because this effectively gave Google’s brand and imprimatur to an imposter.”
Google stopped the attack “within approximately one hour,” the search giant said in a statement. But some still fell victim to the scam; despite Google’s high levels of security, “there will always be hackers who can out-smart the big guys,” says Ross Brewer of LogRhythm.
To prepare themselves, firms have to provide greater employee education, he adds. “Employees must be made more aware of the dangers of phishing attacks, so that they have a better chance of identifying an illegitimate email as soon as it hits their inbox. These types of emails are undoubtedly difficult to catch, but employees need to be encouraged to take just one minute to double-check the sender and validity of an email they have been sent.”
It’s vital to always assess any links that may seem suspicious, Brewer says. “Hackers know that employees can be the weakest line of defence, and will do everything they can to exploit this,” he says, so removing or mitigating this weakness could make all the difference between an unsuccessful and successful attack.
“Good thing that Google shut [the scam] down so quickly,” says Cluley. “It could have been a lot worse.”
To secure Google accounts, F-Secure gives a few pointers:
- Be conscious of where you enter your account password (do you trust the end-point device, and is the site a legitimate Google service?)
- Use a strong passphrase
- Enable two-factor authentication
- Use Google’s built-in Security Checkup and Privacy Checkup tools
- Periodically review forwarding and mail filter settings, Connected apps & sites, Devices and Activities, shared files
- Disable POP and IMAP access if you don’t need them for a desktop or mobile client
- Check what applications have been authorised to access users’ data in the Google ecosystem: https://myaccount.google.com/permissions
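The last two pointers are a manual review of the Connected apps list. For a domain administrator that review scales badly, so the following is an added example (not code from the article, F-Secure or Google) of the same check done over an export of OAuth grants. It assumes records shaped like the Admin SDK Directory API `tokens.list` resource (`clientId`, `displayText`, `scopes`, `anonymous`, `nativeApp`), wrapped per user; the sample export is constructed and the client IDs are placeholders. A grant is flagged when it holds the kind of reach the rogue app abused (full mailbox or address-book scopes) and rated high when the app is also a non-Google client trading on Google's name, which is exactly the “Google Docs” pattern described above.

```python
"""Audit third-party OAuth grants on Google accounts for consent-phishing red flags.

Added example, not the article's or F-Secure's code. Token records follow the
Admin SDK Directory API tokens.list resource shape; sample data is constructed
and every client ID below is a placeholder, not a real application.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Scopes that give an app the reach the rogue "Google Docs" app asked for:
# the whole mailbox and the address book.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Name fragments that trade on Google's brand. Any third-party client ID
# (i.e. one that appears in tokens.list at all) using them deserves a look.
IMPERSONATION_KEYWORDS = ("google", "gmail", "g suite", "docs", "drive")


@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    severity: str                      # "high" or "review"
    reasons: List[str] = field(default_factory=list)


def parse_token_grants(payload: str) -> List[tuple]:
    """Turn a per-user export ([{"user": ..., "items": [token, ...]}, ...])
    into (user, token) pairs so a whole domain is scanned in one pass."""
    data = json.loads(payload)
    return [(entry["user"], tok) for entry in data for tok in entry.get("items", [])]


def assess_grant(user: str, token: dict) -> Optional[Finding]:
    """Return a Finding if the grant is worth a human look, else None."""
    name = token.get("displayText", "")
    scopes = set(token.get("scopes", []))
    reasons = []

    risky = sorted(scopes & HIGH_RISK_SCOPES.keys())
    if not risky:
        return None                    # narrow scopes: nothing to act on here
    reasons.append("high-risk scopes: " + "; ".join(HIGH_RISK_SCOPES[s] for s in risky))

    if any(k in name.lower() for k in IMPERSONATION_KEYWORDS):
        reasons.append(f"third-party app name trades on Google branding: {name!r}")
    if token.get("anonymous"):
        reasons.append("anonymous client ID (app not registered with Google)")

    # Broad scope alone is normal for a real mail client; broad scope plus
    # a branding or registration red flag is the consent-phishing shape.
    severity = "high" if len(reasons) > 1 else "review"
    return Finding(user, token.get("clientId", "?"), name, severity, reasons)


def audit(payload: str) -> List[Finding]:
    """Scan an export and return all findings, highest severity first."""
    findings = [f for u, t in parse_token_grants(payload) if (f := assess_grant(u, t))]
    return sorted(findings, key=lambda f: f.severity != "high")


# Constructed sample export: one honest mail client, one rogue "Google Docs"
# grant with mail + contacts reach, one narrow calendar integration.
SAMPLE_EXPORT = json.dumps([
    {"user": "alice@example.com", "items": [
        {"clientId": "000000000000-placeholder-mailclient.apps.googleusercontent.com",
         "displayText": "Thunderbird", "anonymous": False, "nativeApp": True,
         "scopes": ["https://mail.google.com/"]},
        {"clientId": "999999999999-placeholder-rogue.apps.googleusercontent.com",
         "displayText": "Google Docs", "anonymous": False, "nativeApp": False,
         "scopes": ["https://mail.google.com/",
                    "https://www.googleapis.com/auth/contacts"]},
    ]},
    {"user": "bob@example.com", "items": [
        {"clientId": "111111111111-placeholder-calendar.apps.googleusercontent.com",
         "displayText": "Team Calendar Sync", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    ]},
])

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"[{f.severity.upper():6}] {f.user}: {f.display_text!r} ({f.client_id})")
        for r in f.reasons:
            print("         -", r)
```

Feeding the constructed export through `audit()` rates the “Google Docs” grant high and the mail client as review-only, while the calendar integration is not reported; in a real deployment the revocation step is still the manual one the list above describes, at the permissions page or through the admin console.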