Gmail account owners are once again the target of attackers trying to take control of their accounts. The method is similar to one already used by Russian hackers: it abuses the OAuth protocol by tricking the user into granting email and contact management privileges to a fake "Google Docs" application.
If you receive an email asking you to open a document via Google Docs, be careful: it could well be a phishing attempt, or something worse. The emails, which circulated for nearly three hours before Google stopped them, carry an invitation of the form "XXX has invited you to view the following document", followed by an "Open in Docs" button. Instead of a document, a Google consent window opens asking the user to grant the so-called Google Docs application very extensive rights, namely the ability to read, send, delete and manage the email account (including changing the password) and to manage contacts.
An example of a phishing email circulating yesterday. (credit: Reddit)
“This attack is quite clever and exploits the ability to link a Google account to a third-party application,” said Mark Nunnikhoven, vice president of cloud research at Trend Micro. The attackers have thus found an (unfortunately) very clever way to take control of a Gmail account without trying to steal the account credentials, and without running into the otherwise effective barrier of two-factor authentication offered by Google. They succeeded by abusing the OAuth protocol, which allows a third-party application to connect to Google accounts (and likewise Twitter, Facebook, etc.), and by encouraging the user to authorize a fake Google Docs app written and controlled entirely by the attackers.
Other similar campaigns expected
Last month, Trend Micro reported that a Russian hacker group, Fancy Bear, had used a similar method of abusing the OAuth protocol in phishing campaigns. “The recent Google Docs phishing attack leveraged some techniques that were previously more associated with government-related cyberattacks,” said Charles Rami, Southern Europe sales manager at Proofpoint. “Cybercriminals continue to use carefully crafted messages to steal credentials from email accounts, as they are the gateway to other digital accounts, such as banking, social media and email contact lists. Our initial analysis shows that this attack targeted organizations of all types, including education, technology, financial services, and travel. Based on the success of this attack, we expect similar campaigns to be initiated to attract new potential victims.”
For now, neither the extent of the attack nor the number of users caught by this wave of phishing is known. “We removed fraudulent pages, pushed updates through Safe Browsing and our team is working to ensure that this type of spoofing does not happen again,” Google said. Security experts and the Mountain View company recommend that affected users check the permissions granted to third-party applications on their Google account and revoke any that look suspicious. This is done from the account's third-party app permissions page, and the account's security settings should be reviewed at the same time.
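The two points the article makes, that an OAuth consent screen can hand a third party full mailbox and contacts control without any password, and that the remedy is to audit and revoke such grants, can be illustrated with a small triage script. The following is an added example, not code from the article or from Google: it parses an OAuth 2.0 authorization URL to show which rights a consent prompt would grant, and it scans a list of existing grants for apps that borrow a Google product name while belonging to a non-Google domain and holding mail or contacts scopes. The scope strings are real Google API scopes; the client id, redirect URI, domains and the list of grants are constructed sample data, not values from the incident.

```python
"""Triage of OAuth consent requests and existing third-party grants (added example)."""
from urllib.parse import urlparse, parse_qs

# Real Google API scopes that together give an app the reach described in the article:
# read/send/delete mail and manage contacts.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and modify mail",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
}

# Domains under Google's control; anything else is a third party.
GOOGLE_HOSTS = ("google.com", "googleapis.com", "googleusercontent.com")


def host_is_google(host):
    """True if host is one of Google's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTS)


def assess_consent_request(auth_url):
    """Parse an OAuth 2.0 authorization URL and explain what accepting it would grant."""
    query = parse_qs(urlparse(auth_url).query)
    scopes = query.get("scope", [""])[0].split()          # scopes are space-separated
    redirect = query.get("redirect_uri", [""])[0]          # where the code/token is sent
    redirect_host = urlparse(redirect).hostname or ""
    risky = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    findings = []
    if risky:
        findings.append("grants mailbox/contacts control: " + "; ".join(risky.values()))
    if risky and redirect_host and not host_is_google(redirect_host):
        findings.append("that control goes to third-party host " + redirect_host)
    return {
        "scopes": scopes,
        "risky_scopes": sorted(risky),
        "redirect_host": redirect_host,
        "verdict": "REVIEW" if findings else "ok",
        "findings": findings,
    }


def find_suspicious_grants(grants):
    """Flag granted apps that (a) use a Google product name, (b) are not Google's,
    and (c) hold mail or contacts scopes. `grants` mirrors what a user sees on the
    account permissions page: app name, developer domain, granted scopes."""
    flagged = []
    for g in grants:
        name = g["name"].lower()
        mimics_google = name.startswith("google") or "gmail" in name
        third_party = not host_is_google(g["domain"])
        powerful = any(s in HIGH_RISK_SCOPES for s in g["scopes"])
        if mimics_google and third_party and powerful:
            flagged.append(g["name"])
    return flagged


# Constructed sample consent URL: a third-party client asking for mail + contacts.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-constructedexample.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

# Constructed sample of an account's existing grants.
SAMPLE_GRANTS = [
    {"name": "Google Docs", "domain": "docs-share.example.invalid",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"name": "Google Drive", "domain": "google.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"name": "Calendar Helper", "domain": "calendar-helper.example.invalid",
     "scopes": ["openid", "email"]},
]

if __name__ == "__main__":
    report = assess_consent_request(SAMPLE_AUTH_URL)
    print("Consent request verdict:", report["verdict"])
    for f in report["findings"]:
        print("  -", f)
    print("Grants to revoke:", find_suspicious_grants(SAMPLE_GRANTS))
```

The consent-request check only raises a verdict when mailbox or contacts scopes are requested, since a third-party redirect URI is normal for any legitimate app; it is the combination of a Google-looking name, a non-Google domain and those scopes that matches the pattern described above.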