As you are probably aware, there was a new interesting phishing attack that started Wednesday.
“The vulnerability was exposed for only about one hour, and a spokesperson told NBC News on Wednesday night that it affected “fewer than 0.1 percent of Gmail users” — which would still be about 1 million.”
In a nutshell, the attack worked like this:
You receive a link from one of your contacts sharing out a Google doc.
Once you clicked the link, it took you to the real Google Security page, where you were asked to give permission to a fake application (this one posing as GDocs) to manage your email. It also replicated itself by sending the same link out to all contacts in your list. This caused the attack to spread rapidly.
So what can you do about this?
I’d like to introduce an unnamed friend of mine, T.C.
T.C. is a hard working system administrator who has been doing this for about 20 years. T.C. cares greatly about his company and security. T.C. is a good system admin. T.C. has an advantage over other System Administrators. He knows an awesome Infosec professional who always talks about attacks and sophistication. Let’s just say that when it comes to security issues, T.C. is better educated than most system administrators.
T.C. fell for this attack and notified me. I asked T.C. to let me use this information to help better inform the community about these types of attacks. T.C. was more than happy to help.
(Remember, don’t be embarrassed about falling victim. The more we talk about how these things happen, the better we will be.)
I received an email in my inbox at 11:47 am PST yesterday with the following subject:
T.C. has shared a Google doc with you.
T.C. and I have been friends for a long time but I wasn’t expecting a Google doc from him. In fact, we have never shared anything on Google docs prior to this. While I would have questioned this email, luckily I was out at lunch and didn’t really pay attention to it.
I received the next email at 12:03 pm from TC with the following subject:
And the following message:
“Folks, do not open the Google docs email I supposedly just sent. Even IT guys get caught sometimes.”
Ten minutes. From click to the next email stating that he got caught by the scammers.
T.C. is a smart guy; he has been doing this a long time. He pays attention. So how did he get caught?
“I had not heard of anything going around,” he said. “Although my normal channels of web surfing did show that something was going around but it had not been highly publicized yet. I received the email and thought it was weird that I received something from my cousin who has never sent me anything. His dad is on hospice (my uncle) and I had thoughts of something along those lines. It looked pretty legit. But I did my due diligence and looked at the hyperlink.”
In this particular attack, the hyperlink was a legit Google hyperlink so he thought he was good to go. So far with the Google auth page this all seemed fairly normal.
So T.C. had legitimate reasons to believe his cousin had sent the mail. He had legitimate reasons to believe the email wasn’t an attack based on the hyperlink. As of yet, he had not heard anything about this type of attack on news feeds.
At this point, T.C. says: “It seemed good. It was going to Google and seemed legit so I clicked. It took me to a Google auth page. I thought that is pretty normal. If I am going to be getting a shared doc, I would need to authenticate. Especially when we put in account expiration times meaning most users would have to re-authenticate at least once a day to the service. I then put in my password and I got to some weird page.”
“I started to dig in and I get an email from somebody else that says: ‘Did I mean to send them spam?’ I knew I probably fell for it.”
“Immediately the realization hit me and I then looked at my sent items and it BCC’ed all my Google contacts. I knew at this point I had fallen for it. I then immediately sent a follow-up email that said to disregard the first.”
Then the cleanup began.
“I then did more research and found out about removing Google docs from my list of approved apps because Google docs just being there was wrong.”
“I started rotating all of my passwords.”
From click to realization was less than five minutes. From the spread to the follow-up email was about 10 minutes.
So what can we learn from this attack and from TC’s tale?
The sophistication of attacks is going to continue to increase. Attackers know that misspelled, non-legit emails are getting them few results. As an industry, we have been educating users for a long time on being wary of email links. The attackers know this and will keep building more sophisticated attacks to dupe users. You should use these types of attacks in your education program for users. Most of what we teach users is to hover over the link or to verify that it comes from a legit source. In this case the link was legit, so we need to expand and update that education.
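To make that lesson concrete, the following is an added example (not part of the original post) of a link triage check that looks past the hostname to what the consent request actually asks for. The sample URL, client ID, redirect domain and the trusted-suffix list are constructed assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

GOOGLE_AUTH_HOSTS = {"accounts.google.com"}  # where real consent screens live
# Scopes that hand over the mailbox or address book.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}
# Assumption: redirect targets your organisation treats as first-party.
TRUSTED_REDIRECT_SUFFIXES = (".google.com", ".example-corp.test")


def triage_link(url):
    """Report what the hover test sees, then what the consent request asks for."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    on_google = parts.scheme == "https" and (parts.hostname or "") in GOOGLE_AUTH_HOSTS
    report = {"lands_on_google_auth": on_google, "redirect_host": None,
              "sensitive_scopes": [], "verdict": "not an OAuth consent link"}
    if not on_google or "client_id" not in query:
        return report
    redirect = urlsplit(query.get("redirect_uri", [""])[0])
    report["redirect_host"] = (redirect.hostname or "").lower()
    scopes = query.get("scope", [""])[0].split()
    report["sensitive_scopes"] = sorted(s for s in scopes if s in SENSITIVE_SCOPES)
    # Leading dot stops "evilgoogle.com" from matching ".google.com".
    first_party = ("." + report["redirect_host"]).endswith(TRUSTED_REDIRECT_SUFFIXES)
    if report["sensitive_scopes"] and not first_party:
        report["verdict"] = "high risk: third-party app requesting mailbox or contacts"
    elif not first_party:
        report["verdict"] = "third-party app, no sensitive scopes"
    else:
        report["verdict"] = "first-party consent request"
    return report


# Constructed sample: the host is genuine, the app behind it is not Google's.
SAMPLE_CONSENT_URL = "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode({
    "client_id": "CONSTRUCTED-ID.apps.googleusercontent.com",
    "redirect_uri": "https://docs-share.example.net/callback",
    "response_type": "code",
    "scope": "https://mail.google.com/ https://www.googleapis.com/auth/contacts",
})

if __name__ == "__main__":
    for key, value in triage_link(SAMPLE_CONSENT_URL).items():
        print(f"{key}: {value}")
```

The sample link passes the hostname check and is still flagged, because the signal is in the redirect target and the requested scopes rather than in the host the user sees.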
Email will continue to be a top vector when it comes to breaching systems. If a 20-year IT pro can fall victim, what shot does someone in accounting have? As an industry, we have relied far too heavily on email for far too long. We need to begin to seriously look at other communication modalities to help protect against these types of attacks. Email has plenty of flaws, and some organizations have gone to other modalities for internal communications with staff. We need to move away from email. It’s time. There are better, more secure solutions out there for communications.
We seem to forget the verify portion of “trust but verify” all the time. Had T.C. called or texted his cousin to see if he sent this, it could have been avoided. If you receive something unexpected, verify with the sender that they sent it. Yes, this takes diligence and time but it will keep your data from being at risk.
Lots of users use Gmail or their Google account as their PRIMARY account. This is used for other services to provide login information. If an attacker gains access to your Google account, you can bet they have access to lots of other systems you use. Consider where your password resets go. Do they go to your Gmail account? If so, and you fell for this attack, you should rotate all passwords immediately. If an attacker has access to your Gmail, they have access to anything you use it for. Keep that in mind as you link accounts.
Many companies are relying on Google Docs to collaborate. This is especially true for companies with remote employees. Ask yourself: “What’s in Google Drive and what could the bad guys have access to?” Sure, it’s convenient, cheap and easy, but if this type of attack happens, do you even know what your organization’s exposure is? This type of attack is more likely to work in organizations that share out data via Google Docs all the time.
For T.C. and a ton of infosec and information technology teams, a lot of time was spent on the internal cleanup. Some organizations found up to 35 different unique variants. Internal teams were pulling emails out of inboxes on the backend and in some cases using defense in depth to also block bad domains associated with the attack.
Consider the cleanup effort you or your team went through. Now, begin to drill those scenarios with your teams to get better and faster next time. Use this to test business continuity and disaster recovery in conjunction with a security incident. Do a tabletop. What if this was more malicious? What if your team was dealing with multiple attacks at once? Be prepared for these scenarios. They will continue to happen.
If you are like T.C. and his organization, you should lock down Google so that you cannot share contacts and content with anyone outside your organization. This is fairly easy to configure and would help protect against these types of attacks.
This attack wasn’t all bad though. Good lessons learned can come out of each one.
I wanted to note that the first public post from a “friend” on Facebook who doesn’t work in infosec was within a half an hour of T.C. sending me the warning email. We are getting better about notifying the public and the public is listening.
I also want to commend Google for moving as fast as possible on this type of attack. As of yesterday, Google said it had “disabled” the malicious accounts and pushed updates to all users.