A massive phishing campaign impersonating a request to share Google Docs documents hit inboxes worldwide earlier this week.
Victims who clicked on links in the emails were asked to share access to their Gmail contact lists and Google Drive, the New York Times reports — and those contact lists were then used to distribute the attack to victims’ contacts.
In a statement, Google said, “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”
“We encourage users to report phishing emails in Gmail,” the company added. “If you think you clicked on a fraudulent email, visit g.co/SecurityCheckup and remove apps you don’t recognize.”
A spokesperson told NBC News that the attack affected “fewer than 0.1 percent of Gmail users” — but that would still be about a million people.
The Importance of Security Training
AlienVault chief scientist Jaime Blasco told eSecurity Planet by email that while this kind of attack, which abuses OAuth to give attackers access to the victim’s email, is similar to what the Russian hacker group APT28 has used in the past, it does not seem likely to be their work.
“Many people/organizations have received similar attempts, so this is probably something massive and less targeted,” Blasco said.
Still, Fidelis Cybersecurity threat research manager John Bambenek said by email that the attack is a stark reminder that criminals and nation states are targeting the one thing technology can’t fix — the user. “If you can trick the user into compromising themselves, you have no need for a zero-day,” he said. “Security awareness and vigilance of end users are the key to the security of any system.”
Wombat Security president and CEO Joe Ferrara said the best way for organizations to protect themselves is to train users on how to spot suspicious emails, and keep them updated on new attack techniques.
“Humans will continue to make mistakes when it comes to phishing,” Ferrara said. “But it is possible for organizations to increase awareness and educate end users to make better decisions, fewer mistakes and alert the appropriate department about questionable emails so infosec teams can become more proactive.”
Opening Every Attachment
A recent Glasswall Solutions survey of 1,000 office workers found that 82 percent of respondents usually or always open email attachments if they appear to be coming from a known contact.
Of those respondents, 44 percent open email attachments every time they receive one.
Fifty-five percent of respondents said they send or receive at least 11 documents via email every day, and 20 percent said their company either has no policy on how to handle email attachments, or they haven’t been made aware of it.
And while 76 percent of respondents said they have received emails with suspicious attachments, 58 percent admitted they usually open attachments from unknown senders.
“This research confirms anecdotal evidence that, although security awareness campaigns have their place, all too often they fail to equip workers with effective strategies for protecting data and systems,” University of Oxford professor Andrew Martin said in a statement.