Following the news that one million Google Docs users have been hit by a phishing scam, IT security experts from Vectra Networks, MWR InfoSecurity, Wombat Security, Tripwire, Lastline and OwlDetect commented below.
Matt Walmsley, EMEA Director at Vectra Networks:
“Security is a strategic issue. Businesses that lack transparency and willingness to address security matters in an honest and open way will see a significant impact on the bottom line, and damage their market value and reputation. In this latest attack, Google has acted quickly to report and shut down the breach and release a statement to inform the public. In doing so, it has managed to preserve its reputation and shown itself to be transparent and in control of the situation.
“When the EU general data protection regulation (GDPR) comes into force in May 2018, reporting breaches will be imperative. Companies that fail to put the appropriate security controls in place and notify authorities will face incremental fines of up to four per cent of the global annual revenue for non-compliance.”
Jason Kerner, Senior Developer for phishd at MWR InfoSecurity:
“Accessing users’ contacts is something that has been seen with Google attacks previously and appears to be a favoured approach by attackers at present. Quite often these attacks will be the first phase of a more complex and targeted attack by utilising the information gained.
“With web-based email clients offering more functionality to developers through ‘app’ integration, essentially a set of APIs allowing additional functionality, attackers are exploiting this functionality. It would almost seem that an app’s functionality should be vetted before being made available to the general user base, with its functionality and, more importantly, its permissions being confirmed. More fine-tuning of permissions in how they are presented to users and what this means to them, combined with education at the right level, may reduce the spread of such an attack in the future. Facebook’s permission system, as well as the Android operating system, have both adjusted their approach regarding what apps are allowed to do, what not to do and what that means to users.
“We expect these types of attacks to become more prevalent in the future as there is such a mass of information that can be gained and therefore exploited from conducting them.”
Joe Ferrara, CEO at Wombat Security:
“The best way for organizations to protect themselves is to continually train end users on how to spot suspicious emails and keep them updated on new attack techniques. Humans will continue to make mistakes when it comes to phishing. But it is possible for organizations to increase awareness and educate end users to make better decisions, fewer mistakes and alert the appropriate department about questionable emails so info security teams can become more proactive.”
Tyler Reguly, Manager, Security Research & Development at Tripwire:
“Once you click on the link, the application will ask for permissions to your email account. If granted, it will begin to use your account to send out further spam emails. At this time, there does not appear to be anything malicious in the sense of stealing sensitive data, however having your account compromised in this manner can still make you feel violated. If anyone clicked through and granted permissions, it is a simple process to remove the access. Navigate to https://myaccounts.google.com/permissions and remove the permissions for the “Google Docs” application.
“One important thing to note: within an hour of the initial report being posted to Reddit, Google had put a fix in place to mitigate the threat.”
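Reguly describes an app that borrows the name “Google Docs” and, once granted mail permissions, mails itself to the victim’s contacts. The following is an added example, not code from the article or from any vendor quoted in it, showing how a defender could audit a list of authorised third-party OAuth grants for that pattern; the grant records are constructed by hand and the scope strings are Google’s published OAuth scope identifiers.

```python
"""Audit third-party OAuth grants for the consent-phishing pattern
described above: a non-Google client using a Google product name, or a
client holding both contact-read and mail-send scopes (the combination
that lets a phishing app propagate itself). Illustrative only; the
grant list is constructed, no Google API is called."""
from dataclasses import dataclass

# Google OAuth scopes that allow sending mail as the user.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
}
# Google OAuth scopes that allow reading the user's contacts.
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/contacts",
}
# First-party product names a third-party client should never display.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "gmail", "google"}

@dataclass
class Grant:
    app_name: str
    first_party: bool   # True only if the client is owned by Google itself
    scopes: frozenset

def impersonates_google(grant):
    """Third-party client presenting itself under a Google product name."""
    name = grant.app_name.strip().lower()
    return not grant.first_party and any(
        name == p or name.startswith(p + " ") for p in GOOGLE_PRODUCT_NAMES)

def can_self_propagate(grant):
    """Holds both contact-read and mail-send capability."""
    return bool(grant.scopes & MAIL_SCOPES) and bool(grant.scopes & CONTACT_SCOPES)

def grants_to_revoke(grants):
    """Names of grants a user or admin should review and revoke."""
    return [g.app_name for g in grants
            if impersonates_google(g)
            or (not g.first_party and can_self_propagate(g))]

# Constructed sample data: one phishing-style grant, two benign ones.
SAMPLE_GRANTS = [
    Grant("Google Docs", False, frozenset(MAIL_SCOPES | CONTACT_SCOPES)),
    Grant("Google Drive", True, frozenset({"https://www.googleapis.com/auth/drive"})),
    Grant("Calendar Helper", False,
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
]

if __name__ == "__main__":
    print(grants_to_revoke(SAMPLE_GRANTS))  # → ['Google Docs']
```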
Brian Laing, VP at Lastline:
Professor Richard Benham, Security Advisor at Online Service OwlDetect:
“It’s natural for you to feel some unease if you regularly use Google Docs or own a Gmail account. If you’ve accidentally opened this fake document either yesterday or today, there are simple actions you can take to ease this situation and regain control.
“Firstly, log into your Google account’s permissions page and remove all the access privileges from the Google Docs’ account that conducted the phishing scam. If you don’t recognise any active applications, it’s best, as a precaution, to remove them. You can always reactivate an application later if you realise you needed it. Secondly, you should reset your password and ensure you’re using Google’s official website and not logging into a fake site. Trustworthy sites can be identified by a green padlock in the address bar, and often it says “Secure”. Thirdly, change any passwords which might be affected and use a strong alphanumeric code that includes numbers, hashtags and punctuation.
“Lastly, if you’re still finding suspicious activity, consider using services like OwlDetect which can monitor the web and alert you if any of your personal information is leaked.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.