Google Docs/Gmail Phishing Debacle

Note: Information for G-Suite domain Administrators located at the bottom of this write up.

Yesterday's email debacle was widespread and hit a large number of Gmail users worldwide. Many of the media outlets have touted the “dangerous attack” as “hacking” your email account and warned users not to open any Google Docs. However, this email in particular did not actually do any harm (beyond the annoyance of spamming millions of email accounts). After seeing the source code and the events that followed the incident, it is believed by many (myself included) that this was a proof-of-concept attack by a researcher to open Google’s eyes to a possible vulnerability. It worked, as Google moved swiftly to disable the app and put in safeguards to HELP combat similar and possibly more malicious attacks in the future. DO NOT be afraid to open Google Docs that are shared with you. DO read on for more information about how you can safeguard yourself from similar attacks in the future.

The Scam

  • What happened after you clicked open on the offending email is the problem, and it is something that we have complete control over.
  • The email linked to an authorization page (see screenshot below) that asked you to give an app called Google Docs (not the actual Google Docs; the real Docs should never ask you for Gmail and Contacts permissions) full access privileges to your Gmail account and your contacts.
  • If you clicked Allow (rather than closing the page or hitting Deny), it installed an app with the ability to read your contacts and read/send email as you.
  • The app script then sent that same message to every one of your contacts and to an inbox on mailinator.com (the hhhhhh@mailinator.com address). Mailinator.com is a public inbox service that had no ties to the email and worked quickly to disable the inbox.

[Screenshot: the OAuth authorization page for the fake “Google Docs” app]

What can you do to protect yourself?

  • Never open ANY email attachments from an unknown source, and be careful when opening attachments from a known source.
  • ALWAYS read and understand what permissions you are giving apps (online, on your cellphone, on your computer, etc.). If the permissions seem overly invasive, ask questions.
  • If you get a message that says a Google Doc is being shared with you, and it seems out of place, go to drive.google.com and click on the “Shared with me” tab. Any real shared Google Docs will be located there.
  • Go to https://myaccount.google.com/security and audit your account settings every once in a while. If you click on the “Connected apps & sites” tab, you can verify which apps have which permissions and disable any unused, over-reaching, or out-of-place apps.
  • Here is more information from Google on keeping your account secure: https://support.google.com/accounts/answer/46526?hl=en

Notes for G-Suite Domain Administrators:

  • It wouldn’t be a bad idea to use GAM to delete any OAuth tokens left behind by this incident.
  • If you want to see whether anyone on your domain has these OAuth tokens, you can use the following command:

gam all users show token clientid xxxxxInsertTokenIDHerexxxxx

  • If you want to see who has these tokens and delete them, run this command in GAM:

gam print users | gam csv - gam user ~primaryEmail delete token clientid xxxxxInsertTokenIDHerexxxxx

Known client IDs to be removed (plug each one in place of xxxxxInsertTokenIDHerexxxxx above):

187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com

946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com

632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com

366668462857-3qkidqn8oseh9v3fhm3085kpb747bgm7.apps.googleusercontent.com

188775109388-t33r6vb45j8fgf8vpcp4q0e6qt2pe01n.apps.googleusercontent.com

1024674817942-fstip2shineo1lsego38uvsg8n2d3421.apps.googleusercontent.com
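For administrators who would rather triage a token export before revoking, here is an added Python example (not code from this write-up or from GAM). It assumes a CSV with one token per row and the column names user, clientId, displayText and scopes; those column names and the sample rows are constructed for the example, not GAM's exact output. Beyond matching the six client IDs listed above, it also applies the tell described earlier: an app presenting itself as a Google product while holding Gmail or Contacts scopes.

```python
import csv
import io

# The six client IDs listed in this write-up as belonging to the fake "Google Docs" app.
KNOWN_BAD_CLIENT_IDS = {
    "187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com",
    "946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com",
    "632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com",
    "366668462857-3qkidqn8oseh9v3fhm3085kpb747bgm7.apps.googleusercontent.com",
    "188775109388-t33r6vb45j8fgf8vpcp4q0e6qt2pe01n.apps.googleusercontent.com",
    "1024674817942-fstip2shineo1lsego38uvsg8n2d3421.apps.googleusercontent.com",
}

# Scopes that a third-party app calling itself "Google Docs" has no business holding.
MAIL_OR_CONTACTS_MARKERS = ("mail.google.com", "auth/gmail", "auth/contacts", "m8/feeds")
IMPERSONATED_NAMES = {"google docs", "google drive", "gmail"}

# Constructed sample export (assumed column names, not GAM's real header).
SAMPLE_TOKEN_CSV = """\
user,clientId,displayText,scopes
alice@example.com,187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com,Google Docs,https://mail.google.com/ https://www.googleapis.com/auth/contacts
alice@example.com,000000000000-legit.apps.googleusercontent.com,Calendar Sync,https://www.googleapis.com/auth/calendar
bob@example.com,999999999999-lookalike.apps.googleusercontent.com,Google Docs,https://www.googleapis.com/auth/gmail.send
carol@example.com,000000000000-legit.apps.googleusercontent.com,Calendar Sync,https://www.googleapis.com/auth/calendar
"""


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_bad_tokens(csv_text, bad_client_ids=KNOWN_BAD_CLIENT_IDS):
    """Return (user, clientId) pairs whose client ID is on the known-bad list."""
    return [(r["user"], r["clientId"].strip()) for r in _rows(csv_text)
            if r["clientId"].strip() in bad_client_ids]


def suspicious_consents(csv_text):
    """Return (user, displayText, clientId) for apps named like a Google product
    that hold Gmail or Contacts scopes, whatever their client ID."""
    hits = []
    for r in _rows(csv_text):
        looks_first_party = r["displayText"].strip().lower() in IMPERSONATED_NAMES
        touches_mail = any(m in r["scopes"] for m in MAIL_OR_CONTACTS_MARKERS)
        if looks_first_party and touches_mail:
            hits.append((r["user"], r["displayText"].strip(), r["clientId"].strip()))
    return hits


def revoke_commands(pairs):
    """Build the per-user GAM revocation commands from (user, clientId) pairs."""
    return [f"gam user {user} delete token clientid {cid}" for user, cid in pairs]
```

Review the suspicious_consents output by hand before feeding it to revoke_commands; the name-plus-scope heuristic is a triage aid, not proof that a token is malicious.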

May the 4th be with you (Happy Star Wars Day!),

J
