
Google quickly disables phishing scheme, but vulnerability remains

Internet security is a real pain. Even when you have done everything right and locked everything down tight, a new attack comes along that leverages legitimate sites and services to steal your private and sensitive data.

That is just what happened Wednesday, as a phishing scheme exploded that used Google’s own OAuth authentication system to grant access to a nefarious web app. Unlike other phishing schemes that use a fake internet address to lure the unsuspecting, this attack merely popped up a Google authorization request with a misleading app title.

It’s important to note that Google responded quickly and removed the offending app, thus shutting down this particular phishing scheme. However, the phishing method itself does not seem to have been rectified. Here’s Google’s statement:

“We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

The issue was originally highlighted on Reddit, where Redditor JakeSteam provided a step-by-step recreation of the attack. The attack has also been seen in the wild by Digital Trends’ own staff, and so we can confirm that these steps are accurately described.

The process was relatively simple. A potential victim received an email offering to share a Google Doc.


Clicking on the “Open in Docs” button popped up a legitimate Google account selection screen. Selecting an account then returned an equally legitimate Google authorization request to allow the app to access the user’s Gmail and Google contacts information.


It’s only by clicking on the “Google Docs” developer link that the typical user’s suspicion level might be raised. The problem here is that many people would trust an offer to share a Google Docs file, so it makes perfect sense to them that Google Docs would be the app requesting access.

If you’ve already fallen prey to this phishing scheme, then you will want to disallow that app from accessing your data. You can do that by visiting the Connected Apps and Sites section of Google’s security page and clicking “Manage Apps.” Then click on the Google Docs app in the list, and hit the “Remove” button. Now might be a good time to review all of your connected apps and remove any that aren’t legitimate.
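The connected-apps review described above can be expressed as a repeatable check. This is an added example, not code from the article or from Google: it flags grants whose display name matches a well-known product but whose client ID is not one you have verified, and grants that hold the Gmail or contacts scopes. The record shape, client IDs and allow-list are constructed assumptions; the scope URLs are Google's published OAuth scopes.

```python
import unicodedata

# Assumption: product names whose imitation matters; the article's case is "Google Docs".
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}

# Google OAuth scopes for full Gmail access and contacts, the data the article names.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

# Assumption: client IDs you have verified yourself (constructed placeholder value).
TRUSTED_CLIENT_IDS = {"0000000001-firstparty.apps.example"}

# Constructed sample inventory; the record shape is hypothetical.
SAMPLE_GRANTS = [
    {"client_id": "0000000001-firstparty.apps.example", "display_name": "Google Docs",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"client_id": "0000000002-unknown.apps.example", "display_name": "Google  DOCS",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"client_id": "0000000003-notes.apps.example", "display_name": "Team Notes",
     "scopes": ["openid", "email"]},
]

def normalize(name):
    """Fold case, Unicode compatibility forms and whitespace before comparing titles."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def review_grant(grant):
    """Return the reasons a grant needs revocation review (empty list = none)."""
    if grant["client_id"] in TRUSTED_CLIENT_IDS:
        return []
    reasons = []
    if normalize(grant["display_name"]) in PROTECTED_NAMES:
        reasons.append("display name matches a protected product name")
    risky = sorted(SENSITIVE_SCOPES & set(grant["scopes"]))
    if risky:
        reasons.append("sensitive scopes: " + ", ".join(risky))
    return reasons

def flag_grants(grants):
    """Map client_id -> reasons for every grant with at least one reason."""
    reviewed = {g["client_id"]: review_grant(g) for g in grants}
    return {cid: why for cid, why in reviewed.items() if why}

if __name__ == "__main__":
    for client_id, reasons in flag_grants(SAMPLE_GRANTS).items():
        print(client_id, "->", "; ".join(reasons))
```

The name check alone is not proof of abuse, which is why the output is a list of reasons for a human to review rather than an automatic revocation.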

The primary lesson here is the same as it has been for a long time now: If you aren’t expecting a shared file, then do not click anything when one is offered. If you are not sure who the file is from, then look into the sender and make sure it’s someone you trust.

Google will likely be looking into this issue and hopefully figuring out a way to resolve it. This particular phishing attack was shut down, but the ability to use Google’s legitimate authentication system for attacks is worrisome.

Mark Coppock