Earlier this month, Google sent users into shock when it reported that a phishing scam had been targeting their users. The emails were sent out to millions of users, claiming to be from Google itself and doing a very good impression of the emails automatically generated by Google when someone shares a Google Doc with you. The links in the email, if clicked (don’t), took users to a genuine Google page asking for widespread permissions across your Google accounts. If victims allowed this request, it granted hackers access to a vast amount of personal data stored within the accounts. From examination, hackers can only gain access if you grant these permissions, but if you click on the link in the email it does sent it on to everyone in your contacts list, spreading the scam further. So what can we learn from this?
Well the first thing worth noting is that Google users were the intended targets here, and there may be a very good reason for that. Google has always been a firm advocate of connectivity and sharing of information across devices. Unfortunately this means that all of your data is being stored in a centralised cloud server and distributed to all of your devices from there, making it much easier to access than if it were spread out. This scam serves to highlight the danger of hyper connectivity in the modern world. In the past, a hacker would have to work quite hard to get hold of your data, as it would all be stored in different places. If they wanted information from your computer and your phone, they would have to crack both of those devices to get it. But thanks in part to Google technological advances, hackers only have to get their hands on your Google logins in order to access everything they need, from files to personal information, passwords and even bank details.
As quickly as advances happen, hackers are quick to catch up and even leapfrog them. This particular attack was a very sophisticated and well planned one – much more so than the usual phishing attempts we see. This, combined with some other examples, leads us to believe that scammers are responding to the general public’s increased knowledge of what to look out for, and are trying out new ways to fool people. For example, we have always advised people to check the spelling and grammar of any suspicious looking emails – as this is a big giveaway for phishing. But these new schemes have featured flawless English. Imitation of well known brands is common, but never to this level of sophistication. This is the reason that so many people were fooled by this scam – just shy of half a million users in fact – it was very well done indeed.
The final reason this attack was so successful is simple – the phishing email used a genuine link to a genuine Google page to entice people into clicking. An easy tell for a phishing email is hovering over any links with your mouse to give you a preview of the link location. This will either show you the real site and prove the email to be genuine, or a strange URL likely to contain malware. But this attack sent users to a genuine Google sign-in screen, creating confidence that users weren’t being scammed. But from filling in their details on this page they are asked to ‘continue to Google Docs’ and that’s where the cleverness happens. This sends you to a third-party web app that is simply named Google Docs, which gives phishes access to your email, address book and anything else kept within your Google account. It is working within Google’s system and taking advantage of the fact that you can create a non-Google web app with a misleading name.
Google has already reacted to this and shut down access to the million accounts affected in that short space of time. If you did click on this email, you can revoke future access by going through Google’s “connected apps and sites” page, where it will appear as ‘Google Docs.” For business owners who rely on Google Drive as their storage and backup, this scam is a rather startling jolt to their comfortable environment. While it may be difficult to admit, sometimes simply using a third party solution just isn’t secure enough, particularly when you are handling sensitive information of any nature. That's why we create tailored IT security and cloud back up systems that work with your needs to deliver flawless security 24/7. For more information, get in touch with me today.