1 million Gmail users fell victim to a phishing scam, but here's how Google will stop that happening again
Early last week, roughly a million Gmail users fell victim to a massive Google Docs phishing attack. The scam pointed users at a malicious third-party app which, once authorized, gave the attackers access to their email and contacts. Google says it shut the attack down within an hour, but it is now trying to further reassure users by publishing details of its defenses.
The phishing attack tricked people into clicking what looked like a link to a shared Google Doc, but the link led to the permission screen of a malicious app that then compromised user accounts. The app requested permission to “read, send, delete, and manage your email” and “manage your contacts”, which should have been a red flag: the real Google Docs never asks for these permissions.
But because we’ve become so used to granting permissions to various services, many people actually gave the green light without a second thought.
Google has come under fire for allowing the attack to happen, a criticism compounded by the fact that it was warned that this could happen as early as 2011.
According to Google, it employs the following defenses against phishing attacks:
- Using machine learning-based detection of spam and phishing messages, which has contributed to 99.9% accuracy in spam detection
- Providing Safe Browsing warnings about dangerous links, within Gmail and across more than 2 billion browsers
- Preventing suspicious account sign-ins through dynamic, risk-based challenges
- Scanning email attachments for malware and other dangerous payloads
However, these defenses were not enough to stop this attack, which abused Google’s application permissions interface, built on the OAuth 2 standard, rather than any flaw in it. The victim authorized the app through Google’s own consent screen, so the attacker walked away with an OAuth access token to the account instead of a stolen password, and protections aimed at malicious links, credential theft and attachments had little to catch.
The company acknowledged as much, and it had the following to say:
“In addition, we’re taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users.”
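The last item in that list, monitoring what third-party apps ask for, is also a check an organization can run on its own side before a consent request is approved. The following is an added example, not Google’s code and not taken from the source article: it parses a standard OAuth 2 authorization-endpoint URL, pulls out the client ID, redirect URI and requested scopes, and flags the two things that marked this attack, an app presenting itself under a first-party product name and a request for full mailbox or contacts access. The two Google scope URIs and the `accounts.google.com` endpoint are real identifiers; the client IDs, redirect hosts, the list of protected product names and the allow/review/block policy are assumptions, and the sample URLs are constructed test data.

```python
"""Added example: triage an OAuth 2 consent request before a user approves it.

Not Google's code.  Policy thresholds, app names, client IDs and redirect
hosts below are assumptions; the sample URLs are constructed test data.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Real Google OAuth scope URIs that hand an app full control of a user's
# mailbox or contacts (the permissions the malicious "Google Docs" app asked for).
HIGH_PRIVILEGE_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage all mail",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
}

# Product names no third-party client should present itself as (assumed list;
# extend it with your own brand names).
FIRST_PARTY_NAMES = {"google", "google docs", "google drive", "gmail"}


@dataclass(frozen=True)
class ConsentRequest:
    app_name: str        # name shown on the consent screen
    client_id: str
    redirect_uri: str
    scopes: frozenset


def parse_authorization_url(url: str, app_name: str) -> ConsentRequest:
    """Extract the OAuth 2 parameters from an authorization-endpoint URL.

    `scope` is a space-separated list (RFC 6749 section 3.3); parse_qs
    percent-decodes the values for us.
    """
    query = parse_qs(urlparse(url).query)
    return ConsentRequest(
        app_name=app_name,
        client_id=query.get("client_id", [""])[0],
        redirect_uri=query.get("redirect_uri", [""])[0],
        scopes=frozenset(query.get("scope", [""])[0].split()),
    )


def risk_findings(req: ConsentRequest) -> list:
    """Return human-readable reasons this consent request looks suspicious."""
    findings = []
    name = " ".join(req.app_name.lower().split())
    redirect = urlparse(req.redirect_uri)
    host = (redirect.hostname or "").lower()
    # A third-party client calling itself "Google Docs" is the tell of this campaign.
    if name in FIRST_PARTY_NAMES:
        findings.append(
            f"app name {req.app_name!r} impersonates a first-party product but is a "
            f"third-party client ({req.client_id}) redirecting to {host or '?'}"
        )
    # Full mail/contacts access is far more than a document-sharing app needs.
    for scope in sorted(req.scopes & set(HIGH_PRIVILEGE_SCOPES)):
        findings.append(f"requests high-privilege scope {scope} ({HIGH_PRIVILEGE_SCOPES[scope]})")
    if req.redirect_uri and redirect.scheme != "https":
        findings.append("redirect_uri is not https")
    return findings


def decision(req: ConsentRequest) -> str:
    """Assumed policy: impersonation or full-mailbox access is blocked, any other
    high-privilege scope goes to human review, everything else is allowed."""
    findings = risk_findings(req)
    if not findings:
        return "allow"
    if any("impersonates" in f for f in findings) or "https://mail.google.com/" in req.scopes:
        return "block"
    return "review"


# Constructed sample authorization URLs: the endpoint and parameter names are
# real, the client IDs and redirect hosts are made up.
MALICIOUS_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=111111111111-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fcalendar.example.com%2Foauth2callback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
)

if __name__ == "__main__":
    for url, shown_name in ((MALICIOUS_URL, "Google Docs"), (BENIGN_URL, "Team Calendar")):
        req = parse_authorization_url(url, shown_name)
        print(shown_name, "->", decision(req))
        for finding in risk_findings(req):
            print("  -", finding)
```

The app name is passed in separately because it is not carried in the authorization URL; it comes from the client registration (the name rendered on the consent screen), which is exactly where the attacker's "Google Docs" label lived. In a real deployment the scope table and the protected-name list would be policy data, and a "block" would translate to denying or pre-emptively revoking the grant for the tenant.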
Still, while a million victims is a lot of people, Google points out that the figure amounts to just 0.1 per cent of Gmail users. That is as much a reminder of how large the Gmail user base is as a consolation, and more effort will be needed to stop the next campaign from reaching still more people.
Source: Google Security Blog