Over a million Gmail users got hit by a phishing worm yesterday, sending the security world into a cacophony of screams and laughter. Screams, because the attack looked like it came from Google itself. Laughter, because the attack looked like it came from Google itself.
While some chin-scratching observers called it "sophisticated", Wednesday's worm was dreadfully simple on the surface. The attack started with a convincing email that contained the same language as a Google Docs invitation along with the same button Google uses to open the document. (Only frequent Google Docs users would have noticed that the overall design of the email was not quite right.) Clicking the link would take the user to a series of pages that looked just like the real Google sign-in process. Why? Because they actually were real Google sign-in pages.
Long story short, the hacker built an app called "Google Docs" and registered it with Google. For whatever reason, Google allowed the app to use its OAuth process and, in turn, trick lots and lots of people into handing over their accounts to a hacker. One thing Google did do right was shut down this phishing worm very quickly. According to members of the Google security team on Reddit, only 30 minutes passed from the time the attack was reported until the fake Google Docs app got nuked. Nevertheless, Google says that 0.1 per cent of all Gmail users were affected, and while that seems like a very small percentage, Google says there are over a billion Gmail users. (That's where the "over one million" figure comes from.)
It's so far unclear how the hacker managed to get a fake Google Docs into Google's OAuth ecosystem. Google says that it has ways of preventing this, although the company declined to comment on exactly how. Which makes sense, since Google wouldn't want to reveal all of its defences to hackers.
"Google detects and reviews potential OAuth abuse and takes down apps that violate our User Data Policy, such as impersonating a Google app," a Google spokesperson told Gizmodo in an email. "Note that a real Google app should be directly accessed from a Google site or installed from the Google Play or Apple App stores."
For the poor souls who authorised the fake Google Docs app, there's some bad news. We know that the attacker accessed victims' contacts, because the worm spread by sending more emails to those contacts. Authorising the app also would have given the hacker access to the contents of the victims' inboxes. (Remember, the DNC hack was traced back to a phishing attack.) Theoretically, the attacker could use the inbox contents to go after individuals' bank accounts, even within that narrow window of access.
"If it was planned and they knew that certain email addresses were tied to certain banks, [the hackers] would have had plenty of time to do that," Sven Dietrich, an IEEE senior member and associate professor at John Jay College of Criminal Justice, told Gizmodo in an interview. "The authorisation doesn't get you the usernames and passwords," Dietrich said, adding that hackers could have also executed a script that recorded keystrokes.
There is some good news. A purported copy of the source code makes it seem like the phishing worm was simply designed to propagate itself, although it's possible that more malicious code was involved in the attack. At this point, time will tell how much damage this hacker caused with his stupidly simple phishing worm.
If you were one of the poor saps who fell for this scam, you should change your passwords and double-check which third-party apps have been granted access by using Google's Security Checkup. Heck, everybody might as well do the checkup — just for fun! Victims should also think hard about what's in their inbox, since there's a chance that data might end up for sale on the dark web in six months.
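For an organisation rather than a single user, that same check can be scripted. The following is an added example, not code from the article: it flags OAuth grants that look like the fake app described above (a third-party client named after a Google product, holding contacts or mail scopes). It assumes grant records in the shape of the Google Admin SDK Directory API `tokens.list` response and an organisation-maintained allowlist of known-good client IDs; the sample records are constructed.

```python
"""Audit OAuth grants for consent-phishing indicators (added example)."""
import re

# Scopes that, granted to an untrusted app, expose the contacts and inbox
# contents the fake "Google Docs" app was able to reach.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Assumption: the organisation keeps its own allowlist of vetted client IDs.
TRUSTED_CLIENT_IDS = {"123456789012-trusted.apps.googleusercontent.com"}

# Heuristic: a third-party client whose display name borrows a Google brand.
GOOGLE_PRODUCT_NAME = re.compile(r"\b(google|gmail|drive|docs)\b", re.IGNORECASE)


def audit_grants(grants):
    """Return (userKey, displayText, reason) for each suspicious grant."""
    findings = []
    for g in grants:
        if g["clientId"] in TRUSTED_CLIENT_IDS:
            continue
        reasons = []
        if GOOGLE_PRODUCT_NAME.search(g.get("displayText", "")):
            reasons.append("third-party app named like a Google product")
        granted = set(g.get("scopes", [])) & SENSITIVE_SCOPES
        if granted:
            reasons.append("sensitive scopes: " + ", ".join(sorted(granted)))
        if reasons:
            findings.append((g["userKey"], g.get("displayText", ""), "; ".join(reasons)))
    return findings


# Constructed sample: a vetted app, an unknown "Google Docs" look-alike, and a
# benign unknown app with a narrow scope.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "123456789012-trusted.apps.googleusercontent.com",
     "displayText": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com", "clientId": "999999999999-unknown.apps.googleusercontent.com",
     "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "carol@example.com", "clientId": "555555555555-other.apps.googleusercontent.com",
     "displayText": "Expense Tracker", "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]

if __name__ == "__main__":
    for user, app, why in audit_grants(SAMPLE_GRANTS):
        print(f"{user}: '{app}' -> {why}")
```

Grants flagged this way are candidates for revocation and for a password reset on the affected account, in line with the advice above.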
Here's another tip, now that we're all paying attention to our internet hygiene. Instead of using your regular Gmail account to authorise apps through Google OAuth, set up a shell account to do that. This way, if you do fall for a phishing scam, hackers won't have access to all of your friends and emails and deepest darkest secrets. That shell account is also a good one to use for password recovery.
"Spread things over multiple accounts to contain any compromise to a smaller subset," Dietrich said. "It's a bit like George Costanza when he says, 'My worlds are colliding!' You don't want your worlds to collide. You want to compartmentalise."
As far as we know, the hacked credentials haven't been used to break into a million people's bank accounts yet. And since Google quickly shut down the fake Google Docs app, the hacker only had access to victims' accounts for a few minutes. Nevertheless, a few minutes is plenty of time to steal a lot of data, so the story could be far from over.