Google Tightens OAuth Rules to Combat Phishing

Following last week’s phishing attack against Gmail users, Google is planning tightened OAuth rules to prevent similar incidents from occurring.

Phishing emails, which impersonate a trusted source to trick the recipient into opening a malicious attachment or clicking a suspicious link, have long been a favorite tool for attackers. Google’s email service blocks millions of phishing emails each day, but last week’s incident proved that the system isn’t invincible.

The phishing attack tricked users into granting access to their contact information to a third-party application cleverly named “Google Docs.” The incident resulted in the attacker gaining access to all of the affected users’ email content, and in the phishing email immediately propagating to all of the victim’s contacts.

The phishing emails, which appeared to arrive from someone in the victim’s contact list, claimed to contain a link to Google Docs content that the sender wanted to share with the recipient. Once the user clicked on the link, they were taken to a legitimate Google sign-in page, where they were asked to authorize an app called “Google Docs,” thus allowing it to read, send, delete, and manage emails and contacts.

Google was able to spot and block the attack fast, but because the attack relied on OAuth, the immediate actions users might have taken, such as changing passwords, had no effect: the attackers retained access to the account, and only revoking the offending app’s permissions removed it.
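As an added illustration of that last point (not code from Google or from the article), the following small audit scans a user’s OAuth grants for the combination the attack relied on: mail and contacts scopes granted to a third-party app whose name mimics a Google product. The record shape is assumed to follow the Admin SDK Directory API token resource, and the sample records are constructed.

```python
"""Flag OAuth grants that look like a 'Google Docs'-style consent phish (added example)."""
import re

# Scopes that let an app read, send and delete mail, or read contacts.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}
# A third-party app whose display name mimics a Google product.
GOOGLE_LOOKALIKE = re.compile(r"\bgoogle\b|\bg ?mail\b|\bdocs\b", re.IGNORECASE)

# Constructed sample records, shaped like Admin SDK Directory API token resources (assumed).
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111111111111-legit.apps.googleusercontent.com",
     "displayText": "Calendar Sync", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "alice@example.com", "clientId": "222222222222-fake.apps.googleusercontent.com",
     "displayText": "Google Docs", "anonymous": False, "nativeApp": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
]


def assess_token(token):
    """Return the list of reasons a grant looks suspicious (empty if none)."""
    reasons = []
    risky = HIGH_RISK_SCOPES & set(token.get("scopes", []))
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if GOOGLE_LOOKALIKE.search(token.get("displayText", "")):
        reasons.append("display name mimics a Google product: %r" % token["displayText"])
    if token.get("anonymous"):
        reasons.append("anonymous (unverified) client")
    return reasons


def flag_grants(tokens):
    """Return (userKey, clientId, reasons) for grants pairing a risky scope with another red flag.

    These (user, client) pairs are what an administrator revokes; a password reset leaves them valid.
    """
    flagged = []
    for t in tokens:
        reasons = assess_token(t)
        if any(r.startswith("high-risk") for r in reasons) and len(reasons) > 1:
            flagged.append((t["userKey"], t["clientId"], reasons))
    return flagged


if __name__ == "__main__":
    for user, client, why in flag_grants(SAMPLE_TOKENS):
        print(f"REVOKE {client} for {user}: {'; '.join(why)}")
```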

“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again,” Google said after the incident.

Now, the company reveals that it is updating its policies and enforcement on OAuth applications to prevent similar attacks from happening in the future. Moreover, updates to Google’s anti-spam systems should help prevent similar campaigns, and augmented monitoring of suspicious third-party apps that request information from users should add an extra layer of security.

“We’re committed to keeping your Google Account safe, and have layers of defense in place to guard against sophisticated attacks of all types, from anti-hijacking systems detecting unusual behavior, to machine learning models that block malicious content, to protection measures in Chrome and through Safe Browsing that guard against visiting suspicious sites,” Google says.

What should be noted is that the concept of launching such an attack isn’t new. It was first presented in 2011 by André DeMarre, and then thoroughly detailed by Greg Carson in February 2017.

In fact, the cyber espionage group known as Pawn Storm (aka Fancy Bear, APT28) was observed using the very same technique in the past. Trend Micro recently revealed that this actor’s phishing scheme employed an application dubbed Google Defender, while abusing “the same legitimate OAuth connection to exploit the user’s lack of knowledge of available services.”

In an emailed statement to SecurityWeek, Jaime Blasco, Chief Scientist at AlienVault, shared a similar point of view: “This is similar to what APT28 (the group behind the DNS hack, France election groups attacks, etc) was using a while back. I don’t believe they are behind this though because this is way too widespread. Many people/organizations have received similar attempts so this is probably something massive and less targeted.”

According to Google, less than 0.1% of Gmail users were impacted by last week’s “Google Docs” incident, but, as Talos’ Sean Baird and Nick Biasini point out, this proof-of-concept did reveal that a convincing Google phish via OAuth is possible.

To further protect users from such attacks, Google also announced anti-phishing security checks for Gmail for Android. Thus, users will be warned when clicking on suspicious links they receive via email, which should help prevent them from disclosing financial and personal information.

Related: Google Docs Phishing Scam Doused After Catching Fire

Related: Google to Revoke OAuth 2.0 Tokens Upon Password Reset


Ionut Arghire is an international correspondent for SecurityWeek.
