Million users hit by Google Docs phishing scam


Last week around a million Google Docs users were hit with a very clever phishing scam. While Google has taken down the offending app and closed the loophole that allowed it to happen, there are still risks with the platform. So what was the attack all about and what do you look for to avoid phishing scams?

The Google Docs phishing scam was enabled by OAuth, an online security protocol that allows third-party tools to access applications. In this case, a Google Docs application used OAuth to request permission to access Gmail and Google. Once users agreed, no further permissions or interactions were necessary in order to allow the application to work.

Usually, OAuth makes it simple to enable third-party extensions or add-ons to interact with applications. In this case, someone was able to create a fake app that fooled users into thinking it was a legitimate Google app. The app looked and felt genuine, and because it requested permission from inside Google Docs using OAuth, people naturally trusted it.

How did the Google Docs phishing scam happen?

A loophole in Google’s systems allowed someone to create a third-party app and call it Google Docs. Users who received a notification in Gmail to enable the app granted the extension full access because it looked to be from Google themselves, only it wasn’t.

This potentially opened up those users to identity theft or worse, as the app gained full access to users’ email accounts and Google Docs.

Regular users of Google Docs will know that third-party apps and extensions offer lots of extra features to the various apps within the suite. I myself use a few Google Docs addons for the extra productivity and time-saving features they can offer. What usually happens is that you open a Doc, Sheet or whatever, look for an addon from within the app, allow it access to that Doc or Sheet and then begin using it.

When used for good, this process is fast and very straightforward. Some enterprising hacker obviously thought so too.

Google said they closed the loophole within an hour of being notified but up to a million accounts had already been compromised. If you recently allowed Google Docs access to your Gmail account or other Google accounts, now might be a good time to change your passwords.

According to Google:

‘While contact information was accessed and used by the campaign, our investigations show that no other data was exposed,’ Google said in a statement. ‘There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.’
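
The check below is an added example, not code from Google or from this post: it audits a list of third-party app grants for the two traits this scam combined, a trusted product name on an unknown app and a request for mail and contact access. The record fields, the allow-list of client IDs and the sample grants are assumptions constructed for illustration.

```python
import unicodedata

# Assumed policy data, constructed for illustration.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
FIRST_PARTY_CLIENT_IDS = {"first-party-docs.example"}  # placeholder ID
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                  # read, send and delete mail
    "https://www.googleapis.com/auth/contacts",  # read and edit contacts
}

def normalize(name):
    """Fold case, compatibility characters and spacing before comparing names."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def classify(grant):
    """Return 'revoke', 'review' or 'ok' for one app grant."""
    spoofed = (normalize(grant["display_name"]) in PROTECTED_NAMES
               and grant["client_id"] not in FIRST_PARTY_CLIENT_IDS)
    risky = bool(HIGH_RISK_SCOPES & set(grant["scopes"]))
    if spoofed:
        return "revoke"  # a trusted name on an unknown client is never acceptable
    if risky:
        return "review"  # broad access may be legitimate, but a person should confirm
    return "ok"

def audit(grants):
    """Map client_id -> verdict for every grant that is not 'ok'."""
    verdicts = {g["client_id"]: classify(g) for g in grants}
    return {cid: v for cid, v in verdicts.items() if v != "ok"}

# Constructed sample grants (not real client IDs).
SAMPLE_GRANTS = [
    {"display_name": "Google  Docs", "client_id": "unknown-1111.example",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"display_name": "Mail Merge Helper", "client_id": "vendor-2222.example",
     "scopes": ["https://mail.google.com/"]},
    {"display_name": "Google Docs", "client_id": "first-party-docs.example",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"display_name": "Word Counter", "client_id": "vendor-3333.example",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]

if __name__ == "__main__":
    for client_id, verdict in audit(SAMPLE_GRANTS).items():
        print(client_id, verdict)
```

The name comparison only folds case, spacing and compatibility characters, so a name that differs by a visually similar letter from another alphabet would need an additional confusables check.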

How to avoid phishing scams

There is no way to avoid all phishing scams as some of them are very sophisticated indeed, as this Google Docs phishing scam has shown. However, by following a few simple rules, you can lower the risk of falling prey to such a scam by a significant amount.

Never click an email link

If you’re not sure who sent an email, never click within it. Links can be hidden in images or signatures, or disguised as a completely different link, so it is best to avoid them altogether. If you are a hundred percent sure of who sent the email, the risk is lower but you should still be aware.

If the email looks genuine, say from your bank or credit card company, visit the website separately from your browser. Do not click a link in an email as these can lead to perfect copies of your bank’s website.

If you’re not expecting an email, don’t open it

If you receive an email from an address you don’t recognize, don’t open it. This is especially true if you receive one out of the blue. Always be suspicious of random emails even if they look legitimate. If you use Outlook, use preview mode to look at the email without activating anything within it.

If you’re unsure, delete it. If it was legit or important, the sender will send another or contact you a different way.

If it looks or feels wrong, delete it

Some phishing emails are blatantly wrong, contain very poor English or just look suspicious. Delete them.

Don’t depend on bad English or spelling mistakes to decide whether an email is a scam or not. Some of the more sophisticated emails have perfect English and replicate the company they are purporting to be very well. Some businesses cannot write very well and come across as foreign, so don’t rely on language use alone.

If it looks or feels phony, just delete the email. Better safe than sorry.

Be proactive

If online accounts allow two-factor authentication, use it. This can prevent the vast majority of hacking attempts. If you do fall prey to a phishing scam and accidentally give out your password, you have a second line of defense to protect yourself.

Also, periodically check your online accounts for any changes. Enable notifications of changes for a little extra protection. Many larger organizations will automatically email you if anything changes on your accounts but don’t depend on it. Check your email, regularly used store accounts and any account that could impact you financially. If they have an option to notify you of any changes, make sure to use it.

Protect your computer

Antivirus and malware scanners cannot protect you from phishing but they can protect your computer from the results of phishing. If you are tricked into landing on an infected web page that tries to download malicious code onto your computer, your antivirus can stop it. If you click on a popup ad that includes malware, you need to be able to stop that too.

That’s where a good antivirus and malware scanner comes in. You should also run a software firewall on every connected computer to prevent malicious programs ‘phoning home’ with your personal data.

There are currently no programs or technological means to protect you from all forms of phishing. It is mainly down to you and your awareness of the threat. Hopefully now you know what to look for, you can avoid the majority of these scams.

If you do have issues with malware or viruses, the computer repair specialists here at Dave’s Computers are here to help. Contact us to learn more!
