After last week's attack, Google will work to make Gmail even safer against phishing attacks by adding more rules

May 8, 2017 14:49 GMT

Following last week's widespread phishing attack on Gmail users, Google says it will work on tightening enforcement of the OAuth system it uses for linking Google accounts to third-party apps. 

Last week, people were receiving emails containing a fake Google Docs link that appeared to come from someone they knew. Upon tapping the link, the user was taken to a page where they were asked to grant permissions to "Google Docs." This, however, wasn't the actual Google Docs from the Mountain View company, but a fake tool that sought to obtain account permissions.

Google dealt with the problem within an hour of getting the first reports, but by then plenty of people had tapped the link. Thankfully, removing permissions for the app was quite simple.

The bogus app used Google's very own OAuth implementation to request access to the Gmail accounts of those targeted. Once the permission was granted, it sent the same phishing email to the victim's contacts.
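One defender-side check this incident suggests, as an added example that is not from the article or from Google: audit recorded OAuth consent grants and flag unverified third-party apps that borrow a Google product name or hold mail and contacts scopes. The record layout, the "verified publisher" field, and the sample grants are assumptions constructed for the example.

```python
# Added example (not from the article): audit OAuth consent grants for the
# pattern described above, a third-party app whose display name imitates a
# Google product and that asks for mail and contacts access. The record
# layout, field names and sample data are constructed for illustration.
from dataclasses import dataclass

# Scopes that let an app read mail and enumerate contacts, the access the
# fake "Google Docs" app needed in order to spread; treated as high-risk here.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}
# First-party product names a consent-phishing app is likely to imitate.
IMPERSONATED_NAMES = {"google docs", "google drive", "gmail", "google"}


@dataclass(frozen=True)
class ConsentGrant:
    user: str
    app_name: str
    client_id: str
    verified_publisher: bool  # assumption: the log records publisher verification
    scopes: frozenset


def grant_risk(grant: ConsentGrant) -> list:
    """Return the reasons a grant looks like consent phishing (empty list = clean)."""
    reasons = []
    name = grant.app_name.strip().lower()
    if name in IMPERSONATED_NAMES and not grant.verified_publisher:
        reasons.append("unverified app impersonates a Google product name")
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky and not grant.verified_publisher:
        reasons.append("unverified app holds high-risk scopes: " + ", ".join(sorted(risky)))
    return reasons


def audit(grants) -> list:
    """Return (user, client_id) pairs whose grants should be revoked and reviewed."""
    return [(g.user, g.client_id) for g in grants if grant_risk(g)]


# Constructed sample: one legitimate grant, one matching the phishing pattern.
SAMPLE_GRANTS = [
    ConsentGrant("alice@example.com", "Calendar Helper", "client-legit-001", True,
                 frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    ConsentGrant("bob@example.com", "Google Docs", "client-fake-999", False,
                 frozenset(HIGH_RISK_SCOPES)),
]

if __name__ == "__main__":
    for user, client_id in audit(SAMPLE_GRANTS):
        print(f"revoke {client_id} for {user}")
```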

This is not a new technique. In fact, even the Fancy Bear hackers, who are responsible for the US and French election hacks, used the same technique.

More work to be done

Despite some of these incidents falling through the cracks, Google does have mechanisms to combat this type of phishing attack, such as machine-learning spam detection, the Safe Browsing system, and anti-virus scans on attachments. The company, however, will now also update its policies and enforcement on OAuth apps.

"We're taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users," said Mark Risher, director of Google's Counter Abuse Technology.

According to Risher, fewer than 0.1% of users were affected by this attack.