Originally published on the Tripwire Security Awareness blog.
Even if you weren’t aware of it, you likely contributed to the security awareness of the global Internet community during the first week of May.
By now you’ve undoubtedly heard of the phishing scam using a phony Google Docs third-party extension. Across all sectors of social media, word spread like wildfire.I know I couldn’t scroll through my Facebook feed on May 3 without seeing post after post, story after story, warning others of this scam.
I use Facebook as my primary social medium, but the story spread just as quickly on Twitter, LinkedIn, Reddit, and most other social sites. In fact, some reports indicate one of the first accounts of the attack timeline was posted on Reddit.
How it Worked
It went like this: Millions of Google users received a wholly legitimate looking email with the subject line “[Sender] has shared a document on Google Docs with you.” The email, in addition to looking like a Google-generated message, appeared to come from someone the receiver knows.
This screen grab GizModo posted shows an example of what the from and subject line fields of the phishing email looked like:
Clicking on the “Open in Docs” button took the user to an authentic login screen asking the user to give “Google Docs” permission to access his or her Google account. Here’s where the evil genius of this social engineering attack comes in. This Google Docs app was not the real Google Docs. It was a cleverly design third-party app that a nefarious developer snuck past Google’s defenses masquerading as the legitimate version.
Once the user filled in his or her credentials, the app (and by extension the developer) had full access to the user’s inboxes and contact list. This triggered a mass send to everyone of the user’s contacts, starting the cycle over again.
The phony emails were reportedly sent out to millions, though no reports have surfaced of this attack leading to breaches of personal or sensitive information (other than the contact lists of those affected). Fortunately, Google’s security team shut down the fake app in about an hour.
— Google Docs (@googledocs) May 3, 2017
The Silver Lining
The Google Docs phishing attack of 2017 gripped much of the online world for a good two days or so, but really could not have ended better.
For one, Google’s security team snapped into action almost as soon as the attack was reported. As CSO Online staff writer Steve Ragan tells the tale:
“On Reddit, around the time the attack hit its peak, a user posted a full outline, warning others about the situation. Within moments, a staffer at Google took notice and passed the details over to engineering, who said they expected a fix within an hour.”
For two, the experience was a textbook example of threat sharing writ large. Dozens of my Facebook friends took it upon themselves to share screenshots of the suspicious emails and login screen warning others to beware. It didn’t take long for InfoSec news sites to catch wind of the scam, with articles and blog posts hitting the web explaining the timeline of the attack and what users could do to thwart it.
Toward a Security-Aware Culture
The discussions happening across my social media feeds immediately made me think of the noteworthy phishing emails my coworkers have received in the last few months. They’ve come in a wide variety, from R-rated advertisements for various sorts of female “services” to f-bomb laden threats of legal action.
The commonality, though, is how quickly word of all these attacks spread around the office. From a security awareness perspective, these are exactly the conversations employees should be having about cyberthreats. These conversations prove that a truly security-aware culture has been achieved.
We’re not the only ones thinking this way. Security awareness guru Lance Hayden, writing in CSO Online, shared a story about the heightened level of security awareness the Google Docs phishing scam revealed at his company. He runs the company’s security awareness efforts, which include simulated phishing attacks, and was thrilled to report how quickly his employees spread word of the scam.
“Watching my own team go from limited awareness to spontaneous security conversations without my intervention was awesome, and showed that our awareness efforts are working,” Hayden wrote.
Security Awareness Goes Mainstream
Now of course, an increased level of threat awareness on the part of the original clickers (patients zero through 20, say) could have likely stopped the Google Docs attempt in its tracks. But that’s no reason to downplay the positive impacts the attack did have. Those folks have likely been added to the ever-growing number of people who are phish-proof.
This sort of attack is unlikely to be the last of its kind. For that reason alone, it should be remembered as a cautionary tale.
But it should not stop there. In a perfect world for those tasked with improving security awareness, May 3 would become a global Security Awareness Day. A commemoration of the day the global Internet community become more security aware. A commemoration of the day security awareness became mainstream. Will you and your organization celebrate?
Contact us to learn how you can bring a first-class security awareness program to your organization.