On May 3, Gmail users started receiving phishing emails on their mailboxes with links to Google Docs. In the sender’s field, as well as in the body of the letter was indicated the user’s data from the victim’s contact list. The sender allegedly provided the recipient access to documents posted in Google Docs. When the link was opened in the email, the user was redirected to a legitimate Google account selection page, but immediately after the selection, the user had to provide the application that masqueraded as the official Google Docs application with access to letters, address book, etc.
After that, the mailing took place on the entire contact list of the victim. In this case, it is worth noting that the targeted user has always been in the copy of the letter, the recipient of which was the address firstname.lastname@example.org. The sender is the last user who opened the link and granted the application the requested rights.
This attack was called CloudPhishing. According to the latest Google reports, the attack was successful in one of thousands of cases, i.e. according to preliminary estimates, about one million users became victims of a successful phishing newsletter. At this point, the Google Docs fake application has been deactivated, and the permissions for it have been revoked. Also, Google released Gmail updates for Android. Now, in case of receiving a suspicious message, the user will be notified of the presence of a phishing link in it.
Users who have given access to a non-legitimate application to the data are advised to restrict access to applications by making access settings via the link: https://myaccount.google.com/permissions.
Although Google managed to conduct work on the attack mitigation, the attackers obtained an extensive database of Gmail mailboxes for further targeted mailings.
To protect against phishing mailing, for Gmail users, as well as corporate mail environments CheckPoint recommends the use of SandBlast technology, which is able to prevent zero-day attacks of this type.
Integrity Vision is the official CheckPoint partner for SandBlast specialization. We can provide equipment for testing your infrastructure.