A fast moving, but widespread phishing attack targeting Google Gmail and Docs users hit yesterday affecting an unknown number of victims with the likely goal of stealing login credentials and millions of additional email addresses that could be used for a future phishing campaign.
The attack was quickly mitigated by Google and so far nothing malicious has been done with the stolen information.
A Cisco Talos investigation found that an as yet unknown number of people received what its researchers described as basic phishing email, but instead of simply trying to obtain the victim's Google username and password or drop malware the attacker took a shot at requesting specific permissions to "Read, send, delete, and manage" email and contacts, Talos researchers Sean Baird and Nick Biasini wrote.
“The "Open in Docs" link contained in the email directed the recipient to a legitimate Google site which required log-in with Google credentials. Upon entering the site, a service called "Google Docs" requested permission to "Read, send, delete, and manage" email and contacts. This is a legitimate request and is part of a lot of applications that make use of google as an authentication mechanism. The portion that is not normal are the permissions that are being requested,” they said.
Courtesy Cisco Talos
Talos believes the attacker could have had several goals in mind with the attack. The first being a proof-of-concept for a future Google phishing scam via OAuth or to gather all the information out of the victim's account for future use in other attacks.
The attack lasted less than two hours overall with the meat of it taking place in during a 15 minute period around 3pm on May 3. Travis Smith, senior security research engineer at Tripwire, noted that Google was able to have a fix in place within an hour of the initial report.
Interestingly, so far nothing malicious has apparently happened with the stolen information such as a malicious payload being dropped.
“At this time, there does not appear to be anything malicious in the sense of stealing sensitive data; however having your account compromised in this manner can still make you feel violated. If anyone clicked through and granted permissions, it is a simple process to remove the access," Smith told SC Media. "Navigate to https://myaccounts.google.com/permissions and remove the permissions for the 'Google Docs' application.”
Talos believes the success of this attack will lead either this group or others to copy the format thus forcing everyone to be even more vigilant when opening email.