A phishing attack targeted Gmail users last week, sending them a fake link to a Google Doc that appeared to be from a known contact in order to get their login information. On Friday, Google's director of counter abuse technology Mark Risher published a blog post describing how the company defended against the phishing campaign, and the protections it has in place for users.
"If you use Gmail, you can rest assured that every day, millions of phishing emails are blocked from ever reaching your inbox," Risher wrote in the post. This particular attack tricked users into authorizing access to the fake Google Doc application through a mechanism called OAuth, and then attempted to gain more victims by sending the same message to everyone on the user's contact list.
Upon detecting last week's attack, Google "immediately responded with a combination of automatic and manual actions that ended this campaign within an hour," Risher wrote in the post.
"We removed fake pages and applications, and pushed user-protection updates through Safe Browsing, Gmail, Google Cloud Platform, and other counter-abuse systems," he continued.
Fewer than 0.1% of all Gmail users were affected by the attack, Risher noted, and Google has taken steps to ensure impacted accounts are secure.
Google protects users from phishing scams in a number of ways, Risher wrote in the post, including:
- Using machine learning-based detection of spam and phishing messages, which has contributed to 99.9% accuracy in spam detection.
- Providing Safe Browsing warnings about dangerous links, within Gmail and across more than 2 billion browsers.
- Preventing suspicious account sign-ins through dynamic, risk-based challenges.
- Scanning email attachments for malware and other dangerous payloads.
Google is updating its anti-spam systems to further prevent phishing campaigns such as this one. It is also increasing its monitoring of suspicious third-party apps that request information from Gmail users, the post stated.
"We're committed to keeping your Google Account safe, and have layers of defense in place to guard against sophisticated attacks of all types, from anti-hijacking systems detecting unusual behavior, to machine learning models that block malicious content, to protection measures in Chrome and through Safe Browsing that guard against visiting suspicious sites," Risher wrote in the post.
Gmail users can also take certain steps to ensure that they are keeping their account safe, Risher wrote, including taking the Google Security Checkup, paying attention to warnings and alerts that appear in Gmail, and reporting suspicious emails and other content to Google.
G Suite administrators face the added security challenge of managing a group of users' accounts. In the post, Risher said Google separately notified G Suite customers whose users fell prey to last week's phishing scam. While these administrators and business users do not need to take further action, Risher suggests considering the following best practices to improve business account security:
- Review and verify current OAuth API access by third-parties.
- Run OAuth Token audit log reports to catch future inadvertent scope grants, and set up automated email alerts in the Admin console using the custom alerts feature or script them with the Reports API.
- Turn on two-step verification for your organization and use security keys.
- Follow the security checklist if you feel that an account may be compromised.
- Help prevent abuse of your brand in phishing attacks by publishing a DMARC policy for your organization.
- Use and enforce rules for S/MIME encryption.
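One way to act on the "run OAuth Token audit log reports" and "script it with the Reports API" items above, as an added example that is not Google's or the article's own code: it parses the Reports API `token` activity shape (assumed here: application `token`, event `authorize`, parameters `app_name`, `client_id` and `scope`) from a constructed sample response and flags grants of mail or contacts scopes to client IDs that are not on an allowlist. The client IDs, e-mail addresses and timestamps are constructed placeholders.

```python
# Added example: flag third-party OAuth grants of sensitive scopes to unvetted
# clients, parsed from Reports API 'token' activity (assumed shape; the sample
# data below is constructed so this runs offline).
SENSITIVE_SCOPES = {  # scopes that expose mail or contacts
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}
# Client IDs the organization has reviewed (constructed placeholder values).
KNOWN_CLIENT_IDS = {"1234567890-vetted.apps.googleusercontent.com"}

# Constructed stand-in for activities().list(userKey="all", applicationName="token").
SAMPLE_RESPONSE = {"items": [
    {"id": {"time": "2017-05-03T19:05:00.000Z"},
     "actor": {"email": "alice@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "app_name", "value": "Google Docs"},
         {"name": "client_id", "value": "9999-unvetted.apps.googleusercontent.com"},
         {"name": "scope", "multiValue": [
             "https://mail.google.com/",
             "https://www.googleapis.com/auth/contacts.readonly"]}]}]},
    {"id": {"time": "2017-05-03T19:06:00.000Z"},
     "actor": {"email": "bob@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "app_name", "value": "Vetted App"},
         {"name": "client_id", "value": "1234567890-vetted.apps.googleusercontent.com"},
         {"name": "scope", "multiValue": ["https://mail.google.com/"]}]}]},
]}

def _params(event):
    """Flatten an event's parameter list into a dict; multiValue stays a list."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}

def risky_grants(response, known_clients=KNOWN_CLIENT_IDS):
    """Return (user, app_name, client_id, scopes) for each 'authorize' event
    that grants a sensitive scope to a client_id outside the allowlist."""
    findings = []
    for item in response.get("items", []):
        user = item["actor"]["email"]
        for ev in item.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = _params(ev)
            hit = set(p.get("scope") or []) & SENSITIVE_SCOPES
            if hit and p.get("client_id") not in known_clients:
                findings.append((user, p.get("app_name"), p["client_id"], sorted(hit)))
    return findings
```

Each finding is a user whose grant an administrator should review and, if unrecognized, revoke; a real run would replace `SAMPLE_RESPONSE` with the paged output of the Reports API call named in the comment.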
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.