Sophos Cloud Optix
A large scale phishing attack has been making the rounds this week pretending to be a “Secure Document” being sent to you via Google Docs.
While those of us in the security industry might not be surprised, phishing attacks are consistently proving themselves to one of the most effective ways to evade traditional defenses.
As many organizations move to the Google cloud, this type of phishing lure will continue to yield results for the criminals.
The email reads:
Hello,
A Secure Document was sent to you by your financial institute using Google Docs.
Follow the link below to visit Google Docs webpage to view your Document
Follow Here. The Document is said to be important.
Regards.
Happy Emailing,
The Gmail Team
Phishing emails aren’t exactly rare, but this one caught my eye. In addition to being a somewhat plausible lure, it is an equal opportunity exploit.
If you click the link you are presented with a phishing page hosted in Thailand.
The page not only asks for your Google credentials, it also suggests it will accept Yahoo!, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account.
Of course, filling out this form can only end in tears. Your details are sent off to the compromised servers for whatever purposes these thieves desire.
You might think, “So what? My Gmail isn’t full of secrets that will destroy my nation/life/career.”
You would likely be wrong, because your email is the key to unlocking much of your online identity.
Forget your banking password? No worries, they will email you a password reset link.
Does your company utilize cloud services? Your email account is likely key to accessing these systems.
Phishing is an amazingly successful technique.
Just ask the Syrian Electronic Army, who with little technical talent have been able to compromise some of the most powerful media organizations in the world.
As an IT administrator, these are opportunities to educate your staff on the risks.
This might not be the most convincing of the phishes that are out there, but it is a useful tool to educate your staff.
Many organizations are using Google and other cloud service providers to provide critical IT services. At first glance this could be very believable.
What do I do to avoid being a victim? I create shortcuts in my browser for all sensitive services.
If I need to access my email, bank or other online service, I don’t click the link; I click the favourite.
Thank you for the info. You say, "I click the favourite." What do you mean? Is this also a threat for individuals?
~ Carol Zupkas ~
I create favourites for all my important services. I never click a link to my bank, retirement account or email, I just click the favourite which is sure to deliver me to the correct website (assuming their DNS has not been compromised).
Hi Carol – I don't mean to put words in his mouth, but i'm pretty sure Chester means that he has saved his most visited pages as favorites or bookmarks in his browser so rather than clicking on the phishing links in an email, he clicks on the favorite link that he's previously saved – that way he knows he's going to the page he wants to go to
… until those nice people find how to hack our bookmarks / favourites.
See also DNS redefinition (e.g. http://nakedsecurity.sophos.com/2013/08/28/google… from yesterday).
Perhaps you should be memorising, or writing on paper, the IP address of your bank.
The thieves being able to read your email isn't the only problem; they would also be able to send email from your account. All they have to do is send a few "plans to blow up the embassy" emails to random people, and you'll end up in Guantanamo Bay.
They can (and do) also send more targeted phishes to people in your contact list, pretending to be you. Since they're doing this from within the web of trust, the phishes are much more likely to garner victims who wouldn't fall for the original phishing attack. This also has the benefit (for them) that often there is no phish/spam filtering between email addresses on the same internal network — so if they can use this technique to gain access to your internal email accounts, they have unfettered access to the trust network inside the firewall.
A Gmail ID is the gateway to all Google services, not just email: Docs, Play Store purchases for Android devices (potentially giving info about said devices), contacts, history on YouTube, Google+, and of course Google Wallet. If you put your home & work addresses in Maps (as My Places entries) then that info is revealed as well.
Anyone that wants to profile someone can learn a huge amount with nothing more than Gmail credentials.
Protect your accounts people! Most services offer 2-step verification. Here is information about Google's 2-step protection systems: http://www.google.com/landing/2step/
If I were to fall victim to a phishing attack, my email accounts are still secure because the attacker would need more than the password to gain access.
The general rules I follow are:
1. Never click on a link in a mass-emailed message.
2. Never click on a link without first inspecting the URL syntax.
3. Never click on a link in a message that uses moronic semantics…like the one in the article, which says "financial institute". Dead giveaway.
4. Never, ever click on a link that purports to connect me to a login page for any account, anywhere, for any purpose.
About the only links I ever click are those that come from private or professional correspondents who are referring me to links they personally have vetted. Most of them use encrypted mail, and I'm certain that the messages are genuine.
If you use GMail, you should be using 2FA which is free via the Google Authenticator. Even with a phishing attack, your one time code will always be different.
I think the proper risk mitigation is to enforce two factor authentication. There is a google app on the phone which is like a OTP (One Time Pad). Works very well.
Also, I do not use “bookmarks”. They are controlled by the browser program, which a hacker could be able to access. I write my own set of frequent (or rare) links and save them as a “webpage” on my machine, such as “myhome.html”.
A bank sharing something via Google Docs? You should be smart enough to not fall for that, right?
phishing I get 1 a week & I don’t bank on line I go to bank if need bank all the time say bank needs a update just go delete
okay, now that I fell for this trap what should I do? I've already emailed my conatcs of the situation and of course my email blew up today because my addess book got compromised. I can't believe my guard was down.
Immediately change your Google password is about all you can do. And be sure to enable 2-step verification with Google. You can use an SMS code or the Google Authenticator app on iOS and Android as a required second factor when logging into you Google account to discourage phishers from attempting to victimize you again.
My account was compromised. But not only that they changed the phone number in the security feature which prevents resetting the pass word by SMS verification.. Google then takes 3 to 5 days to verify I am legitimate and potentially the account will come back . In the meantime the con artist is reading my incoming email and responding to my clients and friends with my name…I know now I will never use a service like Google if there is not a support
that can rectify a breach in a timely manner.
OK, I got one of these emails from my insurance agent, and clicked on it and signed in, and THEN got a follow-up email from him that his account had been hacked (sorry, it looked like it was real). So I just went and changed ALL my email passwords…what else can I do?
Hi..this phishing scam is back…I just got took yesterday. So presuming they got my log in info to my gmail account..what can I do other then change my email passwords?
Yeah this just happened to me I have changed my password as well, but is there more that needs to be done?
I made a mistake to click the phishing e-mail “link” and found out that hacker registered an application “Kik” on his mobile phone. He will pretend just like me to other people and try to cheat them.
I hope not to make another mistake again and hope not to make any problem to me.
I just got an email like this from my wife’s gmail. Thankfully, it went to spam though I would not have opened it anyway. The question is though, hat should she do?