OAuth Phishing On The Rise

Recently there was a significant volume of new phishing emails aimed at capturing access to Google accounts…specifically your email and contacts. You can read more about it at The Verge, Quartz, and Ars Technica. This phish is a great—evil !?!—example of a sophisticated attempt to gain access to a large number of users accounts.

In this attack, the victim is sent an email with a legitimate looking “Open in Docs” button. This button is a completely legitimate link to Google’s OAuth service. The attacker has set up a malicious application that is designed to harvest access tokens to user accounts and spread the phishing attack to all of the user’s contacts.

Technique Gaining Ground

This technique is extremely clever because there’s no malicious payload in the email. The URL can’t be blocked because it’s a legitimate domain owned and controlled by Google. Defending against this attack relies entirely on the user.

Unlike a typically phishing attack where the goal is to compromise the user’s system. The goal here is to compromise their Google Account.

We’ve seen this technique used before by the group known as Pawn Storm. During that campaign, the attackers set up a malicious “Google Defender” application that promised to protect victim’s accounts…while doing quite the opposite!

While unrelated, the Pawn Storm attack used the same legitimate OAuth connection to exploit the users lack of knowledge of available services. When the attackers target is your Google Account, these attacks are extremely difficult to prevent and detect.

Connecting Accounts Can Be Risky

This most recent campaign hid itself as “Google Docs.” Most users are unaware that the real Google Docs and Google Drive don’t need OAuth access to your Google Account. As an integrated service, they use an alternative authorization mechanism (typically document by document or folder by folder) to request access.

You can read more about sharing these documents on the Google support site.

If you did authorize access to this account, you can remove the connection from your Google account with a couple simple clicks. Simply visit https://profiles.google.com/connectedaccounts, find the listing for “Google Docs,” and click the “Remove” button.

[ Update: Thankfully Google was on top of the situation and has now blocked this application so no new connections can be made. Existing connections should also be removed now, but you’ll want to check to make sure.]

While you’re on the page, you should review all of the other connections to your Google account. You might be surprised to find a number of older applications or other connections that you weren’t aware of. Third party account connections are a common attack vector that you can easily prevent by regularly reviewing them (that goes for your Facebook, Twitter and LinkedIn accounts as well).

User Education Is Critical

Phishing remains one of the top ways that attackers start their hacks. We continue to see new and innovative ways to trick users into taking actions that compromise their systems.When the attacker’s goal is a public account (like Google, Facebook, Twitter, and LinkedIn), leveraging legitimate techniques like OAuth allows them to circumvent common defences. This leaves you relying purely on user education to remain protected.

If you haven’t already added a discussion around linking accounts to 3rd parties into your security awareness training, now is the time. This isn’t the first, nor will it be the last, attack to take advantage of legitimate OAuth flows to compromise user accounts.

Sharing our approach to user education and awareness helps improve everyone’s security posture. Do you have a really good example or material that really resonates with users? Why not share it on Twitter? Reach out to me (@marknca) and I’ll help get the message out.

Leave a Reply