How the massive phishing scam affected 1 million users
It’s been four days since the Google docs hack hit 0.1% of Google’s users, and the hack from hell is still striking fear into people. That percentage translates to about 1 million infected users, for those who are counting. Sure, the mega-company was able to stop the hack within approximately one hour, but that doesn’t negate the damage that’s already been done (or the fact that it even happened in the first place).
For those of you vacationing under a rock over the past weekend, here’s the scoop: Google was hacked. And they were hacked badly. The tech company fell prey to a nasty phishing scam on Thursday. Since then, they’ve become synonymous with “Google docs hack,” a relatively disastrous moniker to be associated with. So what happened? I’m going to tell you exactly what happened. But I promise, it won’t be pretty.
Google docs hack brief: Users get an email from a “trusted” source informing them they have been added to a Google doc. Once the recipient clicks the link to view it, they are asked to give away all of their permissions to an app posing as Google Docs (i.e. access to password resets, the ability to read, send, delete, and manage email/contacts, and pretty much all privileges associated with your account). In reality, this is a malicious service giving a hacker unlimited access to a user’s Gmail account.
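The brief above describes the key pattern of this phish: a third-party app wearing a Google product’s name asks for mailbox and contacts permissions. The example below is an added illustration, not code from the article or from Google, of how an admin reviewing third-party app grants might triage them for that pattern. The `Grant` record, its `google_owned` flag and the sample grants are constructed assumptions; the scope URIs are Google’s real ones.

```python
"""Triage third-party OAuth app grants for consent-phishing patterns.

Added example, not from the original article. Flags grants where an app
that is not Google's carries a Google product name while holding broad
mail/contacts scopes, the combination the fake "Google Docs" app used.
"""
from dataclasses import dataclass, field

# Scopes that hand over mailbox or contacts control (real Google scope URIs).
BROAD_SCOPES = {
    "https://mail.google.com/",                        # full Gmail access
    "https://www.googleapis.com/auth/gmail.modify",    # read, send, delete mail
    "https://www.googleapis.com/auth/contacts",        # read and write contacts
}
# Product names a third-party app has no legitimate reason to use as its own.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google sheets"}


@dataclass
class Grant:                    # assumed shape of an exported app grant
    app_name: str
    google_owned: bool          # assumption: True only for Google's own apps
    scopes: set = field(default_factory=set)


def triage(grant):
    """Return (severity, reasons); severity is 'high', 'medium' or 'low'."""
    reasons = []
    broad = grant.scopes & BROAD_SCOPES
    if broad:
        reasons.append("broad scopes: " + ", ".join(sorted(broad)))
    # Normalise case and internal whitespace so "Google  Docs" still matches.
    name = " ".join(grant.app_name.lower().split())
    if name in FIRST_PARTY_NAMES and not grant.google_owned:
        reasons.append("third-party app named like a Google product")
    if len(reasons) == 2:
        return "high", reasons      # impersonation plus broad access
    if reasons:
        return "medium", reasons    # one indicator: worth a manual look
    return "low", reasons


SAMPLE_GRANTS = [  # constructed sample data, not real grants
    Grant("Google Docs", False, {"https://mail.google.com/",
                                 "https://www.googleapis.com/auth/contacts"}),
    Grant("Acme Calendar Sync", False,
          {"https://www.googleapis.com/auth/calendar.readonly"}),
    Grant("Mail Backup Pro", False,
          {"https://www.googleapis.com/auth/gmail.modify"}),
]


def flagged(grants=SAMPLE_GRANTS):
    """List (app_name, severity, reasons) for every grant that is not low risk."""
    results = [(g.app_name, *triage(g)) for g in grants]
    return [r for r in results if r[1] != "low"]
```

Run against the constructed grants, the impersonating “Google Docs” app scores high and the backup tool medium, while the calendar app passes; a real review would add an approval step that revokes anything flagged high.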
Sound scary? It was. Google shut down the attack when it happened by revoking the app and killing the phishing pages. The effects were long-lasting, though. For some users, the Google docs hack stole massive amounts of sensitive data they will never be able to get back. Meanwhile, information security companies have already predicted immediate copycat hackers, meaning we can probably expect to see several more similar hacks crop up in the next few weeks.
Google Docs Hack: Recovery
So what’s the road to recovery look like for users who suffered a breach? Google did most of its part by shutting the hack down almost immediately, but the buck doesn’t stop there. There may not be any steps you can take anymore with this hack, but more will come in the future. Preparing yourself to protect, defend, and fight will be key to your survival. That’s right. The Google docs hack just declared war on everyone’s cybersecurity, and you need to shape up or ship out.
Google already disabled offending accounts, removed fake pages, pushed updates through Safe Browsing, and got their abuse team on proactive measures for the future. But as PhishMe’s chief technology officer, Aaron Higbee, notes:
“The importance of this phish is not how it spread, but rather how it didn’t use malware or fake websites tricking users to give up their passwords. This phish worked because it tricked the user into granting permissions to a third-party application. This is the future of phishing, and every security technology vendor is ill-equipped to deal with it.”
Higbee hits the nail on the head: if users aren’t equipped to identify threats like the Google docs hack, how will they defend themselves from future attacks? The real road to recovering from a breach of this size is knowledge.
Users keep falling for phishing attacks because they don’t know what to look out for, plain and simple. Whether you’re looking to protect yourself, your business, or personal assets, proper training is the only real solution to fighting off a hack like the Google docs hack. Educate yourself and your staff on the tell-tale signs of a phishing email, and habitually test yourself and your staff to see how vigilant you’ve really become. This might sound elementary, but you’d be surprised by how little you really know.
Here’s a quick guideline you can follow and begin to implement in business settings to stay ahead of the curve and avoid nasty phishing scams.
How to Avoid Phishing Scams:
✔ Resist the Urge to Click
✔ Be Alert to Any Suspicious Emails
✔ Question All Emails Regardless of Sender
✔ Look for Long or Odd Email Addresses
✔ Never Download Attachments from Unknown Sources
✔ Double Check With an Email Source If You Weren’t Expecting Anything From That Person
✔ Double Verify Via Phone
✔ Share Important Links Manually Via Secure Chat or SMS
✔ Never Sign Away Your Access to Personal Accounts, Even to a Legitimate Source
For zbrella Technology Consulting, I’m Christopher Clark, goodnight and good luck.
zbrella Technology Consulting can help protect businesses against phishing attacks and other malware. We can implement company standards, regulations, and actionable plans as well as protect and block against all attacks. Call us at 718.355.9155.