On May 3rd, we started receiving calls and emails from SBTS employees that had received a Google Docs share from the same employee. We’ll call him Patient 0. Campus Tech even received the email from Patient 0. Soon after, we received a call from Patient 0 since he was getting bombarded with replies from people such as
“I tried to open this document, but it doesn’t seem to work”
“Did you mean to send this to me”
This was a phishing attempt. Patient 0 wasn’t the originator in this case – just another victim. It was a massive phishing attempt that affected around 1 million Gmail users worldwide. It was in fact very similar to the mock phishing attempt that we created in Campus Tech in March as a test exercise for Southern employees and students. You can find a link to that phishing exercise we created in the article we recently posted, How To Spot A Phishing Attempt.
What We Know
Here is what we know about yesterday’s phishing attack. It was disguised as a Google doc sharing email. Here is what the email looked like (with Patient 0’s identity obfuscated):
If you clicked on that link, you were prompted to log into a Google account, and then prompted to allow access to your Gmail contacts and your email. Once you allowed access, the hacker’s application had the ability to access your email, but primarily it used your contacts to send the same phishing attempt out to everyone in your contacts. This list can be huge since Google saves frequent email correspondents to your contact list.
According to a Reddit post referenced in this article from TheNextWeb, Google has confirmed that they were able to revoke the hacker’s application in about 1 hour and that users’ emails were not accessed.
While your password would not have been accessible during the attack, Campus Tech recommends updating your @sbts.edu or @students.sbts.edu password as a precaution. This is just a good thing to do if you haven’t updated that password in a while anyway.
What Can We Learn
- Does it make sense that you received this email?
- Does the link in the email actually go to Google?
- Does anything else look odd?
1. Does it make sense that you received this email?
In my case, I had not been doing any work with Patient 0, so I did not expect to receive a shared Google doc from him and should not have clicked on the link. If you happened to be in the same department as Patient 0, or were working with him on a project, then it is possible that this email would have made sense to you, and you would have been more inclined to click on the link.
Result: FAIL (unless you were expecting a doc from Patient 0)
2. Does the link in the email actually go to Google?
This is where yesterday’s attack diverges from our SBTS phishing exercise. In this case, the link in the phishing email really does go to Google, and that is what is surprising about the attack. The anatomy of the attack was that the hacker published a Google App with a Google API key, which let him or her use the real Google login screen and real Google permissions on the Allow Access page. This would have required more work than the typical phishing attempt requires.
On the plus side for the hacker, they were able to use a real Google login page, which allowed them access to real Google permissions like your contacts and email. On the downside, since this required a registered Google API key, it was not difficult for Google to revoke their application once they were aware of the issue.
3. Does anything else look odd?
There are several aspects to the email that are warning signs that this is a phishing attempt. If you have not received a Google Doc sharing email before, these may not be immediately obvious, so we’ll point them out. Look at the phishing email again.
First, a Google Doc share would not deliver to a recipient through the BCC field. In this phishing attempt, the attack was propagated through the BCC field in order to spread it faster. It also hid the fact that the same email may have gone to 50 other people, which could have alerted people sooner to the fact that it was fake.
Second, notice the first recipient on the email, the series of “h” characters. While it is possible that someone could have that email address, or even that name in their contacts, I think most people would agree that it looks odd.
Third, this is not what a Google Doc sharing email looks like. Below is an example of a real Google Doc sharing email. You can see there are several differences.
Lastly, if you did click on the link in the email, you should always ask why the app is asking for the permissions that it is requesting. In this case, the application requested access to your Gmail contacts and your email. There is no reason for a Google document to need these permissions.
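The three questions above can be turned into a simple checker. The script below is an added example written for this post, not Campus Tech tooling or anything from Google: it applies the BCC, odd-recipient, link-host and permissions checks to a constructed sample message modelled on the phish described here. The helper names and the sample addresses are made up; the OAuth scope strings are real Google scopes, and which ones you treat as high risk is a policy choice.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs

# Real Google OAuth scope strings that a document share has no reason to request.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
}

def risky_scopes(consent_url):
    """Return the high-risk scopes named in the 'scope' parameter of an OAuth consent URL."""
    query = parse_qs(urlparse(consent_url).query)
    requested = set()
    for value in query.get("scope", []):
        requested.update(value.split())  # scopes are space-separated in the URL
    return requested & HIGH_RISK_SCOPES

def share_email_warnings(raw_email, my_address):
    """Apply the post's three questions to a raw RFC 822 message; return the warnings that fire."""
    msg = message_from_string(raw_email)
    warnings = []
    to_field = msg.get("To", "")
    # A real share names you in To:; arriving only via Bcc is a red flag.
    if my_address.lower() not in to_field.lower():
        warnings.append("delivered via Bcc, recipient not in To:")
    # A To: address made of one repeated character (the 'hhhh...' case).
    if re.search(r"\b(\w)\1{5,}@", to_field):
        warnings.append("To: contains a repeated-character nonsense address")
    # Does each link really go to Google, and if so, what does it ask for?
    for link in re.findall(r"""https?://[^\s"'<>]+""", msg.get_payload()):
        host = urlparse(link).hostname or ""
        if host != "google.com" and not host.endswith(".google.com"):
            warnings.append("link host is not Google: " + host)
        elif risky_scopes(link):
            warnings.append("consent link requests contacts/mail access")
    return warnings

# Constructed sample modelled on the phish described above (not the real message).
SAMPLE_PHISH = """From: Patient 0 <patient0@sbts.edu>
To: hhhhhhhhhhhhhhhh@example.com
Subject: Patient 0 has shared a document on Google Docs with you
Content-Type: text/plain

Open in Docs: https://accounts.google.com/o/oauth2/v2/auth?client_id=CONSTRUCTED&response_type=code&scope=https://www.googleapis.com/auth/contacts+https://mail.google.com/
"""
```

Run `share_email_warnings(SAMPLE_PHISH, "me@sbts.edu")` to see all three warnings fire; a genuine share (you in To:, a docs.google.com link, no consent scopes) returns an empty list.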
So if we use the test questions that we posed in our last post, we can see that this viral phishing attack would fail 2/3 of the tests, and we should definitely not click on the link in the email. If you did click on the link, there is no need to worry about this attack. You were one of about a million people who did, and no damage was done this time, but it is definitely something to learn from in the event of a future attempt.