An evil phishing worm masquerading as “Google Docs”
today. An e-mail from a friend or relative claims they shared a document with you. Clicking on the “Open in Docs” button asked you to log in to Google, then it popped up a familiar OAuth request asking for some permissions. If you click “Allow,” the permissions granted it full control over your e-mail and access to all your contacts. The worm then e-mailed everyone in your contacts list, and did god-only-knows what else to the victim’s e-mail.
The interesting thing about this worm was just how convincing it was. The e-mail was great—it used the exact same language as a Google Docs sharing e-mail and the exact same “Open” button. Clicking on the link brought up an authentic Google login page, served up from Google’s servers. Then you were presented a real Google OAuth permissions page, also from Google’s servers. The trick was that the app claiming to be “Google Docs” wasn’t really Google Docs. The screen showed a third-party app with the name “Google Docs” and a profile picture that matched the Google Docs logo.
The only way to tell the whole thing was a scam was to click the down arrow next to the “Google Docs” name. This showed you the developer info, which, rather than Google, was a random person with the e-mail “firstname.lastname@example.org.” Genuine Google apps use OAuth all the time, but if you open the developer info you’ll see something with an “@google.com” e-mail. Also, rather than redirecting you to a Google page, the app sent you to one of several Google-sounding lookalike URLs, in this case “googledoc.g-docs.pro.”
The downside to having a worm so closely tied to Google’s infrastructure is that Google has some control over it. The company shut down the OAuth request, redirecting users to an error page. Google also auto-revoked the permissions from everyone’s account. For a time the worm had total access to the victim’s e-mail, so in addition to spamming all your contacts, it could have copied all your e-mails (and all your Hangouts chats) to a third-party server. In the future this could be used for more phishing attempts, since the nefarious party knows your e-mail and product combinations. It could also be used for a public dump of VIP e-mails, like what happened to the DNC.
Google issued a statement on the phishing attempt, saying:
We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.
In the future I think we’ll need to see a redesign of how Google’s OAuth pages work. The problem is that the true entity you’re granting permissions to in Google’s OAuth interface is buried under a drop-down. Right now, the interface relies entirely on the app developer not lying about their name and app logo, and that’s just not good enough.
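The two tells described above (a non-Google developer behind a “Google Docs” name, and a redirect to a Google-sounding lookalike domain) can be checked mechanically before a consent link is ever clicked. The following is an added example, not code from the article or from Google: it parses a Google-style OAuth authorization URL and flags the combination of impersonating app name, non-google.com redirect host and full mailbox/contacts scopes. The URLs, client IDs and the exact scope set the worm requested are constructed assumptions for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Assumed set of scopes equivalent to "full control over your e-mail and access to
# all your contacts"; the article does not name the exact scopes the worm asked for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                    # full Gmail access
    "https://www.googleapis.com/auth/contacts",    # read/write contacts
}
# Display names that only first-party Google apps should be allowed to use (assumption).
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}

# Constructed sample consent URLs (client IDs and redirect hosts are placeholders).
PHISH_URL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-CLIENT-ID"
             "&redirect_uri=https%3A%2F%2Fgoogledoc.g-docs.pro%2Fcallback&response_type=code"
             "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts")
BENIGN_URL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-CLIENT-ID"
              "&redirect_uri=https%3A%2F%2Fdocs.google.com%2Foauth&response_type=code"
              "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file")

def parse_consent_url(url):
    """Extract the security-relevant parts of an OAuth authorization request URL."""
    parts = urlparse(url)
    q = parse_qs(parts.query)                      # decodes %xx and '+' for us
    scopes = set(" ".join(q.get("scope", [])).split())  # scope is space-separated
    redirect = q.get("redirect_uri", [""])[0]
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_host": (urlparse(redirect).hostname or "").lower(),
        "scopes": scopes,
    }

def is_google_owned(host):
    """True only for google.com itself or a real subdomain, not a lookalike."""
    return host == "google.com" or host.endswith(".google.com")

def assess(url, app_name):
    """Return the reasons a consent request looks like OAuth consent phishing.
    app_name is the display name shown on the consent screen (assumed to be
    supplied by the caller, e.g. from the app's developer info)."""
    info = parse_consent_url(url)
    host = info["redirect_host"]
    findings = []
    if app_name.strip().lower() in PROTECTED_NAMES and not is_google_owned(host):
        findings.append("app name impersonates a Google product but redirect_uri is not a google.com host")
    if info["scopes"] & HIGH_RISK_SCOPES:
        findings.append("requests full mailbox and/or contacts access")
    if "google" in host and not is_google_owned(host):
        findings.append("lookalike redirect host: " + host)
    return findings
```

Run against `PHISH_URL` with the name “Google Docs” all three findings fire; the benign Drive request with a docs.google.com redirect produces none.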
Source: SANS ISC SecNewsFeed @ May 3, 2017 at 06:42PM