Google phishing worm exploits OAuth to take over Gmail accounts

On May 3, 2017, approximately 1 million Google users were attacked by a malicious program called Google Docs, which attempted to trick users into granting it permission to access their Google accounts. This scheme was aimed at obtaining Google credentials and spreading the malicious program to other Google users. More specifically, those Google users that fell for the trick allowed the worm to send its copy to their Google contacts. Fortunately, Google immediately reacted to this phishing campaign and stopped it with within approximately an hour. According to the public statement from Google, no further actions have to be taken in relation to this even.

All started with a phishing email sent from hhhhhhhhhhhhhhh@mailinator.com featuring an "Open in Docs" button. When the user clicked on the button, a legitimate Google site asking to enter the username and password was opened. The user was also provided with a dialog box requesting permission to "Read, send, delete and manage" the email and also manage the user's contacts. By allowing the malicious program to access Gmail accounts, users helped the worm spread. To deceive unsuspecting Google users, the attackers abused the OAuth authentication interface, which is commonly used by other services to ease logging in without using a password. As the attackers used a legitimate log-in system, only users could raise the question whether the program asking permission to access their data was legitimate or not. For this reason, it is worth paying attention to what is being asked by the application.

Several malicious hosts shared to unsuspecting Google users were found in this attack. Attempts to access those domains resulted in an HTTP 502 response, which was believed to be the result of an overload from the affected users. The URLs provided to victims were made to look Google-like in order not to arouse their suspicion. Here are some of the hosts detected:

googledocs.g-cloud.pro

googledocs.g-docs.win

googledocs.docscloud.info

googledocs.gdocs.win

googledocs.docscloud.download

Fortunately, no malicious code was sent to victims' computers.

The tricky part about this OAuth worm spreading campaigns is that the receiver’s email address is seen in the "BBC:" line, whereas the sender's email address is present in the "To:" line. The sender's email address was an address created at mailinator.com. Mailinator is a free and public email platform enabling users to receive emails accessible to everyone. Users create their email names and add @mailinator.com so they can receive emails from senders to whom they do not want to reveal their real email address. The Mailinator service was believed to allow the attackers to see to what addresses the malicious Google Docs app was sent.

It was possible to check whether the application named Google Docs was developed by Google by clicking on the down arrow next to the application's name. According to the developer information, the fake application was created by a random person and the address eugene.pupov@gmail.com was given.

In response to the attack, Google removed the fake pages and applications and sent updates through Safe Browsing, Gmail and other systems. It is worth noting that the phishing campaign is not against Google but an attack against the OAuth system. Google also auto-revoked the permissions for user's accounts. Security experts suggest that users should check what applications have permissions to access their Google accounts. It can be done at myaccount.google.com/permissions. It is also worth changing passwords from time to time, but this should be done alongside revoking permissions. As the worm had full access to victims' emails and contacts, it could have copied them and saved in a third-party server. The victim's identity can be used for scamming contacts' emails and changing passwords of different accounts.

Malware researchers are surprised at how attackers were able to launch such a complex attack. The attackers are believed to have taken an advantage of a Google weakness that was present for a certain period of time. It is speculated that likely candidates for similar phishing attacks are Facebook and Linkedin as these services also uses alternative authentication mechanisms.

Security experts warn users to be very careful with granting applications permissions to access personal information, including passwords. When in doubt, a person should contact the sender and inquire about the attachment received.