Teiss Head of Consulting, Jeremy Swinfen Green, considers why people still fall for phishing scams, how you can defend yourself from them, and what to do if you have been caught.
Phishing was back in the news yesterday with a huge scam using Google's name to fool people. Phishing involves sending out malicious emails; the word "phishing" is a contraction of "password fishing" and originally phishing scams attempted to get people to divulge their login details to bank accounts and the like. Nowadays, phishing emails often contain malicious software such as ransomware.
The current scam though is slightly different from both of these methods. The vehicle is a malicious app, which the hackers had built, that masquerades as a genuine Google app.
Victims are sent an email apparently containing a Google Docs document that is being shared with them and that supposedly needs to be opened in Google Docs. There is a link to Google Docs in the email that is in fact a link to an apparently genuine Google page where the victim is asked to give permission for the malicious app to "Read, send, delete and manage your email" - in other words to take full control of your Gmail account.
If permission is given, the victim's contacts are spammed with the same email, enabling the scam to propagate massively. However, Google acted quickly to contain the scam which they claim only affected 0.1% of accounts. That's still around 1 million accounts though. And it looks as though there were some fairly prominent victims possibly including Carnegie Mellon University (CMU). If that is true it would be ironic because CMU runs CyLab which claims to be "the largest university-based cybersecurity research and education institute in the United States".
The problem of trust
Why was this scam successful?
One reason is the sophisticated nature of the attack. Rather than asking people to input their passwords (a request that would sound warning bells to many people) the scam bypassed the need to do that by simply asking people to give permission for the app to manage their Gmail account.
But why would people let the app have this permission? It's down to trust. People tend to trust what they see. In this case they saw Google logos, which they trusted. They went to an apparently genuine Google page, which they trusted. And they interacted with an app called "Google Docs" - and they trusted the name. According to Ars Technica, a similar scam, this time using the name "Google Defender" (which people might confuse with "Windows Defender") was doing the rounds very recently.
Trust, or rather inappropriate trust, is a huge issue online and one that cyber security professionals have difficulties in combating.
But in this case there were things that could have given the game away, at least to someone on the lookout for scams.
- Firstly, why would an app from Google ask for permission to manage a Google Gmail account? One might have thought that Google already had that ability.
- Secondly, while the email appeared to come from a friend, with the victim's name in the BCC copy field, there was a suspicious looking email address in the "To" field: email@example.com
- The link to the "Google Docs" document was in fact a link to a website with a Google "look-alike" address such as googledocs.gdocs.win rather than myaccount.google.com. (If you don't know how URLs are constructed then learning this basic fact will be an important part of your anti-fraud armoury. Techwalla has a useful tutorial on this.)
Targets of phishing
Phishing scams often target three industries - financial services, health and education.
Educational institutions are particularly vulnerable, according to Dave Hylander, senior risk analyst at Verizon, because "Universities have been built on the idea of open sharing of data. Sharing with colleagues and peer group. Openness and sharing." In addition to the culture of openness, there is the nature of the people at universities, people "who may not have as firm a grasp of basic security control and best practices as that of someone in the workforce".
In other words, universities have large numbers of curious, inexperienced, and relatively carefree users who can easily fall victim to these scams.
But in this case the initial targets of the Google Docs scam appear to have been journalists. This illustrates another problem. Phishing is changing from an attack that relies on spam sent to large numbers of people, at least some of whom are likely to be taken in, to highly engineered and highly credible attacks aimed at a small number of highly valuable targets. In this case the target was journalists, presumably because they have many, often influential, contacts.
What can you do?
If you think you may have fallen for this attack, the remedy is simple: revoke permission for the offending app:
- Sign in to Gmail and then go to the accounts settings at https://myaccount.google.com.
- Under "Sign in and security" go to the "Connected apps and sites" link
- Look for "Apps connected to your account" and click on "Manage apps" which will bring you to a list of all the apps connected to your account
- Find "Google Docs" in the list of connected apps, click on it and then click "Remove"
But really what you need to do is get better at avoiding these scams in the first place. And how are you going to do that?
The number one rule is to be sceptical. If something doesn't look right online, then check it out rather than trusting it blindly. A simple online search using some words from any suspicious message (in "quote marks") may reveal that your suspicions are correct. You should also look out for phrasing that seems odd. If there are any links in an email, hover your mouse over them and take a look at the destination to see if it seems genuine. (Ideally you won't click on any links and instead you will type URLs into your browser, or even better visit the home page of the sender and navigate from there.)
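The "hover and check the destination" advice, and the earlier point about look-alike addresses such as googledocs.gdocs.win, can be automated for an HTML email body. The following is an added example, not part of the original article: it compares each link's visible text with the host it really points to, and it assumes that only google.com and its subdomains, over https, count as genuine. The function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the only domain accepted as Google's.
TRUSTED_DOMAINS = ("google.com",)

def host_of(url):
    """Host the browser would connect to, lower-cased, without port."""
    return (urlsplit(url).hostname or "").rstrip(".")

def is_trusted(url, domains=TRUSTED_DOMAINS):
    """True only for https URLs on a trusted domain or one of its subdomains."""
    host = host_of(url)
    on_domain = any(host == d or host.endswith("." + d) for d in domains)
    return urlsplit(url).scheme == "https" and on_domain

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html):
    """Return (visible text, real host) for every link that is not trusted."""
    collector = LinkCollector()
    collector.feed(html)
    return [(t, host_of(h)) for t, h in collector.links if not is_trusted(h)]

# Constructed sample body; the first two hosts are the ones named in the
# article, the third is a made-up look-alike on a reserved example domain.
SAMPLE = """<p>A document has been shared with you.</p>
<a href="https://googledocs.gdocs.win/open">Open in Google Docs</a>
<a href="https://myaccount.google.com/">Account settings</a>
<a href="https://docs.google.com.example.net/d/1">docs.google.com</a>"""

if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE):
        print(f"{text!r} actually points to {host}")
```

The comparison is made on the end of the host name, because a trusted name appearing at the start of an address says nothing about who controls it.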
There are other things you should be doing as well.
- Make sure you use up to date security software
- Use strong passwords, ideally a different one for each account, certainly a different one for each of your bank accounts; have a minimum of 16 random characters (use a phrase of four or five words like "IWantToGoToBognorRegis")
- Avoid logging on to any accounts if you are using public computers or public wi-fi
- Regularly check whether your accounts have been hacked using the HaveIBeenPwned website
Educate your colleagues
Anyone who works in an organisation should take some responsibility for cyber security and not leave it up to the over-stretched IT department. But if you have the opportunity you should also ensure that your colleagues are educated in how to keep cyber-safe. Teiss training runs courses on managing employee cyber security risks, and you may find these useful.