[Updated: as Doug Levin notes, Google was warned about the potential of this problem in 2011]
On May 3rd, a small percentage (~0.1%) of Google users were hit with a sophisticated phishing attack (it used at least 13 different application “clientIds”). The phishing took the form of a link that directed users to an application claiming to be “Google Docs” and routed users to Google’s login/permission pages (OAuth2) to grant access to Gmail and contact scopes.
For districts using G Suite for Education, it was impressive to see how quickly the EDU user community jumped on this issue. AmplifiedIT crowd-sourced the collection of clientIds and posted remediation steps. Google shut down the applications within an hour, and admins of impacted domains received an email similar to the one below late on the evening of 5/4/17.
Dear G Suite Administrator,
On Wednesday, May 3, we identified, investigated, and resolved an email phishing campaign. This issue was addressed within approximately one hour from when Google became aware of it. Please note that we have already taken action to protect all users, and no further action is necessary. To assist you in understanding what happened and better educating your users on email security, we are sharing details on how the campaign worked and how we addressed it.
The affected users received an email that appeared to be from a contact offering to share a Google doc. Clicking the link in the attacker’s email directed the user to the attacker’s application, which falsely claimed to be Google Docs and asked for access to the user’s account. If the user authorized the application, it accessed the user’s contacts for the purpose of sending the same message to those contacts. This access only retrieved contacts and sent the message onward—customer data such as the contents of emails and documents were not exposed.
Upon detecting this issue, we immediately responded with a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems.
We have taken the following steps to protect your users:
- Disabled the offending Google Accounts that generated the phishing link
- Revoked any access that the affected users authorized to the attacker
- Disabled the malicious projects and apps that sought access
In addition, Google is taking multiple actions to combat this type of attack in the future such as updating our policies and enforcement on OAuth applications, updating our email filters to help prevent campaigns like this one, and augmenting the monitoring of suspiciously behaving third-party apps that request consent from our users.
As a general precautionary measure, you may choose to take the following actions regularly for your users:
- Review and verify current OAuth API access by third parties.
- Run OAuth Token audit log reports to catch future inadvertent scope grants and set up automated email alerts in the Admin console using the Custom Alerts feature, or script it with the Reports API.
We thank you for your continued business and support. If you have any questions, please let us know by contacting Google Support and referencing the issue number [removed].
The G Suite Team
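The second precaution above (audit the OAuth token log and script it) is where a district admin would actually catch a grant like this one. Here is an added example, not part of this post or of Google's mail, of detection logic run over a constructed batch of token-activity events: it flags "authorize" events from client IDs that are not on a district allowlist and that either requested mail/contacts scopes or used a Google-lookalike app name. The event field names (actor.email, events[].name, parameters with value/multiValue) are assumed to follow the Admin SDK Reports API token-activity format; the client IDs and users are placeholders.

```python
import json

# Constructed sample of Reports API "token" activity events (assumed field layout;
# client IDs and users are placeholders, not real values).
SAMPLE_EVENTS = json.loads("""
[{"actor": {"email": "teacher@example.edu"},
  "events": [{"name": "authorize", "parameters": [
    {"name": "client_id", "value": "111111111111-approved.apps.googleusercontent.com"},
    {"name": "app_name", "value": "District LMS Sync"},
    {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/classroom.rosters.readonly"]}]}]},
 {"actor": {"email": "student@example.edu"},
  "events": [{"name": "authorize", "parameters": [
    {"name": "client_id", "value": "999999999999-unknown.apps.googleusercontent.com"},
    {"name": "app_name", "value": "Google Docs"},
    {"name": "scope", "multiValue": ["https://mail.google.com/", "https://www.google.com/m8/feeds/"]}]}]},
 {"actor": {"email": "student@example.edu"},
  "events": [{"name": "revoke", "parameters": [
    {"name": "client_id", "value": "999999999999-unknown.apps.googleusercontent.com"},
    {"name": "app_name", "value": "Google Docs"}]}]}]
""")

APPROVED_CLIENT_IDS = {"111111111111-approved.apps.googleusercontent.com"}  # district allowlist
SENSITIVE_SCOPES = {"https://mail.google.com/", "https://www.google.com/m8/feeds/",
                    "https://www.googleapis.com/auth/contacts"}
# Display names a third-party app has no business using; a signal, not proof on its own.
GOOGLE_LOOKALIKE_NAMES = {"google docs", "google drive", "gmail"}

def _params(event):
    """Flatten the Reports API parameter list into a dict (multiValue wins when present)."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}

def flag_suspicious_grants(activities, approved=APPROVED_CLIENT_IDS, sensitive=SENSITIVE_SCOPES):
    """Return authorize events from non-approved client IDs that requested a sensitive
    scope and/or presented a Google-lookalike app name. Revokes are ignored."""
    flagged = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = _params(ev)
            if p.get("client_id") in approved:
                continue
            scopes = set(p.get("scope") or [])
            reasons = []
            if scopes & sensitive:
                reasons.append("sensitive scope")
            if str(p.get("app_name", "")).strip().lower() in GOOGLE_LOOKALIKE_NAMES:
                reasons.append("lookalike app name")
            if reasons:
                flagged.append({"user": act["actor"]["email"], "client_id": p.get("client_id"),
                                "app_name": p.get("app_name"), "scopes": sorted(scopes),
                                "reasons": reasons})
    return flagged
```

In practice the input would be the page of activities returned by the Reports API for applicationName "token"; each flagged record is a candidate for the revoke-and-notify step rather than an automatic verdict.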