Google Responds To Mass Phishing Attack

Earlier this week, roughly 1 million people fell victim to a phishing attack that offered total access to Gmail accounts. Google initially responded to the attack with a series of tweets, and now that the dust has started to settle, it's also published a blog post explaining how its systems protect you from phishing attempts. Yet questions still remain about how the company plans to prevent attacks similar to this one from reoccurring.

This particular attack worked by tricking people into clicking on what appeared to be a link to a Google Doc. The link opened a malicious app instead, and that app in turn requested permission to "read, send, delete, and manage your email" and "manage your contacts." But the request came from an app called "Google Docs," so combined with the email seeming to originate from the service, everything seemed to be above board.

That wasn't the case. Google Docs won't request permission to access your Gmail account--yet the sheer number of services that request access to Google, Facebook, and Twitter accounts has trained people to automatically grant those permissions without a second thought. Google said in its blog post that it stopped the phishing attack in one hour, but in that time it managed to affect 0.1 percent of its users, or roughly 1 million people.

Google has since been criticized for allowing this to attack to happen in the first place, especially since it was warned of this possibility all the way back in 2011. Thus, this blog post is less about Google bragging about how well it stopped this attack and more about making sure people still trust it. The company shared the following list of protections it uses to stop phishing attacks (and spam) from affecting those who use its products:

Using machine learning-based detection of spam and phishing messages, which has contributed to 99.9% accuracy in spam detectionProviding Safe Browsing warnings about dangerous links, within Gmail and across more than 2 billion browsersPreventing suspicious account sign-ins through dynamic, risk-based challengesScanning email attachments for malware and other dangerous payloads

Those protections weren't enough in this case, though. Google still managed to halt the attack in its tracks, and the company said it's "taken steps to re-secure affected accounts," but the fact that a malicious app tricked people into offering access to their accounts via Google's OAuth system using an email claiming to come from Google Docs that was sent to Gmail users still raises questions about how those services are safeguarded.

Google acknowledged those concerns and said it plans to prevent similar attacks in the future:

In addition, we’re taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users.

The company also advised users to take a Security Checkup to make sure the only apps and devices allowed to access their accounts are legitimate, heed warnings and alerts shown in its products, and to report suspicious messages. Business admins were also told to turn on two-factor authentication for their employees, limit what information those employees are allowed to share, and running OAuth audit log reports.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • littleleo
    What is going to take to stop getting harassed with this crappy pop up ads? I thought if we created accounts and logged in we wouldn't be subjected to this crap. I'm so sick of reading an article and then screen goes black and some stupid useless ad for something nobody cares about or wants pops up and I have to scroll around to find the "X" to close it then scroll back down to try and find where I was before the crappy ad popped up and interrupted me. Stop this crap we don't need these stupid pop-up ads!
  • mwryder55
    This attack was not just sent to GMail users. Our company received several e-mails with the link to Google Docs. Fortunately, our users were smart enough not to open the e-mails.
  • Little Dot
    I just got my accounts back they are gone again. Google Plus and Viber it's very worrisome and frustrating
  • randomizer
    We're in real trouble when people aren't the slightest bit suspicious about requests to manage email so that they can view a document. Of course it's likely that nobody read the message in the first place.
  • RomeoReject
    Yeah, Tom's is getting horrible for ads. I don't ever run adblockers, because I believe in free internet, but I'm starting to visit the site less often, because it has become a chore just to read the damn articles.
  • hellwig
    Oh, late to the party.

    Well, anyway, this statement is meaningless:
    "Using machine learning-based detection of spam and phishing messages, which has contributed to 99.9% accuracy in spam detection"

    I could block 100% of spam, if I blocked 100% of messages? I'm tired of having to sift through my spam folders to make sure real emails (important or not) haven't been marked as spam.

    Based on my own email account, it's not 99.9% accurate. Not a lot of spam makes it through, but too much stuff marked isn't actually spam.