Google Docs Account Takeover Worm

Agari Email Trust Network Analysis

Exploring the Attack & Recommended Actions

On May 3rd, 2017, cybercriminals launched a large-scale phishing worm that took over Google Gmail and G Suite email accounts. The attack enticed users to authorize a malicious application posing as Google Docs, which gave the attacker control of the victim’s email account. The attack succeeded only if all of the following applied to you or your organization:

  1. You or your organization use Gmail or G Suite
  2. The victim clicked on the email link
  3. The victim authorized a third-party app called “Google Docs”

When successful, the victim had granted the rogue “Google Docs” app access that let the criminals read the victim’s email account and then replicate the attack against everyone in the victim’s address book. At approximately 2:15 pm PT on May 3rd, Google removed the rogue “Google Docs” application, cutting off the criminals’ access to the compromised accounts.

What could these Cybercriminals do with this access?
While we haven’t seen reports of fraud yet, the cybercriminals who launched the attack have access to all of the victims’ email until the app is disabled. With that access, the criminals can use the victim’s identity to scam co-workers or relatives, reset the victim’s bank account password and steal money, or harvest information to steal the victim’s identity. There are countless ways a cybercriminal can monetize this kind of access.
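The grant the worm abused, a third-party app authorized by the user with access to mail and contacts, leaves a record an administrator can audit and revoke without waiting for the app to be taken down. The following Python is an added example, not Agari’s code and not part of the Attack Brief: it runs a look-alike check over records in the shape of the Admin SDK Directory API tokens resource (the per-user list of third-party app grants), flags grants whose display name borrows a Google product name or that hold mail or contacts scopes, and builds the matching tokens.delete requests for the grants that match both. The sample records, client IDs and user names are constructed; the scope list and the product-name list are my assumptions about what counts as high risk.

```python
"""
Audit third-party OAuth grants for the pattern the "Google Docs" worm used:
a third-party client whose display name borrows a Google product name and
that holds mailbox or contacts scopes.

Record shape follows the Admin SDK Directory API "tokens" resource
(GET https://admin.googleapis.com/admin/directory/v1/users/{userKey}/tokens),
which lists the tokens a user has issued to third-party applications.
The records below are constructed samples, not data from the incident.
"""
from dataclasses import dataclass, field
from urllib.parse import quote

ADMIN_API = "https://admin.googleapis.com/admin/directory/v1"

# Assumed high-risk scopes: the access the worm relied on was reading and
# sending mail, plus reading contacts for onward propagation.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Google's own products never appear in a user's third-party token list, so a
# third-party client carrying one of these display names is a look-alike.
GOOGLE_PRODUCT_NAMES = {
    "google", "google docs", "google drive", "google sheets", "google slides", "gmail",
}


@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    reasons: list = field(default_factory=list)
    revoke: bool = False  # True when the grant matches the worm's signature


def _normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Google  Docs' still matches."""
    return " ".join(name.lower().split())


def audit_tokens(records):
    """Return one Finding per grant that impersonates a Google product or
    holds high-risk scopes. Impersonation plus high-risk scopes is marked
    for revocation; either alone is flagged for review."""
    findings = []
    for rec in records:
        name = _normalize(rec.get("displayText", ""))
        impersonates = name in GOOGLE_PRODUCT_NAMES
        risky = set(rec.get("scopes", [])) & HIGH_RISK_SCOPES
        reasons = []
        if impersonates:
            reasons.append("display name impersonates a Google product")
        if risky:
            reasons.append("holds high-risk scopes: " + ", ".join(sorted(risky)))
        if not reasons:
            continue
        findings.append(Finding(
            user=rec["userKey"],
            client_id=rec["clientId"],
            display_text=rec.get("displayText", ""),
            reasons=reasons,
            revoke=impersonates and bool(risky),
        ))
    return findings


def revocation_plan(findings):
    """Build the Admin SDK tokens.delete requests for findings marked revoke.
    Returns (method, url) pairs; sending them needs admin credentials and is
    left to the caller."""
    plan = []
    for f in findings:
        if f.revoke:
            url = f"{ADMIN_API}/users/{quote(f.user, safe='')}/tokens/{quote(f.client_id, safe='')}"
            plan.append(("DELETE", url))
    return plan


# Constructed sample records (users and client IDs are made up).
SAMPLE_TOKENS = [
    {
        "userKey": "alice@example.com",
        "clientId": "123456789012-lookalike.apps.googleusercontent.com",
        "displayText": "Google Docs",
        "scopes": ["https://mail.google.com/",
                   "https://www.googleapis.com/auth/contacts"],
    },
    {
        "userKey": "alice@example.com",
        "clientId": "987654321098-calendar.apps.googleusercontent.com",
        "displayText": "TeamCalendar Sync",
        "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
    },
    {
        "userKey": "bob@example.com",
        "clientId": "555555555555-mailmerge.apps.googleusercontent.com",
        "displayText": "Mail Merge Helper",
        "scopes": ["https://www.googleapis.com/auth/gmail.send"],
    },
]

if __name__ == "__main__":
    results = audit_tokens(SAMPLE_TOKENS)
    for f in results:
        action = "REVOKE" if f.revoke else "review"
        print(f"{action}: {f.user} -> {f.display_text!r} ({f.client_id}): {'; '.join(f.reasons)}")
    for method, url in revocation_plan(results):
        print(method, url)
```

In the sample data only the look-alike “Google Docs” grant is marked for revocation; the mail-merge app holds a send scope but a legitimate name, so it is surfaced for review rather than revoked, which keeps the check from tearing out every integration that sends mail.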

Predictions About Future Attacks
This is likely the first of a new breed of attack. Next time, the attacker might be smarter and only mine the information, propagating slowly enough not to get caught the same day. Other email systems such as Office 365 have similar app plugin systems that could be used to mount similar attacks on larger enterprise organizations. I also believe we will see an increase in targeting to make attacks more credible, whether using account takeover (ATO), social networks, or just publicly available information. As a result, more emails will look “right” to the victim and fewer malicious emails will be reported. This will hamper traditional blacklisting-based methods, which depend on reporting.

Agari’s analysis and recommended actions are available in the Attack Brief below.