Lessons Learned from the Gmail Phishing Incident
Recently there have been many news stories and social media posts about a new Gmail phishing campaign. The campaign emails Gmail users an invitation to edit a Google Doc and uses an actual Google sign-in page in order to gain access to the user’s contact list. Once the user opens the Google Doc, they are prompted to give permission to the app, which fraudulently identifies itself as Google Docs, so that it can send the same invitation to the user’s entire contact list. And the cycle repeats.
While you might feel properly prepared to defend yourself against phishing emails, this campaign highlighted how sophisticated phishing has become. Whereas most phishing emails look illegitimate at a glance to a seasoned eye, this campaign used Google's own “OAuth” sign-in and permission flow both to gain access to user contact lists and to create an authentic appearance and user experience.
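As an added example (not code from the original article), a defender can audit third-party OAuth grants for the pattern described above: an app that calls itself Google Docs and holds mail or contacts access. The grant record layout, client IDs, user addresses and allowlists are assumptions constructed for illustration; the scope URLs are real Google OAuth scopes.

```python
import unicodedata

# Assumption: product names the organisation treats as first-party Google apps.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Assumption: placeholder for client IDs the organisation has verified as genuine.
VERIFIED_CLIENT_IDS = {"VERIFIED-CLIENT-ID-PLACEHOLDER"}
# Google OAuth scopes that grant access to mail and contacts.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

def normalize(name):
    """Fold case, Unicode compatibility forms, invisible format characters
    and repeated whitespace so padded variants of a name compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split())

def review_grant(grant):
    """Return the reasons a grant needs review (empty list: nothing flagged)."""
    reasons = []
    verified = grant["client_id"] in VERIFIED_CLIENT_IDS
    if not verified and normalize(grant["display_name"]) in PROTECTED_NAMES:
        reasons.append("display name imitates a first-party app")
    risky = SENSITIVE_SCOPES & set(grant["scopes"])
    if not verified and risky:
        reasons.append("unverified app holds: " + ", ".join(sorted(risky)))
    return reasons

def flagged(grants):
    """Map each user with a suspicious grant to the reasons it was flagged."""
    return {g["user"]: review_grant(g) for g in grants if review_grant(g)}

# Constructed sample grants (not real audit data).
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "display_name": "Google Docs",
     "client_id": "UNKNOWN-CLIENT-ID-1",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.com", "display_name": "Google Docs",
     "client_id": "VERIFIED-CLIENT-ID-PLACEHOLDER",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "carol@example.com", "display_name": "Calendar Helper",
     "client_id": "UNKNOWN-CLIENT-ID-2",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"user": "dave@example.com", "display_name": "Google\u200b  DOCS",
     "client_id": "UNKNOWN-CLIENT-ID-3", "scopes": ["openid"]},
]

if __name__ == "__main__":
    for user, reasons in flagged(SAMPLE_GRANTS).items():
        print(user, "->", "; ".join(reasons))
```

The name check only catches case, spacing and invisible-character variants; the verified client ID allowlist is what actually separates the genuine app from an impostor using the same display name.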
Although this new phishing campaign has seen much success, it has also led many people to reevaluate how they verify the legitimacy of an email. One of the main ways that you can always verify the authenticity of an email is by checking the sender. In this campaign, the hacker did not attempt to use a convincing username, but in many others, a slight discrepancy in spelling can be the difference between a safe and a compromised device.