Two days ago, there was a large phishing scam that plagued the internet. It was a Google Doc phishing attack perpetrated via Gmail. On Wednesday, a worm in the form of an email arrived in a lot of Gmail users' inboxes from contacts they knew. The email stated that a Google Doc document had been shared with them.
Email claiming a document had been shared
If the user clicked the link to open the document, it immediately redirected the user to a Google account selection screen for authorization.
Google Account Selection Screen
Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON'T CLICK. pic.twitter.com/fSZcS7ljhu
— Zeynep Tufekci (@zeynep) May 3, 2017
If the user granted permission to the fake app posing as Google Docs, the app gained the ability to read, send, delete and manage their email, and also to manage their accounts. These permissions allowed the worm to replicate itself by sending itself to all of the user's contacts.
Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX
— Zach Latta (@zachlatta) May 3, 2017
Swift Combat Action From Google
Once Google got wind of this phishing scam, it swept into action: within an hour it had disabled the malicious accounts, removed the fake pages and pushed updates to users through Safe Browsing. It is highly commendable that Google nipped it in the bud so quickly.
Googlers taking charge
What to Do if You Granted Permission
If you already gave the fake Google Docs app permission, here is how to protect yourself.
- Head over to https://myaccount.google.com/permissions.
- Find the app named Google Docs.
- Revoke the permission by clicking the Remove button.
How to Avoid Phishing Scams
Phishing scams have been around for a long time and they aren't going anywhere soon. Just last year, there was a case of a hacker who stole nude pictures from celebrities via a phishing scam that targeted iCloud accounts.
Here are a few tips to help you avoid falling victim to these scams.
- Look out for fake and forged sites: Verify that the site is secure by ensuring that the URL starts with https:// instead of http://. Look out for typos in the site name and URL.
- Install an anti-phishing toolbar: You can install these toolbars in your web browser. They check the sites you are visiting and compare them against lists of known phishing sites.
- Beware of links and attachments in your emails: Before you click on a link in your email, hover over it and check if the link actually links to a legitimate secure site. Don't click on links that appear in random emails and instant messages.
- Regularly update your browser.
- Beware of pop-ups: Virtually all browsers allow you to block pop-ups, so you can set that as the default action. You can allow pop-ups sparingly when you actually need them.
Aside: Implementing API Authorization with Auth0
This phishing attack took advantage of the OAuth protocol, a convenient way for internet accounts to link with third-party applications. Users don't have to hand over any password information; they just grant permission to a third-party app.
One of the features Auth0 provides is API Authentication and Authorization using the OAuth 2.0 authorization framework. Auth0's API authorization features allow you to manage the authorization requirements for server-to-server and client-to-server applications. If you want to use Auth0 authentication to authorize API requests, note that you'll need to use a different flow depending on your use case.
In addition, our OIDC Conformant Authentication pipeline allows you to create third-party clients for your APIs and display consent dialogs for authorization.
If a user authenticates through a third-party client that requests authorization to access the user's information, or to perform some action at an API on their behalf, they will see a consent dialog like this one:
Consent Dialog
If the user chooses to allow the application, this creates a user grant that represents this user's consent to this combination of client, resource server and scopes, and the client application then receives a successful authentication response from Auth0. If the user instead rejects consent, they are redirected to the redirect_uri specified in the request with an access_denied error, like so:
    HTTP/1.1 302 Found
    Location: https://fabrikam.com/contoso_social#
        error=access_denied
        &state=...
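The client side of that exchange, as an added example that is not code from the original post or from Auth0: an OAuth 2.0 client receiving the authorization response at its redirect_uri must check the state parameter before trusting anything in it, distinguish a declined consent (error=access_denied) from a granted one, and compare the scopes it was actually granted with the ones it asked for. The state and token values, the scope names and the three sample redirect URLs are constructed for illustration.

```javascript
// Added example, not code from the original post or from Auth0: handling the
// OAuth 2.0 authorization response that arrives at a client's redirect_uri.
// The parameters come back in the URL fragment, exactly like the 302 above.
// All state, token and scope values below are constructed for illustration.

function parseFragmentParams(redirectUrl) {
  const url = new URL(redirectUrl);
  // Fragment parameters never reach the server; the browser-side client reads them.
  return new URLSearchParams(url.hash.replace(/^#/, ''));
}

function handleAuthorizationResponse(redirectUrl, expectedState, requestedScopes) {
  const params = parseFragmentParams(redirectUrl);

  // Bind the response to the request this client actually sent. A missing or
  // foreign state means the response was not initiated here, so drop it.
  const state = params.get('state');
  if (!state || state !== expectedState) {
    return { outcome: 'rejected', reason: 'state_mismatch' };
  }

  // The user declined the consent dialog, or the server refused the request.
  const error = params.get('error');
  if (error) {
    return { outcome: 'denied', error, description: params.get('error_description') || null };
  }

  // Success: a token was issued. Report any scope the client never asked for,
  // so a grant broader than expected is surfaced instead of silently used.
  const accessToken = params.get('access_token');
  if (!accessToken) {
    return { outcome: 'rejected', reason: 'missing_token' };
  }
  const granted = (params.get('scope') || '').split(' ').filter(Boolean);
  const unexpected = granted.filter((s) => !requestedScopes.includes(s));
  return {
    outcome: 'granted',
    tokenType: params.get('token_type'),
    grantedScopes: granted,
    unexpectedScopes: unexpected,
  };
}

// Constructed sample responses: consent rejected, consent granted, and a
// response carrying a state value this client never issued.
const STATE = 'xyzABC123';
const DENIED = 'https://fabrikam.com/contoso_social#error=access_denied&state=' + STATE;
const GRANTED = 'https://fabrikam.com/contoso_social#access_token=tok.sample&token_type=Bearer&scope=read%3Aprofile%20read%3Acontacts&state=' + STATE;
const FORGED = 'https://fabrikam.com/contoso_social#access_token=tok.other&token_type=Bearer&state=other';
```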
Auth0 provides simple, easy-to-use user interface tools to help administrators manage user identities, including password resets, user creation and provisioning, and blocking and deleting users.
Conclusion
At Auth0, we are passionate about security. I recommend this personal information security identity guide for you, your friends and family. Take the time to go through it and protect yourself from cybercriminals and phishing scams.
About the author
Prosper Otemuyiwa
Former Auth0 Employee