Last week, I wrote a bit about the dangers of passwords and the relationship with the Google Docs phishing scam that recently broke. Today, I’m going back to the Google Docs issue, but to look at it from a different angle: how scammers continue to use social engineering so successfully.
An eSecurity Planet article touched on this:
Fidelis Cybersecurity threat research manager John Bambenek said by email that the attack is a stark reminder that criminals and nation states are targeting the one thing technology can't fix -- the user. "If you can trick the user into compromising themselves, you have no need for a zero-day," he said. "Security awareness and vigilance of end users are the key to the security of any system."
This echoes what Nathan Wenzler, chief security strategist at AsTech, told me in an email message: hackers are using attacks such as ransomware and honed spearphishing campaigns to go after the weakest link, people. He added:
These attacks take advantage of social and emotional constructs to either fool the user into clicking on a link or a file that is malicious, or in the case of ransomware, appeal to the user's sense of ownership of their data and the desire to gain access to files which are important to them and may not be available anywhere else.
Someone recently asked what excites me about cybersecurity right now, and I said behavior analytics and how hackers use human behavior to manipulate their attacks, but also how security professionals can turn to behavior to better prevent attacks. In the Google Docs phish, the hackers not only relied on behavior to gain an edge, but also used legitimate functionality within Google's infrastructure to present a genuine Google login. They counted on the phishing recipients to simply react without thinking. And we should expect hackers to build on this type of attack vector, according to Simon Taylor, vice president of products at Glasswall, who told me in an email comment:
Cyber criminals know that productivity suites like O365 and Google, as well as dynamic documents and other types of shared files are the lifeblood of today’s internet users. This includes consumers and employees of massive corporations, and oftentimes, they’re one and the same. While the threat has reportedly been mitigated by Google, this will not stop the ever-expanding theme of clever phishing tactics by malicious actors.
What can you do to help your employees avoid phishing scams that are using the tools they use every day to conduct ordinary job duties? You know I’m going to say it’s time for security awareness training, specifically about this type of attack, and to always verify everything before clicking, especially if the request is out of the ordinary. In addition to that, Wenzler suggested that users should understand exactly how the software works:
Under normal conditions, Google Docs won't ask a user to provide access to Google Docs. It already has it, essentially, as that's the nature of signing up for the service. Users who know that something called "Google Docs" won't ask for access like this attack did would know that something is amiss and could stop before providing that access. Always take a moment to understand what your web-based applications are supposed to do, and if you see something abnormal, err on the side of caution and do not proceed.
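Wenzler's rule, that a real Google product never shows up as a third-party app asking for access, can be turned into a check a defender runs over the third-party authorizations in an account or domain. The script below is an added example, not code from the article or from any of the companies quoted; it assumes the authorizations are OAuth consent grants carrying Google's scope URLs, and the grant records it reviews are constructed for illustration.

```python
import re
from typing import Dict, List

# Display names that belong to Google's own products. A third-party app
# presenting one of these on a consent screen is impersonating Google.
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail", "google"}

# Scopes broad enough that a grant deserves review on its own: full mailbox
# and contact-list access is far more than a document viewer needs.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/drive",
}


def normalize(name: str) -> str:
    """Lower-case the app name and drop punctuation and invisible characters,
    so that 'Google\u200b Docs.' still matches 'google docs'."""
    cleaned = re.sub(r"[^a-z0-9\s]", "", name.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def review_grant(app_name: str, scopes: List[str]) -> List[str]:
    """Return human-readable findings for one consent grant; empty means nothing odd."""
    findings = []
    if normalize(app_name) in FIRST_PARTY_NAMES:
        findings.append(f"app name {app_name!r} impersonates a first-party Google product")
    for scope in scopes:
        if scope in BROAD_SCOPES:
            findings.append(f"broad scope requested: {scope}")
    return findings


def review_grants(records: List[Dict]) -> Dict[str, List[str]]:
    """Review a batch of grant records and keep only the apps with findings."""
    results = {}
    for record in records:
        findings = review_grant(record["app"], record["scopes"])
        if findings:
            results[record["app"]] = findings
    return results


# Constructed sample records, not real telemetry. The first mirrors the shape of
# the Google Docs phish: a first-party name asking for mailbox and contacts access.
SAMPLE_GRANTS = [
    {"app": "Google Docs", "scopes": ["https://mail.google.com/",
                                      "https://www.googleapis.com/auth/contacts"]},
    {"app": "Acme Notes", "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]

if __name__ == "__main__":
    for app, findings in review_grants(SAMPLE_GRANTS).items():
        print(app, "->", "; ".join(findings))
```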
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba