A phishing scam that emerged earlier this week used Google Docs in an attack on at least 1 million Gmail users.
However, that means less than 0.1 percent of Gmail users were affected, according to the company.
Google last year put the number of active Gmail users monthly at more than 1 billion.
Google shut down the phishing scam within an hour, the company said, through automatic and manual actions. It removed the fake pages and applications, and pushed updates through Safe Browsing, Gmail and other anti-abuse systems.
Users do not need to take action on their own, Google said, but those who want to review third-party applications linked to their accounts can do so on the Security Check site.
Google Checks Anti-Phishing Security
Coincidentally, Google this week introduced a new anti-phishing security feature to Gmail on Android. The new tool displays a warning when a user clicks a suspicious link in an email message, informing them that the site they are trying to visit has been identified as a forgery. Users can back out or continue to the site at their own risk.
Google is gradually rolling out this new feature to all G Suite users.
How document attacks go down with Google
This week’s Docs attack was an effective approach to luring users before Google pinned it down.
Recipients get an email from someone they know, inviting them to click a link to collaborate on Google Docs.
Clicking the “Open in Document” link directs them to the Google OAuth 2.0 page to authorize the fake Google Docs application.
The consent page states that Google Docs wants to read, send, delete and manage the recipient’s email and manage their contacts, a common request for some applications that use Google as an authentication mechanism.
Once permission is given, the attacker gets access to the victim’s address book, which allows the attack to go viral quickly.
The attack utilizes OAuth, “a ubiquitous industry standard protocol [which provides] a secure way for applications and Web services to connect without requiring users to share their account credentials with the application,” said Ayse Firat, director of analysis and customer insight at Cisco Cloudlock.
“Because it is universally adopted by almost all Web-based applications and platforms – including consumer and enterprise applications such as Google Apps, Office 365, Salesforce, LinkedIn and many others – this provides a broad surface of attack,” Firat told TechNewsWorld.
OAuth 2.0 is highly susceptible to phishing because every website that uses it asks end users to enter their master username and password. Cisco Cloudlock has identified more than 275,000 OAuth applications that are connected to core cloud services, such as Office 365, compared to only 5,500 three years ago.
OAuth-based attacks “bypass all layers of standard security, including next-generation firewalls, secure Web gateways, one ID, multifactor authentication and more,” Firat warned.
Forecast Using OAuth
With software vendors increasingly implementing their applications in the cloud, how much risk do OAuth vulnerabilities pose for end users?
“Most cloud services are quite safe, and OAuth-based attacks are unlikely to work if they depend on the protocol being secured,” said Michael Jude, a program manager at Stratecast / Frost & Sullivan.
OAuth authentication “is bigger than an online application,” he suggested. “This is also a basic protocol that can be important on social media. Improve your business with social media management services from Deluxe’s efforts to be more similar to public transport operations for communication.”
OAuth “must be done properly, or there is no future for communication services mediated by social media,” Jude warned.
Protecting Against OAuth-Based Attacks
Organizations need to develop high-level strategies and specific application usage policies to decide how they can whitelist or ban applications, and share this vision with their end users, Firat suggested.
Individual users should log into their Google account security settings and revoke permissions for applications that they don’t know or trust, Firat advised. They also “may not give permission to applications that request excessive access.”
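One way to apply the allowlist and excessive-access advice above is to audit an inventory of third-party OAuth grants. The following is an added example, not code from the article or from Google or Cisco: the record format, client IDs, app names and allowlist are constructed, and treating the two Google scope URIs below as the "read, send, delete and manage email" and "manage contacts" permissions is an assumption.

```python
# Added example: audit third-party OAuth grants against an allowlist policy.
# Every record, client ID and app name below is constructed for illustration.

# Scopes treated as high risk (assumption): full Gmail access and contact
# management, the kind of access the fake "Google Docs" app asked for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}
# Hypothetical organization allowlist of approved OAuth client IDs.
ALLOWLIST = {"1111-approved.apps.example"}
# Brand names a third-party app should never display (assumption).
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}


def normalize(name):
    """Lower-case and collapse whitespace so 'Google  Docs ' matches."""
    return " ".join(name.lower().split())


def audit_grant(grant):
    """Return the list of policy findings for one OAuth grant record."""
    findings = []
    if grant["client_id"] not in ALLOWLIST:
        findings.append("not-allowlisted")
    if normalize(grant["app_name"]) in PROTECTED_NAMES:
        findings.append("impersonates-trusted-name")
    risky = HIGH_RISK_SCOPES & set(grant["scopes"])
    if risky:
        findings.append("excessive-scope:" + ",".join(sorted(risky)))
    return findings


def revoke_candidates(grants):
    """Unapproved apps that also impersonate a brand or hold risky scopes."""
    out = []
    for g in grants:
        f = audit_grant(g)
        if "not-allowlisted" in f and len(f) > 1:
            out.append((g["user"], g["client_id"], f))
    return out


GRANTS = [  # constructed sample inventory
    {"user": "alice", "client_id": "9999-unknown.apps.example",
     "app_name": "Google  Docs", "scopes": list(HIGH_RISK_SCOPES)},
    {"user": "bob", "client_id": "1111-approved.apps.example",
     "app_name": "Acme CRM",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
    {"user": "carol", "client_id": "2222-todo.apps.example",
     "app_name": "Todo Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
```

The name check is an exact match after whitespace and case folding, so it does not catch look-alike characters. Unapproved apps with no other finding (carol's grant here) are left for manual review rather than revoked.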
Efforts have been launched to incorporate more stringent security requirements into OAuth, said Jude of Frost, “but I have never heard of certain availability.”