Many Gmail users were conned on Wednesday, May 3, when they fell victim to a phishing attack. The users were tricked into giving up access to their Gmail accounts by fake Google Docs that were sent as attachments inside the malicious emails. The phishing emails came from the victims' known Gmail contacts, whose accounts had already been compromised by the same attack.

How do the phishing emails work?

The malicious e-mails, which circulated globally for about three hours before Google stopped them, invited the victim to open an attachment that at a glance looked like a Google Doc.

Given that the e-mail came from a known contact (an account already compromised earlier in the attack), the recipient might well proceed to open the fake Google Doc. In reality the "attachment" was a link that redirected the recipient to a dummy application, which then asked the user to grant it permission to access their account.

Given that the dummy application was named "Google Docs" and asked the victim to grant it access through the genuine Google sign-in flow, one seldom thinks twice before approving the request. The hackers were able to do this by abusing the OAuth protocol pathway that Facebook, Google, and Twitter use to connect their services with third-party apps.

OAuth protocol

The OAuth protocol never hands the third-party application the user's password or any other personal data.

Instead, it issues the application an access token that can be used to act on the user's account. Taking advantage of this feature of the OAuth protocol, the hackers behind Tuesday's phishing attack developed a fake third-party application that used the real Google login and consent process to obtain such a token.

Trend Micro's VP Mark Nunnikhoven noted that the hack was pretty clever and took advantage of the option to link one's "Google Account to a third-party app."

The attack was sneakily designed: because the access is granted through OAuth, the hackers never needed the password and therefore sidestepped Google's two-step verification, which would otherwise have stopped the attack.

How to avoid the attack?

One just needs to keep their eyes and ears open in order to detect this phishing scam. The first clue that the email is fake is where the recipient's address appears. On careful inspection the recipient of the malicious mail will see that he or she has been placed in the BCC field, which is a strange thing for a genuine contact to do.

Secondly, the recipient will also see that the only other visible address is "hhhhhhhhhhhhhhhh@mailinator[.]com", which should definitely alert anyone who handles mail on a daily basis. If these signs are present in the e-mail, it is the one sent by the hackers.
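The two clues above can be turned into a simple mail-triage check. The following is an added example, not code from the article or from Google: it parses two constructed messages (one mimicking the campaign, one a normal share notification) and flags a message when the mailbox owner is absent from To/Cc (i.e. was delivered via BCC) and the only visible recipient is a throwaway mailinator.com address. The mailbox address, the sample headers and the set of decoy domains are assumptions for the demonstration.

```python
import email
from email import policy
from email.utils import getaddresses

# Indicator from the article: the only visible recipient was a mailinator.com
# throwaway address. Extend this set with other disposable-mail domains.
DECOY_DOMAINS = {"mailinator.com"}

# Constructed sample mimicking the campaign: target is in BCC (so absent from
# the headers), the only visible recipient is the decoy address.
SAMPLE_PHISH = """\
From: Known Contact <contact@example.org>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: Known Contact has shared a document on Google Docs with you
Message-ID: <constructed-phish-1@example.org>

Known Contact has invited you to view a document.
Open in Docs: https://accounts.google.com/o/oauth2/auth?client_id=PLACEHOLDER
"""

# Constructed sample of an ordinary share notification addressed to the user.
SAMPLE_LEGIT = """\
From: Known Contact <contact@example.org>
To: Victim <victim@example.com>
Subject: Known Contact has shared a document on Google Docs with you
Message-ID: <constructed-legit-1@example.org>

Known Contact has invited you to view a document.
Open in Docs: https://docs.google.com/document/d/PLACEHOLDER/edit
"""


def visible_recipients(msg):
    """Return the lower-cased addresses that appear in To and Cc."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def triage(raw_message, mailbox_address):
    """Return the list of phishing indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    recipients = visible_recipients(msg)
    findings = []

    # Clue 1: the mailbox owner is not a visible recipient, so the message was
    # delivered through BCC, unusual for a personal share from a known contact.
    if mailbox_address.lower() not in recipients:
        findings.append("recipient_hidden_in_bcc")

    # Clue 2: every visible recipient is a disposable decoy address.
    decoys = {a for a in recipients if a.rsplit("@", 1)[-1] in DECOY_DOMAINS}
    if decoys and recipients == decoys:
        findings.append("only_visible_recipient_is_decoy")

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw, "victim@example.com"))
```

Either indicator on its own is a weak signal (mailing lists also BCC their members), which is why the check reports each finding separately and a mail filter would treat the combination, rather than any single clue, as grounds to quarantine the message.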