By Carolyn Crandall
Yesterday, a large wave of phishing emails was discovered around 11:30 PT when an unknown party sent out messages claiming that someone in the recipient's contact list had shared a Google document with them. A Google spokesperson said the company has disabled the accounts from which the attack originated. The attack affected approximately 1 million accounts, and hopefully none of your employees were among them. Here is what Google put out late last night:
“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”
By now, the damage has been done for anyone who was "hooked," and you have told the company what to do if they were. This is a good opportunity to build on the education you have already been giving your employees. Since phishing is a social-engineering attack, the best defense in these cases is a well-educated staff. If you are like most security executives, your emails and reminders about best practices are often ignored and rarely internalized. A huge, well-publicized attack like this is a chance to remind everyone that you have been, and will continue to be, providing training and information on the aspects of security that only they can act on to keep the company safe. According to the Anti-Phishing Working Group, 100,000 new phishing attacks are reported every month, and thousands of people fall for them. Above all, remind them that when it comes to their email, they can't really trust anything.
Here are five tips to help individuals be more prepared to handle phishing attempts:
- Report suspicious emails.
If they don't recognize the sender, they should forward the email to IT (as an attachment where the mail client allows it, so the original headers survive for analysis). There are a number of tools that can help here. In the case of Attivo Networks customers, it is easy. As part of the ThreatStrike End-Point Suite there is a button that can be placed on a user's email dashboard that allows them to forward the email to IT with one click. The BOTsink Deception Server includes an attack analysis engine that automates the checking of email for malicious URLs and attachments. The information found can then be applied to strengthen the organization's defense against the attacker.
- Don’t fall for it
There is no scenario in which a legitimate email will ask them to send their passwords or personal information. They should never respond to such requests, and if they have the slightest doubt, they should send the email on to you for examination. It shocked me that at the recent CSO50 conference a presenter shared that his organization, which actively educates its team and uses fake phishing emails to test its employees, still has 2% of recipients fall for these fake emails and enter data that they shouldn't.
- Never click on links included in emails
Do not click on hyperlinks in the email, as they may lead to a fraudulent website. They should type the URL directly into their browser or use bookmarks / favorites if they want to go faster. A word of caution about "https://" and the closed-lock icon: they only mean the connection is encrypted and that the certificate matches the domain shown in the address bar. They say nothing about whether that domain is legitimate, and phishing sites routinely use valid certificates. The thing to check is the domain name itself. In this campaign the link led to a genuine Google sign-in page that asked the user to grant account access to a third-party application named "Google Docs", so the lock icon was no help at all; the permission request was the thing to scrutinize.
- Phishing has no boundaries
Phishing emails can reach your people in any language. They are often poorly written or translated, which is another indicator that something is wrong. In the case of this attack, the "To:" field populated with "hhhhhhhhhhhhhhhh" should have raised suspicion: the real recipients were not addressed directly, as they would be in a genuine share notification.
The emails will not always appear to come from a Gmail account. The email I received appeared to be from Salesforce and looked like this:
- Beware of a sense of urgency
A piece in Wired magazine last month (that I encourage you to read) had a great quote from Trevor Hawthorn, the chief technology officer at Wombat Security, which works on phishing and security awareness. "We're conditioned to try to help people and be nice. You don't want to seem rude or defensive," he says. "But one of the most important things people can do is when something is being asked of them, when there's some sort of call to action, think about the context of what the sender is asking you to do. If there's a sense of urgency that's when I would be a smart skeptic and slow down." This takes practice. Wombat has found that when people do consistent anti-phishing training, say once a month, they are better at avoiding phishing links than when they haven't had a lesson in a few months.
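Several of the tips above (a "To:" field that does not name the recipient, a display name that claims a brand the sending domain does not belong to, a link whose visible text differs from where it actually goes, and urgency language) can be checked mechanically when a user forwards a message to IT. The script below is an added example written for this post; it is not code from the original article or from Attivo Networks. It parses a constructed .eml sample with the Python standard library and returns the indicators it found. The sample messages, the recipient address and the brand-to-domain table are assumptions made for the demonstration.

```python
"""Heuristic triage of a reported phishing e-mail (added example, standard library only)."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the recipient is not in To:, a placeholder mailbox is,
# the display name claims a brand whose domain does not match the sender,
# and the link text shows a different host than the real href.
SAMPLE_EML = """\
From: "Google Docs" <alice@example.com>
To: hhhhhhhhhhhhhhhh@example.net
Subject: Alice has shared a document with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Alice has invited you to view a document. Open it immediately or it will expire.</p>
<p><a href="https://docs-google.example.org/open">https://docs.google.com/document/d/abc</a></p>
</body></html>
"""

# Constructed benign sample for comparison (sender address is an assumption).
LEGIT_EML = """\
From: "Google Docs" <noreply@google.com>
To: bob@example.com
Subject: Alice shared a document
Content-Type: text/html; charset="utf-8"

<html><body><p>Alice shared a file with you.</p>
<p><a href="https://docs.google.com/document/d/abc">Open</a></p></body></html>
"""

# Brands that should only appear with their own sending domains (assumed table).
BRAND_DOMAINS = {"google docs": ("google.com",), "salesforce": ("salesforce.com",)}
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "expire", "suspended")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, or of a bare 'host/path' string taken from link text."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or "").lower()


def _domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(raw_eml, recipient):
    """Return a list of (indicator, detail) findings for a reported message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    # 1. Recipient hidden behind Bcc, or a placeholder mailbox in To: (the
    #    "hhhhhhhhhhhhhhhh" pattern from the campaign described above).
    visible = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if recipient.lower() not in visible:
        findings.append(("recipient_not_addressed", ", ".join(visible) or "<empty>"))
    for addr in visible:
        local = addr.split("@")[0]
        if len(local) >= 8 and len(set(local)) <= 2:
            findings.append(("placeholder_to_mailbox", addr))

    # 2. Display name impersonates a brand while the address comes from elsewhere.
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.split("@")[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(_domain_matches(sender_host, d) for d in domains):
            findings.append(("display_name_mismatch", f"{name!r} sent from {sender_host}"))

    # 3. Link text that shows one host while the href points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    extractor = _LinkExtractor()
    extractor.feed(text)
    for href, shown in extractor.links:
        if re.match(r"(https?://)?[\w.-]+\.\w+", shown) and _host(shown) != _host(href):
            findings.append(("link_text_mismatch", f"shows {_host(shown)}, goes to {_host(href)}"))

    # 4. Pressure to act now.
    hits = [w for w in URGENCY_WORDS if w in text.lower()]
    if hits:
        findings.append(("urgency_language", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_EML, "bob@example.com"):
        print(f"{indicator:24} {detail}")
```

Heuristics like these are a triage aid, not a verdict: a legitimate share notification can trip the urgency check, and an attacker who sends from a compromised real account (as this campaign did) will pass the display-name check. Their value is in surfacing the indicators quickly so a human can decide, and in giving users concrete feedback on what made the message suspicious.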
What to do if you think your account has been compromised:
If you think your Google account has been compromised, go to https://myaccount.google.com/u/0/permissions to review which third-party apps have been granted access to it.
If you see a “Google Docs” app authorized recently, remove it as well as any other apps you don’t recognize.
Google also recommends completing a security checkup at https://myaccount.google.com/secureaccount to confirm there have not been any suspicious changes or activity.
Constant education on safe habits is critical. By pointing out new phishing techniques as they appear, you give your people the knowledge of what these attacks look like and how best to avoid falling prey to them. But in reality we are human and prone to mistakes. With this in mind, security must also maintain the right defenses to detect these incidents early, before the attacker has time to turn a single compromised mailbox into a full-scale attack.