Google Docs Phishing, Because Some Days it’s Just Too Easy

EXPERT PANEL: Recorded on Tuesday, May 16, 2017

Eyal Benishti, CEO, IRONSCALES
Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4
Jordan Wright, Senior R&D Engineer, Duo Security

Sean Martin, CISSP, Founder and Editor-in-Chief, ITSPmagazine

In this webinar, we discussed the current situation with a few experts to get their views on what's happening and what the impact is to society. Some of the topics we discussed include:

  • Overview of what happened (or is still happening)
  • How this threat is unique to other phishing schemes
  • How the industry responded and how crowd-sourced/social intelligence sharing saved the day
  • How to spot it before getting compromised
  • How it impacts businesses
  • The role of user awareness training in protecting against attacks in the future

With this awareness, hopefully we can continue to do our part to keep malware from people into click malicious links in their emails - even when the emails appear to be from friends and colleagues connected to Google Docs.

In addition to the Google Docs case, the panelists have agreed to briefly review the recent WannaCry case as well.


Additional Resources

The experts all provided some materials to help further the awareness and education surrounding this threat. You can find the full collection of resources here:


Question: Is it possible that the attackers are becoming so good that they do not need long term connections to achieve their needs?

Jordan Wright, Duo Security: It depends on the goals of the attacker. If the attacker has one task in mind and can rely on automation to execute that task quickly (such as extracting data or, in this case, sending emails), then persistent access to the account is not needed.

However, in traditional phishing attacks, credentials are stolen for the purpose of selling them to fraudsters later. The value of the credentials depends on them being valid to obtain access to the account.


Eyal Benishti, IRONSCALES: Yes, and this is why we must be able to detect and response quickly, some attackers will try and get ‘offline’ access as we see in rogue Android applications since they know users normally don’t read or understand the permission they grant different apps but sometimes they are just looking for some quick wins knowing they have a short time span, our job is to make it minutes and not hours/days/weeks.



Question: Do you think that gamification of the corporate training for security would improve the way people learn it?

Jordan Wright, Duo Security: Gamification has pros and cons. There is absolutely value in rewarding people for doing the right thing. By rewarding employees who report phishing emails, you can create a collaborative culture which puts the security admins and employees on the same team. This is the goal to strive for because employees will want to be the first to report a potential phish, lowering the overall detection time.

However, if gamification is taken to the extreme there can be potential downsides, especially if the validity or priority of the report depends on the "score" of the employee. It is possible that a severe phishing attempt is sent to an employee and the gamification system puts the report in a lower priority queue. This could result in a larger impact to the organization.


Eyal Benishti, IRONSCALES: Definitely, users (and especially the Millennials have a very short attention span, short/nugget gamified training is the only way to get their attention and cooperation. No more videos and dull e-learning sessions.



Question: Will we see an increase in Man-In-The-Browser? What are other ways in which OAuth can be leveraged to breach multiple platforms simultaneously?

Jordan Wright, Duo Security: OAuth access is restrained to a single service provider (in this case Google). That said, depending on the permissions granted, there can be cases in which attackers gain access to multiple services by the same provider (since they share authentication), or even edge cases where attackers can use their access to indirectly gain access to other services. For example, if I have access to email and can generate a password reset for another service, I can use that to takeover additional accounts.


Eyal Benishti, IRONSCALES: OAuth is an authentication and authorization method that doesn’t require handing over a  user/pass, which in turn gives a false sense of security. In fact most users don’t really understand the meaning of doing that and this is why it can be destructive.

Authorization of 3rd party application must be treated like a client application installation by all means.