Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

We all get a little click-happy sometimes. We click “Agree” before reading the terms of service, we click “Okay” before reading the details of a new update and we click “Share” before reading the entirety of a news article (or if we don’t, we know someone who does). This click-happy habit may seem harmless, especially within the confines of a popular, verified site such as Facebook or Twitter. But earlier this month, many unsuspecting Google users received a wakeup call that may just put an end to careless clicking.

The Scam

The email, at first glance, looked like something routine—a friend from your contacts list sharing a Google Doc. Users who clicked the link to the Google Doc then came across another thing that may have seemed routine—an application, named “Google Docs,” asking for authorization to access your email account and contacts list. Not only did the request seem to come from a well-known, verified, Google-brand application, but the request itself was nothing out of the ordinary—many users encounter such requests all the time when taking the convenient route of registering for another site with an already established Facebook or Google account.

But what users didn’t see was that this “Google Docs” was not the actual, verified Google Docs app, and that the email wasn’t actually addressed to them, but to an unfamiliar email address, with the recipient only blind-copied.

Clicking the “Allow” button to authorize “Google Docs” to access your account unintentionally spread a self-propagating, virus-like scam: once “Google Docs” had access to your account, it automatically sent the same spoofed link to everyone in your address book.

The Aftermath

Google was quickly alerted to this apparent scam, which occurred on May 3, and was able to put an end to it in about an hour.

“We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems,” said a Google spokesperson about the incident. “While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”

In other words, click-happy users got lucky. A Google spokesperson confirmed to Forensic Magazine that although the fake app may have gained authorization to “Read, send, delete, and manage your email,” as suggested by a screenshot included in a Reddit thread documenting the incident, no further information, such as the content of the emails on users’ accounts, was accessed by the scammer.

Google also said in a blog post following the incident that “fewer than 0.1% of our users were affected.” For reference, Gmail has over 1 billion users—0.1 percent of that would be about 1 million.

The Catalysts

This relatively harmless but high-profile, headline-generator phishing attempt came down to two major factors, according to cybersecurity experts I spoke with this week: the increased use of authorization mechanisms such as OAuth, which give third-party apps quick access to user accounts, and the social engineering of end users to click on unverified links against their best interest.

Abuse of OAuth

Jason Glassberg, co-founder and managing principal of Casaba Security, who also considers himself to be an “ethical hacker,” explained how the protocol called OAuth was used by the perpetrator of the Google Doc scam.

“OAuth is a very common industry standard technology that allows you to process a username-password combination to give you access to something, to assign you rights or to let you look at something,” Glassberg said.

OAuth allows third-party apps to access information from one’s account that may be needed to use the app, without giving the app the user’s username and password. If you’ve posted one of those funky “what animal are you” quizzes through an app on Facebook, or signed up for online shopping in just a couple clicks using your Twitter account, you have likely come in contact with the OAuth mechanism.

In some ways, this provides users with more security by not requiring them to give out their credentials to third parties. However, the scammer in this case took advantage of users’ familiarity with and trust in this process—and in Google’s name—to spread malicious code.

“They very cleverly were able to use Google’s own internal tools to make an application with the name ‘Google Docs’ and they asked you to give permission to this app so that you could open up this supposed Google document that was sent to you,” Glassberg further explained. “(Users) assumed they were opening up a real Google Doc—what they were really doing was giving permission for their address lists through this rogue or malware application, which then sucked up all of (their) address list and then replicated itself.”

By abusing the OAuth function, the scammer “infected” the users’ email accounts without them ever leaving the Google website.
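The consent screen is the one place a user (or a reviewer checking connected apps in Security Checkup) can still catch this pattern: the page is genuinely hosted by Google, so a domain check alone passes, and what gives the app away is the combination of a first-party-sounding name with mailbox and contacts scopes. The following is an added example, not code from the article, from Google or from Casaba Security; it parses the authorization URL a user is about to approve and lists the red flags. The scope strings are Google's documented OAuth scopes, while the client ID, redirect URI and app name are constructed placeholders.

```python
"""Triage of an OAuth 2.0 authorization request (added example, not the
article's or Google's code). Reports broad mailbox/contacts scopes and a
third-party client whose display name mimics a first-party Google product.
client_id, redirect_uri and the display name are constructed placeholders."""
from urllib.parse import urlparse, parse_qs

# Google's documented OAuth scope strings; the risk descriptions are ours.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to the mailbox",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and modify mail",
    "https://www.googleapis.com/auth/contacts": "read and write the contact list",
    "https://www.googleapis.com/auth/contacts.readonly": "read the contact list",
}

# Product names a third-party app should never present as its own.
FIRST_PARTY_NAMES = ("google docs", "google drive", "gmail", "google")

# Google's real OAuth consent host; the May 2017 consent page lived here too,
# which is why a host check on its own is not enough.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Constructed example URL (the client_id and redirect_uri are placeholders).
CONSTRUCTED_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)


def parse_consent_url(url):
    """Return (host, scopes) for an authorization URL. OAuth puts all
    requested scopes, space-separated, in the single 'scope' parameter."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)          # decodes %xx and '+' for us
    scope_param = query.get("scope", [""])[0]
    return parsed.hostname, scope_param.split()


def triage_consent(url, app_display_name):
    """Return a list of human-readable red flags for this consent request."""
    host, scopes = parse_consent_url(url)
    flags = []
    if host not in GOOGLE_AUTH_HOSTS:
        flags.append(f"consent page is not on a Google account domain: {host}")
    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            flags.append(f"requests {HIGH_RISK_SCOPES[scope]} ({scope})")
    name = app_display_name.strip().lower()
    if any(name == n or name.startswith(n + " ") for n in FIRST_PARTY_NAMES):
        flags.append("third-party app named like a first-party Google product: "
                     f"'{app_display_name}'")
    return flags


def is_suspicious(url, app_display_name):
    """True when at least one red flag was raised."""
    return len(triage_consent(url, app_display_name)) > 0


if __name__ == "__main__":
    for flag in triage_consent(CONSTRUCTED_CONSENT_URL, "Google Docs"):
        print("RED FLAG:", flag)
```

Run against the constructed URL with the display name “Google Docs”, the host check passes and three flags come back: the full-mailbox scope, the contacts scope, and the borrowed product name. A genuine document share never routes through a third-party consent screen at all, so any such request attached to an “open this document” link deserves a second look.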

“In a real twist, they were able to use Google, Google’s technologies, and Google’s systems against them,” Glassberg said.

Engineering of Users

The scammer also used users’ regular habits and instincts against them, according to Stu Sjouwerman, founder and CEO of KnowBe4, a company that promotes a “human firewall” approach to cybersecurity threats.

“We define social engineering, to keep it as simple as possible, as the bad guys manipulating someone to do something against their best interest,” Sjouwerman said. “Email at the moment is the number one infection vector of any kind of malware that penetrates a network, and obviously that requires a certain measure of social engineering.”

Sjouwerman explains that human error—user actions influenced through engineering by a scammer—can make otherwise secure situations unsafe, as users are tricked into welcoming malware with open arms.

“Google is not as safe as you think it would be if you social engineered a user to download seemingly a Google App, but in reality malicious code,” he said. “(Google has) an excellent name, and deservedly so, but even Gmail isn’t entirely safe if you use social engineering as your propagation factor.”

“An end-user who was trained to spot social engineering red flags would have thought before they clicked,” Sjouwerman wrote in his own blog on the incident.

The Lesson

“People need to be very careful in what they give permissions to because fortunately this particular Google Docs phishing attack seemed to exist only to collect more email addresses, but it could have done much worse things in terms of collecting personal data,” Glassberg said. “So this is almost like a wakeup call for how serious these kinds of attacks can be.”

Glassberg says that just like two-factor authentication—using two factors to verify your identity when logging in—users should use a two-factor system for verifying email attachments they receive. 

“You need to verify that a) the person sent you this document and b) that the document is in fact a legitimate document and not a virus,” he said.
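Two of the red flags in this campaign were visible in the message itself before anyone clicked: the recipient was not in the To line (only blind-copied on a bulk send to an unfamiliar address), and the “open document” link led to an authorization request rather than to a document. The following is an added example, not code from the article or from KnowBe4; it applies those two checks to a raw email. The message, sender, addresses and client ID are constructed for the example, and the document-versus-consent distinction relies on Google's real hosts (docs.google.com for documents, accounts.google.com for OAuth consent).

```python
"""Red-flag triage for a 'shared document' email (added example, not the
article's or KnowBe4's code). Checks whether the message was addressed to
the reader and whether its link opens a document or an OAuth consent page.
All addresses and the client ID below are constructed placeholders."""
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed consent URL; client_id is a placeholder.
CONSTRUCTED_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&response_type=code&scope=https%3A%2F%2Fmail.google.com%2F"
)

# Constructed message: bulk-sent to an unfamiliar address, reader only BCC'd.
CONSTRUCTED_MESSAGE = (
    "From: A Friend <friend@example.com>\n"
    "To: unknown-recipient@example.invalid\n"
    "Subject: A Friend has shared a document on Google Docs with you\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n"
    "\n"
    "A Friend has invited you to view the following document:\n"
    f"{CONSTRUCTED_CONSENT_URL}\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"]+")


def recipient_addresses(msg):
    """Lower-cased addresses from To and Cc (BCC recipients never appear)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def message_text(msg):
    """Concatenate the text/plain parts (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")


def classify_link(url):
    """'document' for a Google Docs document URL, 'oauth-consent' for a
    Google authorization request, 'other' for anything else."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == "docs.google.com" and parsed.path.startswith("/document/"):
        return "document"
    if host == "accounts.google.com" and "/oauth2/" in parsed.path:
        return "oauth-consent"
    return "other"


def triage_message(raw_message, my_address):
    """Return the red flags a recipient can check before clicking."""
    msg = message_from_string(raw_message)
    flags = []
    if my_address.lower() not in recipient_addresses(msg):
        flags.append("you are not in To/Cc: bulk-sent with you blind-copied")
    for url in URL_RE.findall(message_text(msg)):
        kind = classify_link(url)
        if kind == "oauth-consent":
            flags.append("'open document' link is an OAuth authorization "
                         f"request, not a document: {url}")
        elif kind == "other":
            flags.append(f"link does not point to a Google document: {url}")
    return flags


if __name__ == "__main__":
    for flag in triage_message(CONSTRUCTED_MESSAGE, "me@example.com"):
        print("RED FLAG:", flag)
```

The header check covers Glassberg's point a) only partially: it shows the message was not really addressed to you, but confirming that the friend actually sent it still needs an out-of-band question to them. Point b) is what the link classification answers: a real shared document opens on docs.google.com, never through a third-party consent screen.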

Sjouwerman added, “You can’t rely on your software and hardware defenses, you have to have the human defense as well as part of your defense in-depth.”

He says this is especially important for larger companies and organizations, who can best train their employees through regular, simulated phishing attacks that will expose them to a range of red flags to look out for.

“There are no absolutes, you cannot ever get to zero, but you can get really close,” he said. “And so this is why we say you need to create a human firewall, which is your last line of defense.”