Google bolsters security to prevent another Google Docs phishing attack

Google

Google bolsters security to prevent another Google Docs phishing attack

It's about to get really difficult to accidentally fall for a phishing attack.

By Zack Whittaker for Zero Day | July 18, 2017 -- 17:00 GMT (10:00 PDT) | Topic: Security

Google is adding a set of features to its security roster to prevent a second run of last month's massive phishing attack.

The company is adding warnings and interstitial screens to warn users that an app they are about to use is unverified and could put their account data at risk.

This so-called "unverified app" screen will land on all new web apps that connect to Google user accounts to prevent a malicious app from appearing legitimate. Any Google Chrome user landing on a hacked or malicious website will recognize the prompt as the red warning screen.

Some existing apps will also have to go through the same verification process as new apps, Google said.

Google also said it
will add those warnings to its Apps Scripts, which let Google use custom macros and add-ons for its productivity apps, like Google Docs.

"These new notices will inform users automatically if they may be at risk, enabling them to make informed decisions to keep their information safe, and will make it easier to test and develop apps for developers," said Google.

In case you missed it: Gmail users were hit by a new kind of phishing attacklast month that masqueraded as a document stored in Google Docs. The attack worked by tricking users into thinking the email came from a person known to the recipient. When the link to the purported document was opened, a page pointing to a Google-hosted fake app named "Google Docs" would ask for that person's account permissions -- including contacts -- which would be used to email everyone in the person's contacts list.

Are IT house calls burning up your work hours?

A key advantage of delivering support involves the ability to be in two places at once. Not only does it help ease the burden of troubleshooting issues, but it can reduce the time to resolution by removing the need for in-person IT house calls. How...

Downloads provided by SolarWinds

News of the attack spread like wildfire, even though Google said that only 0.1 percent of accounts were affected.

The company also tightened the screws on policies and enforcement on OAuth applications that use the Google platform.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.