How it Worked
It went like this: Millions of Google users received a wholly legitimate-looking email with the subject line "[Sender] has shared a document on Google Docs with you." The email, in addition to looking like a Google-generated message, appeared to come from someone the recipient knew. A screen grab Gizmodo posted shows an example of what the From and Subject fields of the phishing email looked like.
The Silver Lining
The Google Docs phishing attack of 2017 gripped much of the online world for a good two days or so, but it really could not have ended better. For one, Google’s security team snapped into action almost as soon as the attack was reported. As CSO Online staff writer Steve Ragan tells the tale:

“On Reddit, around the time the attack hit its peak, a user posted a full outline, warning others about the situation. Within moments, a staffer at Google took notice and passed the details over to engineering, who said they expected a fix within an hour.”

Second, the experience was a textbook example of threat sharing writ large. Dozens of my Facebook friends took it upon themselves to share screenshots of the suspicious emails and login screen, warning others to beware. It didn’t take long for InfoSec news sites to catch wind of the scam, with articles and blog posts hitting the web explaining the timeline of the attack and what users could do to thwart it.
Toward a Security-Aware Culture
The discussions occurring across my social media feeds immediately made me think of the noteworthy phishing emails my coworkers have received in the last few months. They’ve come in a wide variety, from R-rated advertisements for various sorts of female “services” to f-bomb-laden threats of legal action. The commonality, though, is how quickly word of all these attacks spread around the office. From a security awareness perspective, these are exactly the conversations employees should be having about cyberthreats. These conversations prove that a truly security-aware culture has been achieved.

We’re not the only ones thinking this way. Security awareness guru Lance Hayden, writing in CSO Online, shared a story about the heightened level of security awareness the Google Docs phishing scam revealed at his company. He runs the company’s security awareness efforts, which include simulated phishing attacks, and was thrilled to report how quickly his employees spread word of the scam.

“Watching my own team go from limited awareness to spontaneous security conversations without my intervention was awesome, and showed that our awareness efforts are working,” Hayden wrote.
Security Awareness Goes Mainstream
Now of course, an increased level of threat awareness on the part of the original clickers (patients zero through 20, say) could likely have stopped the Google Docs attempt in its tracks. But that’s no reason to downplay the positive impacts the attack did have. Those folks have likely been added to the ever-growing number of people who are phish-proof. This sort of attack is unlikely to be the last of its kind. For that reason alone, it should be remembered as a cautionary tale. But it should not stop there. In a perfect world for those tasked with improving security awareness, May 3 would become a global Security Awareness Day: a commemoration of the day the global Internet community became more security aware, and of the day security awareness became mainstream. Will you and your organization celebrate going forward?