[CCoE Notice] Google Docs Phishing Campaigns Targeting MS-ISAC Members
Luong, Kiet A
KDLuong at Central.UH.EDU
Thu May 4 12:19:02 CDT 2017
Good afternoon,
I received this alert from the campus IT Security team, and wanted to pass it along to all of you. Please read carefully and be mindful of this and other similar phishing email scams out there, waiting to trick you into clicking on a suspicious link or attachment that should have been reviewed more carefully. Please pass this message to students in your areas as well, as they may not be as aware of phishing scams as you all are.
I’m sure IT Security is doing their best to filter out this email from the email server, but let’s do our part by practicing more due diligence to protect ourselves in the meantime.
Thanks,
Kiet Luong
Director of Engineering Computing
College Information Security Officer
Cullen College of Engineering
University of Houston
Email: KietL at uh.edu
Voice: 713.743.9974
We did have reports of this message being received here at UH, and at other universities nationwide, but we have no indication of any compromises due to the message here at UH.
SUBJECT: MS-ISAC CYBER ALERT – Google Docs Phishing Campaigns Targeting MS-ISAC Members
On May 3, 2017, the Multi-State Information Sharing and Analysis Center (MS-ISAC) received reporting from five states regarding a Google Docs phishing email campaign. The details of the attack are as follows:
· The email body states “[name] has invited you to view the following document:” and includes a link to “Open in Docs”. The link opens to a legitimate Google login page.
· Once the recipients enter their credentials or select an account, a permissions box for a fraudulent application hosted at hxxps://googledocs[.]g-docs[.]win requests access to the user’s address book and email.
· Once the victim clicks “Allow” this provides the attacker access to their email account and address book but not their calendar. The attacker can then send phishing emails to other targets from the compromised account.
According to open source reporting, individuals and several private sector entities are receiving these emails as well, and this campaign is not specifically directed at SLTT governments. It is likely that the use of address books results in individuals in similar industries receiving emails from colleagues in their sector. For this reason, many of the phishing emails reported to the MS-ISAC appear to be sent from addresses belonging to state, local, tribal, and territorial (SLTT) government and educational entities. If you receive similar emails, do not click on any links and delete the email immediately.
Per a trusted third party, Google is aware of the campaign and has identified it as an OAuth exploit. Google has blocked the sender and users should receive the Google 404 error if they click on the link. Google is in the process of shutting down the sender's site.
RECOMMENDATIONS:
We recommend the following general best practices, to limit the effect of phishing emails and scams on your organization:
1. Remind users not to open suspicious emails or attachments, or follow suspicious links, as they may contain malware.
2. Implement filters at the email gateway to filter out emails with known phishing indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
3. Adhere to the principle of least privilege.
If a user granted permissions to their account, these permissions can be revoked at the “Connected Apps and Sites” page of Google’s Account Settings. The user’s password should also be reset.
If you experience similar targeting, please report the email to the MS-ISAC SOC at SOC at msisac.org.
The MS-ISAC is interested in your comments - an anonymous feedback survey is available at: https://www.surveymonkey.com/r/MSISACProductEvaluation.
24x7 Security Operations Center
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
SOC at cisecurity.org - 866.787.4722
TLP: WHITE
Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.
https://www.us-cert.gov/tlp/
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
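
Added example, not part of the MS-ISAC alert or the forwarding message: a triage pass over OAuth grants that flags the pattern the alert describes, an unvetted third-party app holding email and address-book access under a Google-like name. The record fields, the allowlist entry and the sample grants are hypothetical and constructed for illustration; the scope URLs are real Google OAuth scopes.

```python
# Added example: triage OAuth grants for the consent-phishing pattern.
# Record layout, allowlist and sample data are constructed, not from the alert.

# Real Google OAuth scopes mapped to the access the alert says was requested.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "email",
    "https://www.googleapis.com/auth/contacts": "address book",
}
# Assumption: client IDs the organisation has already vetted (placeholder).
APPROVED_CLIENT_IDS = {"approved-client-id.example"}
# Brand words an outside app should not carry in its display name.
BRAND_WORDS = ("google", "gmail", "docs", "drive")


def triage_grant(grant):
    """Return the reasons a grant needs review; an empty list means no finding."""
    if grant["client_id"] in APPROVED_CLIENT_IDS:
        return []
    reasons = []
    hit = sorted(SENSITIVE_SCOPES[s] for s in grant["scopes"] if s in SENSITIVE_SCOPES)
    if hit:
        reasons.append("unapproved app holds access to: " + ", ".join(hit))
    host = grant["app_host"].lower().rstrip(".")
    first_party = host == "google.com" or host.endswith(".google.com")
    if any(w in grant["display_name"].lower() for w in BRAND_WORDS) and not first_party:
        reasons.append(f"brand-like name {grant['display_name']!r} hosted at {host}")
    return reasons


def flagged_users(grants):
    """Map each user with a suspicious grant to the reasons it was flagged."""
    found = {}
    for g in grants:
        reasons = triage_grant(g)
        if reasons:
            found.setdefault(g["user"], []).extend(reasons)
    return found


GRANTS = [  # constructed sample records
    {"user": "alice@example.edu", "client_id": "constructed-1", "display_name": "Google Docs",
     "app_host": "docs.lookalike.example",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.edu", "client_id": "approved-client-id.example",
     "display_name": "Campus Mail Archiver", "app_host": "archive.example.edu",
     "scopes": ["https://mail.google.com/"]},
    {"user": "carol@example.edu", "client_id": "constructed-3", "display_name": "Poll Widget",
     "app_host": "polls.example", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
```

Users returned by `flagged_users` are the ones whose grants should be revoked and passwords reset, as the alert recommends.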