Google is rolling out a new anti-phishing feature in Gmail on Android that stops users immediately proceeding to a page if they click a suspicious link.
The new feature is designed to make it easier for Android users to protect themselves from scammers and criminals who use email to pick up logins, identity details and financial information.
Starting this week, if you click on a suspicious link in Gmail on Android, the app will present a red warning stating that “the site you are trying to visit has been identified as a forgery, intended to trick you into disclosing financial, personal or sensitive information”.
It doesn’t prevent access to the page but displays the destination URL and cautions that you can proceed at your own risk. It also contains a link to report an incorrect warning.
“While not all affected email will necessarily be dangerous, we encourage you to be extra careful about clicking on links in messages that you’re not sure about. And with this update, you’ll have another tool to make these kinds of decisions,” Google notes.
In response to yesterday’s Docs phishing attack, Google has posted a warning on its Gmail Help page encouraging affected users to complete its Security Checkup. The relevant section to check is account permissions.
As noted by the SANS Internet Storm Center, the phishing attack abused OAuth, a framework that Google, Microsoft, Twitter, Facebook and others use to connect third-party apps with their services.
Gmail users can, for example, authorize Microsoft Outlook to read, send, delete, and manage Gmail messages. The Outlook app is then issued a token, providing it with ongoing access for these actions until revoked by the user.
It’s a useful process for connecting different accounts, but users can be tricked into granting access to a malicious app, as happened yesterday. Having an access token is a powerful tool since it operates separately to the login process and hence can’t be prevented by two-factor authentication.
The attacker in this case sent phishing emails with a bogus Open in Docs icon that leads users to Google’s real OAuth service where the attacker’s app, which was fraudulently named Google Docs, requested permission to “read, send, delete and manage” victims’ Gmail messages.
The attacker then used the access token to send the same phishing email to the victim’s contacts.
Trend Micro’s Mark Nunnikhoven said the attack was “extremely clever” because it’s difficult to filter email with a legitimate Google URL.
“The URL can’t be blocked because it’s a legitimate domain, owned and controlled by Google. Defending against this attack relies entirely on the user,” he noted.
However, Google has blocked the bogus Google Docs application.
Trend Micro found the same technique recently being used by the advanced hacking group Fancy Bear, also known as Pawn Storm or APT28, which has been blamed for the Democratic National Convention hacks and several other high-profile breaches.