Weekly podcast: Google Docs, $100 million phishing campaign, Intel critical vulnerability

This week, we discuss a new Google Docs spam campaign, name the companies involved in a $100 million phishing scam, and discuss a seven-year old Intel vulnerability.

Hello and welcome to the IT Governance podcast for Friday, 5 May 2017. Here are this week’s stories.

You’ll probably have seen a Google Docs phishing scam getting a lot of media attention this week – in large part because many journalists fell victim to it. Despite some claims that it was sophisticated, the scam was actually pretty simple in execution: victims received an email from one of their contacts, inviting them to view a file on Google Docs. When they clicked the link, they were taken to a legitimate Google login page asking them to allow an app called ‘Google Docs’ to access their Google account. Doing so granted the app permission to read, send, delete and manage their Gmail, and manage their contacts.

The problem was it wasn’t Google Docs, but a rogue app with nothing to do with Google. And once victims had allowed it to access their accounts it spammed everyone in their contacts with the same email. According to Google, 0.1% of Gmail users were affected before the spam campaign was shut down. This amounts to 1 million compromised accounts, based on Google’s 2016 earnings call in which it announced that Gmail had 1 billion active users.

On Wednesday night, Google said, “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail. If you think you clicked on a fraudulent email, visit g.co/SecurityCheckup and remove apps you don’t recognize.”

I imagine Google will also be reconsidering the wisdom of letting third-party apps use the Google name.

Talking of Google and phishing, you may remember that in March I reported that a Lithuanian man – 48-year-old Evaldas Rimasauskas from Vilnius – had been arrested for orchestrating a phishing scam that duped two unnamed US-based Internet companies – one a multinational technology company and the other a social media company – out of $100 million. Those companies have now been named by Fortune magazine as Google and Facebook.

Rimasauskas registered a company in Latvia with the same name as an Asian computer hardware manufacturer, and opened various bank accounts in its name in Latvia and Cyprus. He then sent phishing emails, masquerading as legitimate emails from the hardware manufacturer, to employees at Google and Facebook to induce them to wire him a total of $100 million, which he then immediately transferred to accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.

A Google spokesperson said: “We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved.”

Facebook, meanwhile, commented: “Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation.”

Phishing is a big problem for every organisation. If you want to keep your organisation safe, you should consider carrying out phishing staff awareness training and a simulated phishing attack.

Intel has acknowledged a critical vulnerability (labelled CVE-2017-5689) that has been present in some of its chips for seven years. Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT) firmware versions 6 to 11.6 are all affected. Intel-based consumer PCs are not.

According to an Intel security advisory, the vulnerability “can allow an unprivileged attacker to gain control of the manageability features provided by these products.”

Maksim Malyutin of Embedi first discovered the vulnerability. In a news article about the issue, Embedi was at pains to point out that, although there’s been “a tremendous amount of baseless assumptions being floated around by some media outlets ever since the news was released”, the vulnerability was nevertheless “a serious threat” and that firmware updates would take “an extremely long time to test” before being deployed to users. Until they are released, admins are advised to consult Intel’s Mitigation Guide.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s May book of the month is EU General Data Protection Regulation – An Implementation and Compliance Guide, an in-depth guide to the changes your organisation needs to make to comply with the GDPR before its enforcement next May. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.