Secure Your Online Banking in 5 Steps

So, you’ve opened a new bank account, credit card, or investment account. Almost every financial institution under the sun now offers online banking, and each has its own enrollment process. No matter the specifics, make sure to do these 5 things when signing up and getting your new account ready.

  1. Choose a secure password and a unique username. Many online banking platforms mandate strong passwords, but they can’t detect if you have reused the password elsewhere. Never reuse a password. This opens you up to credential stuffing attacks. Come up with a complex password, with upper and lowercase, special characters, and save it in your password manager.
  2. Enable two-factor verification. Your options will vary here, but almost every service supports text message, phone, or OATH-TOTP based two-factor verification. This provides an extra layer of security that can stop an attacker from utilizing a compromised password. Prefer app-based methods (Google Authenticator, Authy, etc) over telephony-based as intercepting SMS or calls is a real risk and surprisingly easy to do.
  3. Set up account alerts. Check your options for receiving alerts. Most accounts have these disabled by default, except for very important alerts, to avoid overwhelming consumers. Review your account’s alert options, and consider enabling text message alerting if supported.
  4. Turn on paperless statements and review them regularly. Signing up for eStatements is not only environmentally friendly, but it also reduces the amount of sensitive information you have lying around in hard-copy form. The convenience afforded will make it easier to regularly review and catch a fraudulent transaction in time, or dispute an error.
  5. Call Customer Service and request a pin or password be required to your account for support calls or tickets. Social engineering attacks are becoming more widespread. It’s surprisingly easy to impersonate you, using publicly available information, and persuade Customer Service to grant unauthorized access. This isn’t a surefire fix as it depends on Customer Service actually honoring and confirming the pin every time, but it can cut down the risk a lot.

Each of these steps incrementally improves your account security and together will greatly reduce the risk of compromise. Change your passwords regularly and use a password manager for everything.

What is googledocs.g-cloud.pro? May 2017 Google Apps Worm

Example of Google Docs/Gmail Phishing Email
screenshot courtesy of /u/JakeSteam

How do I revoke access to this worm?

There is an emerging Reddit thread about this issue that may contain more up-to-date information as the situation develops: https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/

Per Reddit user JakeSteam, take the following steps:

  1. Revoke access to “Google Docs” immediately. The real one doesn’t need access.
  2. Try and see if your account has sent any spam emails, and send a followup email linking to this post / with your own advice if so.
  3. Inform whoever sent you the email about the spam emails, and that their account is compromised.

What data has been compromised?

If you authorized the fake “Google Docs” application, an unknown attacker may have access to the following:

  • Ability to manage your contacts (read/write)
  • Ability to read, send, delete, and manage your email

In theory, this means it is possible everyone affected has had their entire inbox scraped for passwords or other credentials. While this cannot be ruled out since the application gained full access to Gmail, I personally believe this to be unlikely. This was a fast-moving worm and some Gmail users have many gigabytes of mail stored. To scrape all of this mail would greatly slow down the spread of this worm, since the malicious server would be spending time exfiltrating data, not propagating.

Just because it is unlikely all your mail has been stolen doesn’t mean it hasn’t been. I would encourage rekeying any systems with credentials stored in your mailbox.

What is https://googledocs.g-cloud.pro/g.php and how did I authorize it?

You may have received an email like the following – a near-perfect imitation of the real Google Docs sharing notification. If you clicked on “Open in Docs” and proceeded to authenticate, your Gmail account may be compromised.

This phishing email uses OAuth and a convincing bait email to get access to your emails and address book, then send more phishing on your behalf.

The initial phishing email was sent to the address “hhhhhhhhhhhhhhhh@mailinator.com” and would Bcc the target. It included a link like this:

hxxps://accounts.google.com/o/oauth2/auth?client_id=346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts&immediate=false&include_granted_scopes=true&response_type=token&redirect_uri=https%3A%2F%2Fgoogledocs.g-cloud.pro%2Fg.php&customparam=customparam

This authorizes 346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com (since pulled offline) to access the OAuth scopes https://mail.google.com and https://www.googleapis.com/auth/contacts. The victim is then redirected to https://googledocs.g-cloud.pro/g.php. This script uses the newly-gained access to send more phishing emails to all your contacts.

What’s going on at that @mailinator.com account?

Malicious Mailinator Inbox

As of 4:18PM EST it looks like Mailinator has intervened and disabled this inbox. While this is a bummer for researchers like myself, it is a relief they have taken the time to prevent further disclosure of emails affected by this phishing attack.

It is worth noting they’ve added the following disclosure to their site, likely in response to the attacker’s use of their service.

Please note: Mailinator is a RECIEVE-ONLY webmail site. It cannot send email (there isn’t even a place to do it on the site). If you received an email “from” @mailinator.com that reply-to was forged. The headers of the email will contain the actual sending system.

Additional domains the attack utilized

The following domains were also utilized in this attack:

googledocs[.]docscloud.download
googledocs[.]docscloud.info
googledocs[.]docscloud.win
googledocs[.]g-cloud.pro
googledocs[.]g-cloud.win
googledocs[.]g-docs.pro
googledocs[.]g-docs.win
googledocs[.]gdocs.download
googledocs[.]gdocs.pro
googledocs[.]gdocs.win

source: https://www.cyberscoop.com/gmail-phishing-attack-oauth/