Hey, Do You Know Someone Who Clicked?

Recently, a rash of what appeared to be phishing emails mimicking a request to share a Google Document descended upon our online communities. While the circumstances of this particular email attack remain uncertain, issues of cyber security remain of grave to concern to independent school technology leaders and are at the forefront of our work at ATLIS, most recently in a webinar offered by Jamie Britto and Denise Musselwhite.

As it occurred, an active discussion about the attack sprang up on the ECATD and ISED Listserves, Twitter, and regional discussion groups as members shared their experiences and perspectives, an exchange that serves to highlight the importance of our connections with ATLIS members who are dealing with problems like this in real time. The day after the attack, a New York Times article, “Email Attack Hits Google: What to Do If You Clicked,” offered recommendations for those who fell for the phishing attack and clicked. These included  revoking access (via https://myaccount.google.com/permissions) and changing passwords to one never before used on your account.

A week later, we are wondering, what are the lessons learned from this attack?

What Just Happened?

Many members felt it was important to warn the members of their communities immediately.

They reached out to let colleagues know what was happening and that even their private accounts were vulnerable. Our schools trust us, so even if we managed to skirt the attack, this was an opportunity to remind others about basic phishing precautions. Here is an example of a warning shared by ATLIS member Matt Scully of Providence Day School to members to his school community:

Dear Faculty and Staff,

In the last few minutes we have become aware of a phishing attack targeting Gmail and GApps users. The phony emails claim to be sharing a document with you and may come from someone you know.

At this time, we recommend that users avoid clicking on the links in the email to open new documents shared with them. If users believe that the email & document is real, we suggest that users open Google Drive to open new documents.

This is definitely a better safe than sorry type situation. Please let us know if you have any questions.

Later, Matt updated the community with this message from Google:

Dear G Suite Administrator,

On Wednesday, May 3, we identified, investigated, and resolved an email phishing campaign that affected some accounts in your domain. This issue was addressed within approximately one hour from when Google became aware of it. Please note that we have already taken action to protect all users, and no further action is necessary. To assist you in understanding what happened and better educating your users on email security, we are sharing details on how the campaign worked and how we addressed it. We are also providing a CSV file identifying the users on your domain who were affected.

What happened:

The affected users received an email that appeared to be from a contact offering to share a Google doc. Clicking the link in the attacker's email directed the user to the attacker's application, which falsely claimed to be Google Docs and asked for access to the user's account. If the user authorized the application, it accessed the user's contacts for the purpose of sending the same message to those contacts. This access only retrieved contacts and sent the message onward—customer data such as the contents of emails and documents were not exposed.

Upon detecting this issue, we immediately responded with a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. 

We have taken the following steps to protect your users:

  • Disabled the offending Google Accounts that generated the phishing link

  • Revoked any access that the affected users authorized to the attacker

  • Disabled the malicious projects and apps that sought access 

In addition, Google is taking multiple actions to combat this type of attack in the future such as updating our policies and enforcement on OAuth applications, updating our email filters to help prevent campaigns like this one, and augmenting the monitoring of suspiciously behaving third-party apps that request consent from our users.

As a general precautionary measure, you may choose to take the following actions regularly for your users:

We thank you for your continued business and support. If you have any questions, please let us know by contacting Google Support and referencing the issue number 37950384.


The G Suite Team

Becoming Proactive

We also want to remind our ATLIS community that one of our member benefits is a free phishing assessment from Compass Cyber Security. Bob Olsen of Compass Cyber Security recently wrote about this benefit as part of his reflections on our recent Annual Conference in Los Angeles, California. When one of our members adopted this exercise at his school, over 40% of the teachers clicked on the the phishing prompt. If you have not yet taken advantage of this member benefit of ATLIS, learn more here.

If you would like more information about how to implement Cyber Security at your school, you may want to sign up for our summer workshop led by Jamie Britto and Denise Musselwhite. It will be held in Chicago on July 13-14, and it will help you delve into some of the processes introduced by Jamie and Denise in their earlier webinar. Also, if you believe a similar regional workshop would be beneficial to you and other schools in your area, please let us know.

In Retrospect

A week has passed, and now seems a good time to reflect on the events of last week. How did this event affect your school? What did you do to within your communities -- or not? What were the factors that informed your decisions? What would you do differently? What advice can you give to other member schools?

We encourage you to share how this situation or other phishing scams have affected your school. If you have any tips, please pass them along. (For example, this one came from ECATD graduate Renee Hawkins of Garrison Forest School: Best Password Managers of 2017.)

This is how we learn best from one another. 

Share this post:

Comments on "Hey, Do You Know Someone Who Clicked?"

Comments 0-5 of 0

Please login to comment