a Google Doc link in your inbox today, scrutinize it carefully before you click, even if it looks like it comes from someone you trust. A nasty phishing scam that impersonates a Google Docs request has swept the internet today, including a decent chunk of media companies. You've heard "think before you click" a million times, but it really could save you from a whole lot of hassle. Google has taken steps to neutralize this particular phish. The company said in a statement that it has "disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again." But when it comes to phishing defense there's always an element of cat and mouse. Large-scale phishing attacks, and those impersonating popular services like Google log-in pages, regularly stalk the internet. "The importance of this phish is not how it spread, but rather how it didn't use malware or fake websites tricking users to give up their passwords," says Aaron Higbee, chief technology officer at the phishing research and defense company PhishMe, which analyzed data from the fake Google Docs campaign. "This phish worked because it tricked the user into granting permissions to a third-party application. This is the future of phishing, and every security technology vendor is ill-equipped to deal with it." Similar Google Docs scams in particular have been circulating since at least 2014, but that doesn't make them any easier to spot, in part because they seem so authentic.
Phishers can use real Google accounts and develop third-party plugins that can interact with Google services, so they can lure victims in through the most perfect-looking Google web pages of all: genuine ones.
I recently had a client get an interesting phishing message. They had received a fake message from their CEO to their Controller, a "start the conversation" email meant to end up with a wire transfer. This sort of email is not common, but is frequent enough in senior management circles, especially if you are in the middle of merger or acquisition discussions with another company. Some technical warning signs in that note were: So the discussion quickly moved from "I'm glad our execs came to us, we really dodged a bullet there" to "just how did this get in the door past our spam filter anyway?" Their spam filter does use the SPF (Sender Policy Framework) DNS TXT record, and a quick check of the SPF indicated that things looked in order there. However, after a second look, the problem jumped right out. A properly formed SPF record will end with a "-", which essentially means "mail senders in this SPF record are valid for this domain, and no others". However, their SPF had a typo: their record ended in a "~" instead. What the tilde character means to this spam filter is "the mail senders in this SPF record are valid for this domain, but YOLO, so is any other mail sender". In the RFC (RFC 7208), the ~ means "softfail": "A "softfail" result is a weak statement by the publishing ADMD that the host is probably not authorized." More detail appears later in the RFC: "A "softfail" result ought to be treated as somewhere between "fail" and "neutral"/"none". The ADMD believes the host is not authorized but is not willing to make a strong policy statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal." This same reasoning applies to the ~all and -all directives in the SPF (which I see more often).
You'd think that a lot has changed since 2006 (the date of the original SPF spec, RFC 4408), and that in 2017 a spam filter should fail on that result, but apparently not (sad panda). Kinda makes you wonder what the actual use case is for that tilde character in the definition; I can't think of a good reason to list permitted mail senders, then allow any and every other server too. That being said, their filter *should* still have caught the mismatch between the "from" and "reply-to" fields, especially since it involved an external source and internal domains. Or at least paired that up with the domain mismatch to weight this email towards a spam decision. Long story short: this type of attack was pretty popular (and widely reported) about a year ago, but successful methods never (never ever) go away. A little bit of research can make for a really well-formed phish, right down to using the right people in the conversation, good grammar, and phrasing appropriate to the people involved. So a bit of homework can get an attacker a really nice payday, especially if their campaign targets a few hundred companies at a time (and they put more work into their email than the example above). So in this case, a typo in a DNS record could have cost millions of dollars. Good security training for the end users and vigilant people made all the difference: a phone call to confirm is a "must-do" step before doing something irrevocable like a wire transfer.
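To make the ~all versus -all point and the From/Reply-To mismatch concrete, here is a small offline SPF evaluator in Python. It is an added example, not code from the diary or its author; it handles only ip4/ip6 mechanisms plus the trailing all, and the records, IP addresses and domains are constructed from documentation ranges.

```python
import ipaddress
from email.utils import parseaddr

# SPF qualifier prefixes and the results they map to (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Evaluate an SPF TXT record against the connecting IP, fully offline.
    Only ip4/ip6 mechanisms and 'all' are handled (a/mx/include/exists need
    DNS and are skipped); enough to show how the qualifier on the trailing
    'all' decides the fate of every sender that is not listed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"          # no usable SPF record for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"        # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"           # RFC 7208: nothing matched and no 'all' present

def receiver_action(spf_result):
    """What a filter should do with the result, per the RFC text quoted above."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "scrutinize"    # SHOULD NOT reject on this alone, MAY scrutinize
    return "accept"

def reply_to_domain_mismatch(from_header, reply_to_header):
    """Second tell-tale from the story: From: is internal, Reply-To: is not."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(reply_to_header)[1].rpartition("@")[2].lower()
    return bool(reply_domain) and reply_domain != from_domain

# Constructed records: the intended policy and the one-character typo.
STRICT_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"
SLOPPY_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"
OUTSIDE_HOST = "198.51.100.7"   # constructed: a mail server the domain never listed

if __name__ == "__main__":
    for rec in (STRICT_RECORD, SLOPPY_RECORD):
        res = evaluate_spf(rec, OUTSIDE_HOST)
        print(f"{rec!r}: {res} -> {receiver_action(res)}")
```

The same unlisted host yields fail under -all and only softfail under ~all, which is exactly the gap the typo opened.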