The massive phishing attack disguising itself as a Google Docs sharing request is dominating headlines. We’re proud to say that our Sender Rank algorithm detected the attack before the blogs began to roll! Not only that, our unique perspective gives us insight into how successful the attack was. While most reports are looking at the email content itself, our focus is on network traffic, so let’s look there to see the staggering impact of the attack and what Sender Rank looked at to catch it.
Timeframe and Domains
Our data shows the attack was concentrated mainly between 2017-05-03 18:00:00 and 2017-05-03 19:00:00 and involved the following domains, which share the lexical tokens doc and cloud:
These domains had another common characteristic: a sharp increase in traffic volume. Further, the traffic arrived the way most spam does: early in the morning, blasted out in a short burst. Below is an example (g-docs[.]win) showing the domain dormant, with little or no query volume, before it was put to use:
The phishing email contains an ‘Open in Docs’ button which, when clicked, sends the user to Google’s OAuth consent page to authenticate and grant permissions on the victim’s account. In the email we looked at, the URL behind the button contained a redirect parameter; once the user clicked Allow or Deny on Google’s OAuth page, that parameter sent them on to an attacker-controlled website. As identified by our Sender Rank algorithm and confirmed in other articles, the domains listed above were used in this attack and were most likely the value of this redirect parameter.
The button and the redirect sequence are particularly noteworthy because, in our testing, the user has to click ‘Open in Docs’ and then click either ‘Allow’ or ‘Deny’ on Google’s OAuth page before one of these domains is contacted at all. There were also reports of other variants of the phish that simply linked straight to the attacker-controlled system. Regardless of how many steps it takes to reach the attacker-controlled site, the user always has to click something first, which makes the query volume particularly staggering. For instance, looking at just four of the ten domains, we see an average of roughly 15,000 queries each:
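To make the two link variants described above concrete, here is a small Python triage routine for the link behind an ‘Open in Docs’ button. It is an added example, not code from the original post or from Sender Rank: the three sample links are constructed (the client_id is a placeholder, and the redirect host reuses the post’s g-docs[.]win example only so the output reads naturally), and the scope watch-list is an assumption about which permissions matter most.

```python
"""Triage the link behind an 'Open in Docs' button.

Added example, not code from the original post. The three sample links are
constructed; the client_id is a placeholder and the redirect host reuses the
post's example domain only to make the output readable.
"""
from urllib.parse import parse_qs, urlparse

# Hosts that may legitimately appear as the consent page or the redirect target.
GOOGLE_SUFFIXES = ("google.com", "googleusercontent.com")

# Lexical tokens the post observed across the campaign domains.
LOOKALIKE_TOKENS = ("doc", "cloud")

# Scopes that hand over the mailbox or address book (assumed watch-list).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

# Constructed samples, not the campaign's actual URLs.
CONSENT_LINK = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fg-docs.win%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
DIRECT_LINK = "https://docscloud.example/open"  # the 'just a link' variant
LEGIT_SHARE_LINK = "https://docs.google.com/document/d/PLACEHOLDER/edit"


def host_in(host, suffixes):
    """Suffix match on whole labels, so evilgoogle.com does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_link(url):
    """Return what the link does and a list of reasons to distrust it."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    result = {
        "link_host": (parsed.hostname or "").lower(),
        "is_oauth_consent": False,
        "redirect_host": None,
        "flags": [],
    }
    # Second variant from the post: the button is a plain link to the attacker.
    if not host_in(result["link_host"], GOOGLE_SUFFIXES):
        result["flags"].append("direct link to non-Google host")
        return result
    # First variant: a genuine Google consent page, attacker as redirect target.
    if "client_id" in params and "redirect_uri" in params:
        result["is_oauth_consent"] = True
        redirect_host = (urlparse(params["redirect_uri"][0]).hostname or "").lower()
        result["redirect_host"] = redirect_host
        if not host_in(redirect_host, GOOGLE_SUFFIXES):
            result["flags"].append("redirect_uri leaves Google")
        if any(tok in redirect_host for tok in LOOKALIKE_TOKENS):
            result["flags"].append("redirect host uses doc/cloud lookalike naming")
        requested = set(params.get("scope", [""])[0].split())
        risky = sorted(requested & HIGH_RISK_SCOPES)
        if risky:
            result["flags"].append("requests high-risk scopes: " + " ".join(risky))
    return result


if __name__ == "__main__":
    for link in (CONSENT_LINK, DIRECT_LINK, LEGIT_SHARE_LINK):
        print(triage_link(link))
```

The check deliberately looks only at the link itself. A genuine document share points at docs.google.com and carries no client_id or redirect_uri, so it raises nothing; the consent variant is flagged because the consent page is real but the redirect target is not Google’s. What the script cannot tell you is whether that redirect_uri was registered with Google for that client_id, and that is exactly why the campaign worked: the page the user saw was Google’s own.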
Ten domains averaging 15,000 queries each might suggest that upwards of 150,000 of our users actually clicked ‘Open in Docs’. It is hard, though, to say how many users were affected from DNS data alone. A DNS query does not equate to a single person, compromise, or even system, nor does a query prove that the system which made it did so as a result of this attack. That said, even if the real number were one tenth of the query count (which, as we’ll show shortly, is the more likely case), it is still staggering that so many people let their guard down and clicked.
Like all our models, Sender Rank provides visibility into what makes these attacker domains unique. For example, the queries to the attacker-controlled domains were at the same rate as some of the most popular and trusted sites on the internet: apple.com, travelocity.com, and salesforce.com! The following section will break down some of the behavioral attributes that Sender Rank used to detect these attacker domains.
A unique perspective we have in attacks like this is the ability to identify the behavior patterns within the queries made to the domains in the campaign. One interesting question you might ask is, what other malicious domains were being queried during the same time frame as these? In the following charts, we highlight a few aggregated metrics that give insight into the domains used in this attack.
First, we can see that approximately 1,200 machines were querying the three domains at the peak of the attack. This gives us a little more clarity on the impact. The interesting thing here is that the machine count held steady for roughly two hours, then dropped sharply in the third hour (a 95% decrease on average).
As we alluded to previously, we can also characterize simultaneous queries over the attack time frame; in other words, we can identify whether these attacker domains caused additional queries outside the norm. In the chart below we report the median number of unique queries made in the same hour (we use the median rather than the mean because of outliers).
We observe that roughly 100 unique queries were made simultaneously during the attack. This makes an interesting comparison with the first chart, since here we do not see a decline in the third hour of the attack.
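To make the behavioural signals in this section concrete, here is an added Python example (not the post’s or Sender Rank’s code) that runs the checks described above over an hourly DNS series for one domain: dormancy followed by a burst, the hour-over-hour change in unique clients (the same percent-change metric used later for block lists), queries per client at the peak, and the median versus the mean of simultaneous queries. The series and the co-query counts are constructed to match the shape the post describes; the numbers are illustrative, not the post’s data.

```python
"""Behavioural checks on a campaign domain's hourly DNS series.

Added example, not the post's or Sender Rank's code. The series below is
constructed to resemble what the post describes for g-docs[.]win: dormant,
then a burst, with clients holding for about two hours before collapsing.
The numbers are illustrative, not the post's data.
"""
from statistics import mean, median

# Constructed: (hour, resolver queries, unique client IPs) for one domain.
HOURLY = [
    ("2017-05-03 12:00", 0, 0),
    ("2017-05-03 13:00", 2, 1),
    ("2017-05-03 14:00", 0, 0),
    ("2017-05-03 15:00", 1, 1),
    ("2017-05-03 16:00", 0, 0),
    ("2017-05-03 17:00", 3, 2),
    ("2017-05-03 18:00", 15800, 1210),
    ("2017-05-03 19:00", 14200, 1170),
    ("2017-05-03 20:00", 650, 55),
    ("2017-05-03 21:00", 90, 12),
]

# Constructed: distinct other domains queried in the attack hour by each of a
# handful of clients that hit the campaign domain; one is a scanner outlier.
COQUERIES_PER_CLIENT = [97, 102, 99, 104, 101, 98, 2410]


def pct_change(before, after):
    """Hour-over-hour percent change, the metric in the post's Table 1."""
    if before == 0:
        return float("inf") if after else 0.0
    return (after - before) / before * 100.0


def burst_after_dormancy(series, baseline_hours=6, min_ratio=100):
    """First hour whose query count is >= min_ratio times the median of the
    preceding baseline_hours (floored at 1 query so a silent domain counts)."""
    for i in range(baseline_hours, len(series)):
        window = [q for _, q, _ in series[i - baseline_hours:i]]
        baseline = max(median(window), 1)
        if series[i][1] >= min_ratio * baseline:
            return series[i][0]
    return None


def client_collapse(series, drop_pct=95, min_clients=100):
    """First hour in which unique clients fell by at least drop_pct versus the
    previous hour, as (hour, rounded percent change). Hours with fewer than
    min_clients are ignored so a 1-to-0 blip does not count as a collapse."""
    for prev, cur in zip(series, series[1:]):
        if prev[2] >= min_clients:
            change = pct_change(prev[2], cur[2])
            if change <= -drop_pct:
                return cur[0], round(change, 1)
    return None


def peak_queries_per_client(series):
    """Queries per unique client in the busiest hour: how far the raw query
    count overstates the number of machines involved."""
    hour, queries, clients = max(series, key=lambda row: row[1])
    return hour, round(queries / clients, 1)


def typical_coqueries(counts):
    """Median versus mean of simultaneous queries; the median ignores the outlier."""
    return median(counts), round(mean(counts), 1)


if __name__ == "__main__":
    print("burst starts:", burst_after_dormancy(HOURLY))
    print("client collapse:", client_collapse(HOURLY))
    print("peak queries/client:", peak_queries_per_client(HOURLY))
    print("co-queries median/mean:", typical_coqueries(COQUERIES_PER_CLIENT))
```

On the constructed series the burst is detected in the 18:00 hour, the client collapse lands in the third hour at roughly a 95% drop, and each client accounts for about 13 queries at the peak, which is the kind of ratio that justifies discounting raw query counts by an order of magnitude. The median of the co-query counts sits at about 100 while one scanner pushes the mean past 400, which is why the post reports the median.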
The Email Server Ripple
Email servers often consult internet-based block list services when evaluating messages for spam and malicious content. Much like Sender Rank, email block lists aggregate and collate the reactions of a horde of mail servers, giving them a perspective that lets them recognize large, broad campaigns.
In the following table, we show the percentage change in block list volume for the attacker-controlled domains.
| Domain | 2017-05-03 18:00:00 | 2017-05-03 19:00:00 |
|---|---|---|
TABLE 1: Percent change in block list volume from one hour to the next.
To provide additional context, here are a few other domains Sender Rank is tracking (not blocking) with the same popularity:
This attack used a common approach to target users’ accounts in a way few would suspect, and it had a staggering impact. We’ll continue to build systems like Sender Rank to detect the next attacks quickly, protect our customers, and keep you informed!