After phishing attack, Google changes its policies on OAuth use

To prevent further phishing attacks on Gmail users, Google says it will strengthen enforcement of the OAuth system it uses to connect third-party apps to Google accounts.

Google has explained in more detail how it plans to tackle abuse of its systems to spread phishing emails, following last week's phishing attack that used an application posing as Google Docs.

The fake Google Docs app used Google's OAuth technology to request access to the targets' Gmail accounts. If users granted access to the app, the same phishing email was sent to all of the victim's contacts.

It is worth mentioning that this news has been circulating for a week now under headlines that make the Greek online community, and especially novice users, think that Gmail spreads viruses and other "devilish" things "that damage computers"…

This is not the first time attackers have used Google's OAuth for phishing.

The so-called Fancy Bear hackers have used the same technique in the US and now in the French elections. As one expert points out, Google could have prevented these phishing attempts with a more detailed audit of developers signing up to use the OAuth mechanism.

Chet Wisniewski, lead researcher at security firm Sophos, says the fake Docs phishing attack "is no different than the abuse of the Google Play Store by malware developers." Only instead of uploading a malicious application to Google Play, the user receives an email from Google and authorizes an application through the company's OAuth.

Google already has several mechanisms to combat this type of phishing, such as its machine learning spam detection mechanism, the Safe Browsing system and virus scanning of attachments.

However, the company said it would update its policies on applications using OAuth.

Written by giorgos