Recently we have seen heavy phishing and spam attacks. Spam is considered annoying and is mostly harmless, while phishing may be more of a potential threat since the offender is trying to gain access to user account information (phishing for information). There are a few similar attacks we are seeing amongst our customers, the most common being an email message with a link to a Google Doc. This link prompts users to enter their username and password in a new tab, which gives offenders access to their accounts. Most users fall into this trap because they’ve had to log into another Google service in the past in a new tab due to a browser timeout or a security trigger in the browser, whatever the case may be. The phishing message wants you to do the exact same familiar action, and since the behavior is not foreign to your end users, I can hardly blame them for falling victim.
Do the emails below look familiar?
subject: eFax Corporate
subject: Important Document
If so, then you are not alone and should be interested in this post. We will review the prevention of spam and phishing attacks, as well as corrective action. But wait, why is spam even possible?
Why is Spam possible?
The details of the answer are very complex, having to do with SMTP protocol and the rules allowed for sending email over the internet, specifically RFC protocols 2821 and 2822.
Feel free to take a look at the links above if you would like to dig deeper. To explain simply, the rules to send email allow me to send a message from your address. Pretty wild, huh? Now let’s get to the prevention and corrective action portion so we can keep it safe out there.
Prevention and Corrective Action is our focus in this blog post about spam and phishing attacks in Gmail. It is important to know what corrective action to take when you think an account has been compromised, both as a Gmail user and as the Google Apps Administrator. Before any incidents occur, however, Administrators should take advantage of the security features available in Google Apps. These measures will keep your domain secure and information protected.
PREVENTION:
2-Factor Authentication
We recommend enabling 2-factor authentication (2FA). 2-factor authentication is enforcing an extra layer of security for your users’ accounts. Upon sign in, 2FA will require users to enter their username, password and a unique code that is sent to them via text, voice call or the Google Authenticator app that rests on your mobile device. The latter is very convenient and the most commonly used method of verification, as the app does not require internet connectivity nor does it draw much power from the battery.
Our 2-Step Verification for Google Apps post is one of the most popular we’ve published. It does a great job of bringing Administrators up to speed on 2FA. 2FA Enrollment Reporting is a nice tool to complement the security feature, allowing Administrators to monitor adoption.
DNS Records (SPF – DKIM – DMARC)
Each DNS record plays an important role in a health DNS file. Included below are brief descriptions of the records and guidelines for implementation.
Understand SPF Records – SPF records essentially identifies all IP’s your domain is allowed to send from. All other IP’s are considered suspect (by the recipient’s server and/or spam filters). Administrators need to identify all IP’s sending on behalf of their domain. Included in this list is obviously Google, but also devices like IIS servers, SMTP relays, fax to email devices, web servers and even marketing email servers like Constant Contact. Again, any IP sending on behalf of your domain should be included.
Authenticating with DKIM – Digital signature (encrypted) is added to the header of your users’ sent messages. These signatures are decrypted by the recipient servers after authentication.
Understand DMARC – DMARC standard allows you to decide how Gmail treats unauthenticated emails coming from your domain. This is done by publishing a policy governing how DMARC email providers should handle unauthenticated messages sent from their domain.
Administrative Alerts (Dito Blog)
Your team could also take advantage of the Administrative Alerts, one of which is “Suspicious Login Activity.” (screenshot). This alert will give your team notice whenever the activity takes place, in this case, “Suspicious Login Activity.”
Gmail Security Checklist
As an additional preventative measure, you’ll want to empower your users by providing them with the Gmail Security Checklist.
CORRECTIVE ACTION:
Scenario 1: You are the Google Apps Admin for your organization, and one of your users forgot to sign out of his account after accessing Gmail on a public computer.
Changing the password on the account is first and foremost. Make sure the password is very strong (password strength indicator should be Green). You will then want to sign the user out of all sessions by resetting the sign-in cookies. This option is located in the user’s profile in the Google Admin console.
Users also have the option to log out of all sessions by using the “Last login activity” option described later in this post.
Administrators can review any messages that were sent from the users account by utilizing Google Apps Log Search, located in Reports. These logs are roughly 30 minutes delayed.
Scenario 2: You fell victim to a phishing scam, and someone hijacked your Gmail password.
First, change your password and contact your Administrator by any means possible.
Next, log out of all other sessions by selecting the “Details” link in the lower right-hand corner of your Gmail inbox. (Last Login Information)
The “Last Account Activity” window will display recent and concurrent activity on your Gmail account, so you can find out if anyone besides yourself has signed in to your account. The recent activity feature includes the following details:
-
Access Type (e.g. browser, mobile, POP3)
-
Location (i.e. the IP Address that accessed your account)
-
Date and Time
Click on the “Sign out all other sessions” button.
Once you have signed out of all sessions, you can feel free to proceed with activities as normal but be sure to have contacted your administrator as we highlighted above in step 1.
Hopefully we’ve provided you with helpful information on why Spam and Phishing are possible and highlighted the basics of prevention and corrective action for Google Apps. We are interested in hearing your feedback, whether it is just letting us know if you’ve experienced these types of attacks, have any questions, or want to add additional information to the conversation. Feel free to add your comments or questions below.