Google Beefs Up Protection against Phishing Scams
By Shirley Siluk / Enterprise Security Today
Published: July 19, 2017
Since a phishing scam perpetrated in May that may have targeted millions of Gmail and Google Docs users, Google has introduced a number of security changes aimed at preventing a repeat.

Announced yesterday, one of the latest updates will pop up an "unverified app" warning when user systems attempt to access new apps or Google Apps Scripts that haven't yet been reviewed by Google. The warning will give users the option to either cancel their actions or proceed by acknowledging they are familiar with the developers of the apps.

By allowing users to launch app actions anyway, the new warning system will also help developers test their applications before they've completed Google's verification process.

Google continues to make such security tweaks to prevent a repeat of this spring's Google Docs phishing scam. The scam sent users what appeared to be a legitimate message from one of their Gmail contacts, but then linked to an unverified third-party app rather than to Google Docs.

'Bolder Warnings'

"Over the past few months, we've required that some new Web applications go through a verification process prior to launch based upon a dynamic risk assessment," Identity team member Naveen Agarwal and G Suite developer advocate Wesley Chun wrote in a blog post yesterday. "Today, we're expanding upon that foundation, and introducing additional protections: bolder warnings to inform users about newly created web apps and Apps Scripts that are pending verification."

Agarwal and Chun added that Google plans to expand its apps verification process over the coming months, and to extend the pop-up warnings to existing apps as well.

The "unverified app" warning will also show up before an Apps Script that hasn't yet been reviewed by Google is allowed to launch. Developers use Google's Apps Script language to automate tasks that connect Google products to third-party services and apps. For example, those tasks can include the launching of OAuth, which is the Open Authorization standard that lets online users access third-party services without having to re-enter their account passwords.

May's Google Docs phishing scam presented users with a legitimate OAuth permissions page, but that page enabled access not to Google Docs but rather to a suspicious third-party app with the same name.

App Market Keeps Growing -- So Do Email Attacks

As of last month, some 54.3 percent of all emails were spam, according to a recent online security update from Symantec. And in its Q1 2017 Quarterly Threat Report, the security firm Proofpoint reported a rising use of malicious links rather than malicious attachments in targeted email attacks.

The app market, meanwhile, is also expanding rapidly. Last year, app downloads from Google Play for Android and from Apple's iOS App Store shot past 90 billion, according to the 2016 Retrospective from the application-focused analyst App Annie.

Google said it plans to expand efforts to protect users from phishing and other malicious attacks by rolling out verification requirements for existing apps over the coming months. Agarwal and Chun noted that developers could help prepare for that by ensuring that their contact information and OAuth consent screen configurations are up to date.

After May's phishing attack, Google also added OAuth apps whitelisting for enterprise users of its G Suite productivity tools. The new whitelisting lets system administrators specify which third-party apps are allowed to access their organizations' user data.
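
As an added illustration (not code from Google or from this article), the sketch below shows why an allowlist of this kind has to key on an app's OAuth client ID rather than its display name, since the May scam relied on an app that carried the same name as Google Docs. The record fields, client IDs and protected-name list are all hypothetical, constructed values.

```python
import unicodedata

# Assumption: client IDs an administrator has approved (constructed values).
ALLOWED_CLIENT_IDS = {"approved-docs-client.example"}

# Assumption: product names a lookalike app might borrow.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}


def normalize(name):
    """Fold case, compatibility characters and spacing so lookalike names compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def review_grants(grants):
    """Return (user, client_id, reason) for each grant that is not on the allowlist."""
    findings = []
    for grant in grants:
        # The decision is made on the client ID only: the display name is
        # chosen by whoever registered the app and proves nothing.
        if grant["client_id"] in ALLOWED_CLIENT_IDS:
            continue
        if normalize(grant["display_name"]) in PROTECTED_NAMES:
            reason = "unapproved app using a protected product name"
        else:
            reason = "unapproved app"
        findings.append((grant["user"], grant["client_id"], reason))
    return findings


# Constructed sample of token-grant records (hypothetical field names).
SAMPLE_GRANTS = [
    {"user": "alice", "client_id": "approved-docs-client.example",
     "display_name": "Google Docs"},
    {"user": "bob", "client_id": "unknown-client-1.example",
     "display_name": "Google Docs"},
    {"user": "carol", "client_id": "unknown-client-2.example",
     "display_name": "\uff27oogle  Docs"},  # full-width G, doubled space
    {"user": "dave", "client_id": "unknown-client-3.example",
     "display_name": "Team Calendar Sync"},
]

if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS):
        print(finding)
```

Alice's grant passes because its client ID is approved; Bob's and Carol's carry the same visible name and are flagged because their client IDs are not.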

Image credit: iStock.

Galit:
Posted: 2017-07-20 @ 12:00am PT
You can avoid falling victim to phishing scams if you install the ScamBlockPlus Chrome extension.

© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.