Should F-S software stop access with Google Docs pishing

martink
martink Posts: 445 Rising Star

Say you get an email with the recent Google Docs pishing attempt.

Which of the F-Secure software should stop you getting there and what would be the message?

TP?

ULAV?

Freedome?

Comments

  • Ukko
    Ukko Posts: 3,739 Superuser

    Hello,

     

    Sorry for my reply.

     

    Just as my suggestion only; I also feel that it will be interesting to talk about this topic and get the official response from F-Secure Teams (or their view about such situations);

     

    Your words was my first experience about "recent Google Docs phishing attempt" - so I searched it with Google and if I normally understood -> this situation looks quite 'oldschool' and classic.

    Also such tricks (practically certainly with that view) was already some time how active and visible as "trouble".

     

    I just not really understand (based on some articles - but I not read it a lot) about certain "usage-design" - except that it was mail-letters with certain link/URL;

     

    So, with such design --> F-Secure's first line should be something as their blogs/research articles:

     

    -> as example, F-Secure Labs: https://labsblog.f-secure.com/

    -> or, F-Secure Safe & Savvy: https://safeandsavvy.f-secure.com/

     

    Not sure, if under this pages was some articles/words/meanings about this certain "recent" phishing attempts. 

    But it can be helpful for F-Secure users and can be kind of "layer": because.. mainly.. against such situations most helpful will be user's careful using services and knowledge about potential troubles.

     

    All other meanings there should be practically about "one design" between TP/ULAV/Freedome;

    And if there phishing letter (which bypass spam-filters) with certain known malicious/suspicious-rated URL --> it should be blocked as harmful/suspicious webpage. With TP it will be block-page; with ULAV blocking access with tray notification; with Freedome kind of blockpage; 

    But it should be with related rating by F-Secure Security Cloud. And I think that it possible, but not sure how often F-Secure able to use design.. when just certain resource/direct URL can be marked with specific rating, but not all domain (and also it should be anyway rated by somewhat steps);

     

    at least, with my opinion - F-Secure design about "phishing pages" : as about "malicious pages" (or potentially malicious / suspicious); So - if it harmful and it known - will be rated and should be blocked (blocking access to webpage as Browsing Protection module, which practically can be with one design between main F-Secure solutions).

     

    If it will be with exploiting-tries or downloading harmful files ---> if it will be possible --> DeepGuard maybe able to detect/determinate this exploit-actions and to trigger some notifications; or network traffic scanning will detect and trigger certain notification; If not (in somewhat reasons) and it was not detected as "potentially suspicious", but anyway "known" for F-Secure as malicious/harmful payload (file) - so it can be detected by real-time scanning or during  launch by DeepGuard.

     

    But if it only exploiting design of web-service (like there was ?! adding certain rights for certain trick application) most likely that F-Secure with missing certain layer (except noted meanings). Or it will be probably with breaking the privacy totally (if there missing partnership integration).

     

    Except point that TP/ULAV/Freedome with missing spam-control module, which most likely not helpful with such attack anyway (because did not cover the web-mail; and mainly it can be not marked as spam - if it not marked by google in somewhat reasons, as example) ---> I not sure if F-Secure software should prevent it by something else, than common protection (as against other threats also). 

    But it will be interesting - if it possible.

     

    What do you think about it? How F-Secure should protect there?

     

    Sorry for my long reply. Smiley SadSmiley SadSmiley Sad

     

    Thanks!

  • martink
    martink Posts: 445 Rising Star

    Thanks Ukko

    With recent I mean that it happened recently not considering whether or not it has happened before.

    Judging by the dates of these articles

    https://www.vox.com/new-money/2017/5/3/15534984/google-docs-phishing-hack

     https://nakedsecurity.sophos.com/2017/05/05/google-phish-thats-a-worm-what-happened-and-what-to-do/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

    it happened recently.

    As the articles explain

    - you would get an email from somebody you know (or even from who you are expecting an email)

    - the addressee (list) might look OK and

    - the message might look OK though either or both might look fishy if you look at them closely

    - there is a link to Google doc in the email

    - the link takes you to somethere else and there you are asked to give permissions to your contacts and email account

    If you get that far and do that is it, you fell for it.

     

    Glanced quickly through the pages to which you posted links. Did not catch anything about this.

     

    What I should imagine is

    The email should be stopped if you are in a system where there is emailserver protection. Web mail would get to to your inbox.

    In my case it was Gmail so google did not stop that, and Thunderbird. So I take F-S works more on browsers than email clients.

    What should happen if you try open the link ?

    TP, ULAV  and Safe browser if you are using that should block access and say it is harmful.

    If the articles where dated May 3, then the scam already had a reputation by then.

    If you, howver, go past that and get to the page which ask to give permissions I should expect banking

    protection to fire. Well, it is not, but still asking pur sensitive informantion and I've seen banking protection being trigger happy so many times that this kind of thing should be programmable for an alert:

    Alert: Do you realize what the page is asking. Keep you head straight do not give permissions to your personal data or your account.

  • Ukko
    Ukko Posts: 3,739 Superuser

    Hello,

     

    Thanks for your explanation. Yes, I probably normally understood words about "recent" and my words was just about meanings that F-Secure analysts generally was with enough time for thinking about potential protection layers (or improvements for such troubles) before this latest "big trouble-situation" happened;

     

    Also I not sure that Banking Protection designed to do something against such tricks (at least - with current view of this feature).

    And about potential alert - if there Google Service - I not sure if it possible (with valid design and not hooks/hacks) by F-Secure ... to detect when there "build-in web-service's features start to play". More good to expect that service will trigger more visible (critical points) for the user, when it required. And  under some of articles (which I read) was words that Google "prevent" (?! stop) attack after one hour (such as - did something).

     

    Mainly F-Secure able to detect when browser process (as tab/website) trying to launch executable file (or download) or some other suspicious actions with targeting user's system. But when there website and just "features" under website --> looks like that it can be with "protection" just if there total "break privacy" and full access to user's activities/data per each page (or kind of this; if we talk about service owner - where data should be handled by their terms). This is, of course, except meanings that spam-control protection (as you said) should prevent against spam/phishing letters; than browsing protection protect against malicious/fake-tricks/suspicious webpages;

    Maybe it possible to do by some of addon/extension meanings - but not sure that it can be proper step just for one of service (and not sure that there possible to think about all of potential tricks). and maybe required something more powerful.

     

    Anyway - sorry else one time for my reply.

     

    Will be good to read there official words from F-Secure team (and other opinions by community users) about your topic ask!


    Thanks.

     

  • martink
    martink Posts: 445 Rising Star

    Thank you Ukko.

     

    So what I should expect is that

    TP and ULAv should block the site once the pishing attempt has been recognized by F-S and added to the black list.

     

    Malware protection does not stop you from entering personal data or giving access to it.

  • martink
    martink Posts: 445 Rising Star

    So I should expect the blocking occur when I click the URL of the malicious web page,

    But I don*t see that in the TP events

    TP_events.JPG

  • Hi martink,

     

    Based on your screenshot, the events window shows the blocked URL's. If you do not see the blocked URL's in the events (if there is any other URL apart from the ones seen), it's possible that the phishing URL might need detection from us. In such scenario, please submit the URL to our SAS for analysis. If an URL is blocked by Browsing Protection (i.e. a block message is shown in the browser), it also appears in the events.

  • martink
    martink Posts: 445 Rising Star

    Thanks @Laksh
    Did submit the sample.

    It occured on May 3 and on that day there is nothing in the above list of events.

  • martink
    martink Posts: 445 Rising Star

    This is the response I got

     

    Greetings,

    Thank you for your submission.

    It seems that the submitted url is no longer active thus we are unable to verify the issue further. We will continue to monitor the situation for similar activities and will take necessary action to avoid such similar attacks in the future.

    If there is anything else we can help you with, please do not hesitate to contact us again.
    Best regards,
    ********
    Malware Analyst
    F-Secure Security Labs

     

    I also heard from another source that Google had fixed the problem so that the users did not do anything.

     

     

  • Appreciate your update, martink!

This discussion has been closed.
Feedback on New Design