Unshakeable Salt

A big Google Docs WORM and 2 factor authentication bypasses. Wow, what a 24-hour window to be working in Cyber Security!

The best bait for phishing – a Google WORM

The breaking news of the last 24 hours is that the first big WORM of the year has just hit Google Docs. An estimated 1M Google Mail users receiving an email inviting them to click on a link to view a very important document.  Of course, we always train people never to click on unexpected links. This iteration differs by seeming to have some level of intelligence behind it, arriving from people that you have in your address book.

The typical scenario then follows; a standard Google notice that you can’t proceed to the see the document until you grant permissions to ‘Google Docs’. It’s not really Google Docs, but Mr Bad Guy trying to gain access to your life.

Screen shot Google Docs Worm

An example screenshot of the plain text content of one of the phishing emails

It was 2 years ago when I wrote my last blog post about phishing. This attack highlights the same issues still remain with more and more people being affected. 1M people may sound a lot, but remember that is less than 0.1% of the Gmail user base.

Hopefully by the time you are reading this, Google will have amended their codebase and will be preventing people from calling their GoogleApps anything that contains the word ‘Google’.

Is 2 Factor Authentication (2FA) broken then?

Whilst people were reading about Google, they may have missed how Signalling System No 7 (SS7) channel attacks have hit mainstream ‘out in the wild’.

In the UK we use Common Channel Interoffice Signalling 7 (CCIS7). In laymen terms, it is a system that connects one mobile phone network to another. Using it a hacker can essentially have access to the same amount of information and snooping capabilities as security services.

Mr Bad Guy can transparently forward calls and has the ability to record or listen in to them. He can also read SMS messages sent between phones, and track the location of a phone using the same system that the phone networks use to help keep a constant service available and deliver phone calls, texts and data.

Remember all those rants I had about people using ‘2-Step’ authentication and calling it 2FA?  This is the reason why.

2FA is be something you know (a password) and something you have (a security token). The common misconception is that a phone is a security token, which it can be – but not if you are using a phone number as that token.  A phone number is not something you have, it is an address that you are potentially able to receive messages to.  SS7 breaks the securityby allowing for interception and redirection of the 2-step authentication. When the same phone number is also used to authorise a password reset – it really is game over. Mr Bad Guy has the ability to reset your password and doesn’t need the thing that you know.

2 Factor Authentication is not broken. There are too many poor authentication mechanisms implemented by companies that people trust to ‘do’ security for them.


Director of Unshakeable Salt, an Information security specialist who first started contracting in 1997.

Next Post