TrendMicro has revealed a new method used by Russian hackers to trick individuals into giving hackers the access to their Google accounts. The Russian hacking group named Fancy Bear, also known as Pawn Storm, tricks users not by giving up passwords but rather by abusing the access tokens of OAuth, the token-based authorization and authentication standard used by Google, Facebook, Yahoo, and other websites. This new development in the world of cyber-crime is very worrisome, according to antivirus and security company TrendMicro, as it is able to circumvent Google's usually very secure 2-step verification. TrendMicro fears that even highly educated individuals can be tricked in the relatively advanced social engineering scheme developed by the Russian hackers.
TrendMicro has detailed on its blog how hackers can abuse OAuth to gain access to the accounts of unsuspecting individuals. The hackers first developed an application that it would use for phishing, which Fancy Bear named as "Google Defender", then had the rogue app approved by the OAuth after going through basic security checks. Afterward, the hackers will email its targets with a fraudulent email, stating that Google detected unauthorized sign-in attempts of the target's Google account and in turn urges the target to use their rogue app "Google Defender" to improve the account's security. Once the user authorizes the rogue app, the hackers will then have access to the email account of the target user. Fancy Bear also takes advantage of the fact that the authorization of the rogue application is done in a legitimate Google website, leading more users to think that the "Google Defender" is a legitimate application from the search giant.
In addition to Google accounts, Fancy Bear also targeted Yahoo email accounts of certain high-profile targets with rogue applications like McAfee Email Protection. Changing passwords are not enough to revoke the rogue application's access to the app, so the users are advised to check for the applications that have access to the account and manually revoke the access of any suspicious apps. Aside from the Google Defender and McAfee Email Protection, other apps Fancy Bear used in its hacking attempts, according to TrendMicro, are Google Email Protection, Google Scanner, and Delivery Service, with the latter specific to Yahoo e-mail accounts. While it may take some time for the targeted users to revoke the access of suspicious apps, Google has stated that it is already taking steps to reduce the impact of the rogue apps, with the search giant reviewing the rogue apps and taking them down if the apps are found to violate Google's User Data Policy. Google also reminded users to only download apps from the Google Play Store or the Apple App store and only use legitimate applications from the search giant.