At the beginning of May, a phishing scam flooded the web, disguised as a typical Google Docs request. Some of the emails even appeared to come from acquaintances. If victims clicked through and granted seemingly innocuous permissions, they exposed their entire Gmail account to whoever was behind the scam. It was an explosive scheme. And Google responded in kind.
“We convened what we call a war room,” says Mark Risher, Google’s director of counter-abuse technology. “Basically we pulled people together in a physical room here in Mountain View, California, and we also had experts from many other offices around the company that quickly came together. Each specialty gets called in.”
Unfortunately, that sort of crisis response is all too common for Google. Its massive user base and footprint on the web make its services and customers prominent targets for every imaginable phishing attack, not to mention all other manner of hacks and assaults. But phishing presents an especially tricky problem. Campaigns are hard to spot by design, and also evolve rapidly.
“The bad guys try hard, so we are motivated to try even harder,” says Sri Somanchi, a project manager in the Gmail anti-abuse team. “We keep going because we know that any little slip-up on our side is going to have a huge cost for users.”
That response can take many forms. And if they’re doing their job right, you barely even notice.
When the Google Docs phish spiked—affecting 0.1 percent of Gmail users, or about 1 million accounts—Google anti-abuse teams started by sharing information, and hammering out shifts across Google offices around the world to ensure 24-hour coverage.
“There’s a team that’s working specifically on Gmail inbounds, they’re trying to make sure that the email messages are not getting spread,” Risher says. “There’s another team that’s working on account abuse patterns, and they’re trying to look at who is using the credentials that have been accessed. There’s a third team that’s looking at the spread of this message.”
Within a few hours, Google had stopped the phishing attempt from spreading further. Within a day, Google rolled out expanded anti-phishing security warnings for Gmail on Android.
That joins a handful of other anti-phishing and threat-warning tools that Google has debuted over the last several years, like the Chrome extension Password Alert, which cautions you if it thinks you just entered your Google username and password into an imposter login page. On Wednesday, the company also announced new phishing protections targeted at business users, including warnings when enterprise users attempt to send data outside their company, and additional ransomware protections.