A widespread phishing campaign hit Google Docs users yesterday, exposing their Gmail accounts and contact lists to attackers. A phishing attack usually involves fraudulent emails, disguised as important messages, that trick unsuspecting users into typing their personal information, typically a password, into a fake page. That is not what happened with the Google Docs scam: no one was asked for a password, and the sign-in page the victims saw was real.
The attackers used a more sophisticated approach. They registered a third-party web app with Google and named it, cleverly, "Google Docs". They then sent Gmail users an email, apparently from a known contact, inviting them to edit a document on Google Docs. Those who clicked the phishing link were taken to a genuine Google sign-in screen and asked to "continue to Docs". This is what fooled users into granting access and permissions to the malicious "Google Docs" app: the sign-in was Google's own, and it was Google's own consent screen that handed the attackers' app its permissions. Below is a snapshot of the permission screen:
If you read that screen carefully, you will notice that Google's own apps do not normally ask users for permissions like these. If you received such an email yesterday and clicked through, revoke the app's access to your account (see below), change your passwords, and warn the people in your contact list: the attackers apparently send the same email on to the contacts of every user who granted access, which is how the campaign spread. Here are some reactions to the attack on Twitter:
The weakness the attackers exploited is that Google allowed a third-party web app to be registered under the name "Google Docs", and then let that app run through Google's own sign-in and consent system, so the impersonation was only visible if you checked who actually developed the app. Here is what happens when you click the app title on the permission screen to check its developer information:
@verge @backlon @reckless a spammer just used google OAuth API to compromise google accounts while passing the authentication through google pic.twitter.com/ugHnqZ2M6K — Darren McClung (@kcconejito) May 3, 2017
Users who suspect they have been hit can go to Google's Connected apps & sites page (https://myaccount.google.com/permissions), find the app named "Google Docs", and revoke the permissions granted to it. This is the step that matters: what the attackers obtained was an access token issued by Google to their app, not your password, so revoking the app is the direct fix.
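To make the mechanism described above concrete, the following Python script triages a link of the kind the campaign mailed out: a genuine accounts.google.com authorization URL whose client belongs to a third party and whose requested scopes cover the mailbox and contacts. This is an added illustration, not code from the article or from Google; the client IDs, redirect hosts and sample URLs are constructed for the example, and the "third-party redirect" heuristic is an assumption of the script, not a Google rule. The scope strings themselves are Google's real ones.

```python
"""Triage an OAuth authorization link of the kind the 'Google Docs' worm
mailed out: a real accounts.google.com consent URL whose client belongs to
a third party and whose scopes cover mail and contacts.

Added illustration, not code from the article or from Google.  The
client_id values, redirect hosts and sample URLs are constructed.
"""
from urllib.parse import urlparse, parse_qs

GOOGLE_AUTH_HOST = "accounts.google.com"
GOOGLE_AUTH_PATHS = {"/o/oauth2/auth", "/o/oauth2/v2/auth"}

# Real Google scope strings.  A grant of any of these lets the app read the
# mailbox, send mail as the user or enumerate contacts, which is exactly
# what the worm needed to harvest address books and mail itself onward.
HIGH_IMPACT_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete, manage)",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/gmail.readonly": "read mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}


def is_google_host(host):
    """True for google.com and its subdomains only (not google.com.evil.test)."""
    host = (host or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def triage_oauth_link(url):
    """Describe what clicking the link would grant, and to whom."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""
    report = {
        "google_consent_page": (parsed.scheme == "https"
                                and parsed.hostname == GOOGLE_AUTH_HOST
                                and parsed.path in GOOGLE_AUTH_PATHS),
        "client_id": params.get("client_id", ""),
        "redirect_host": redirect_host,
        "third_party_redirect": False,
        # access_type=offline asks for a refresh token, which outlives the
        # browser session and keeps working until the grant is revoked.
        "offline_access": params.get("access_type") == "offline",
        "risky_scopes": {},
        "verdict": "",
    }
    if not report["google_consent_page"]:
        # Not a consent flow at all.  It may still be a classic credential
        # phishing page, but that needs a different check.
        report["verdict"] = "not a Google OAuth consent link"
        return report

    scopes = params.get("scope", "").split()
    report["risky_scopes"] = {s: HIGH_IMPACT_SCOPES[s]
                              for s in scopes if s in HIGH_IMPACT_SCOPES}
    # The consent page is genuine; what matters is who receives the token.
    # Heuristic (our assumption): a non-Google redirect host means a third
    # party ends up holding the token.
    report["third_party_redirect"] = bool(redirect_host) and not is_google_host(redirect_host)

    if report["risky_scopes"] and report["third_party_redirect"]:
        report["verdict"] = "high: third-party app would get mail/contacts access"
    elif report["risky_scopes"]:
        report["verdict"] = "medium: mail/contacts scopes requested"
    else:
        report["verdict"] = "low: no mail or contacts scopes requested"
    return report


# Constructed sample links (not the campaign's real URLs or client IDs).
WORM_STYLE_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-abcdef.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs.example-docs.test%2Fcallback"
    "&response_type=code&access_type=offline&prompt=consent"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
ORDINARY_APP_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=111111111111-ghijkl.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fnotes.example.test%2Foauth"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file"
)
CREDENTIAL_PHISH_LINK = "https://accounts-google.example.test/signin"

if __name__ == "__main__":
    for name, link in [("worm-style", WORM_STYLE_LINK),
                       ("ordinary app", ORDINARY_APP_LINK),
                       ("credential phish", CREDENTIAL_PHISH_LINK)]:
        print(f"{name}: {triage_oauth_link(link)['verdict']}")
```

Note what the URL cannot tell you: the name shown on the consent screen ("Google Docs" in this case) comes from the app's registration with Google, not from the link, so a script like this never sees the impersonating name. What it does surface is the objective fact that the consent screen hides behind a friendly name: a party outside Google would end up holding a long-lived token for your mailbox and contacts.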
What does Google have to say about all this? The good news is that the company has since contained the attack. In a statement to The Verge, Google said, "We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail." The company also tweeted the following message:
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail. — Gmail (@gmail) May 3, 2017
We still have no figures for how many Gmail accounts were compromised in this campaign, although multiple reports describe the attack as "massive" and "large".