Nearly one million users were affected by the recent Google Docs Phishing scam.
Following the Google Docs Phishing Scam on March 3rd, Google has confirmed that it has taken action to prevent further attacks by disabling the fake accounts and removing the fake pages. Google has also confirmed that it stopped the Google Docs Phishing scam within one hour and that only 0.1% of Gmail users were affected. It is also rolling out a Gmail update to help prevent future scams.
The Phishing scam targeted Gmail users through a legitimate-looking email that appeared to be from a trusted source – with a subject line stating the contact had ‘shared a document on Google docs with you.’ The email contained an ‘Open in Docs’ link that appeared to be a genuine invitation from a contact to edit an innocent-looking Google Doc.
Upon clicking the link, users were taken to a Google web page and then asked to log in with their credentials. This request looked completely genuine, but users were unaware that by clicking on the ‘allow’ link they were giving the attackers access to their emails and contact information. To make matters worse, the malware contained within the email then sent itself out to all of the user’s email contacts.
A statement from Google reads:
“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”
A further Tweet from Google states:
Many sharp-eyed recipients took to social media after noticing the email had been sent to the following fake email address in the main recipient (To) field – firstname.lastname@example.org. The actual recipient’s email address was in the BCC field.
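The two tells described above (the share-invite wording plus the decoy address in the To field with the real recipient hidden in Bcc) can be turned into a gateway-side check. The following is an added example, not code from the original post or from Google: the sample messages, the signal names and the function names are constructed here, and the decoy address is the one printed above.

```python
from email import message_from_string
from email.utils import getaddresses

# Decoy address that filled the To: field, as printed in the post above.
KNOWN_DECOY_TO = "firstname.lastname@example.org"
SUBJECT_MARKER = "shared a document on google docs with you"
LINK_MARKER = "open in docs"


def share_invite_signals(raw_message: str, envelope_rcpt: str) -> list[str]:
    """Return the signals matching the fake Docs invite; empty list = none matched.

    envelope_rcpt is the SMTP RCPT TO address, which a mail gateway knows even
    when the message hides the real recipient in Bcc (constructed helper).
    """
    msg = message_from_string(raw_message)
    signals = []

    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    if KNOWN_DECOY_TO in visible:
        signals.append("decoy address in To/Cc")

    if SUBJECT_MARKER in (msg.get("Subject") or "").lower():
        signals.append("Docs share-invite subject")

    # The real recipient is not named in To/Cc, so it was delivered via Bcc.
    if envelope_rcpt.lower() not in visible:
        signals.append("real recipient hidden (Bcc)")

    # Collect text from every text part so multipart mail is covered too.
    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace").lower()
    if LINK_MARKER in text:
        signals.append("'Open in Docs' call to action")
    return signals


def is_suspicious(signals: list[str]) -> bool:
    """The decoy To: address alone is decisive; otherwise require all three remaining signals."""
    return "decoy address in To/Cc" in signals or len(signals) >= 3


# Constructed sample messages (not real captures).
PHISH = """\
From: A Contact <contact@example.com>
To: firstname.lastname@example.org
Subject: A Contact has shared a document on Google Docs with you
Content-Type: text/plain; charset=utf-8

A Contact has invited you to view the following document:
Open in Docs
"""
```

Feed each message to `share_invite_signals` with the envelope recipient from the SMTP session, then quarantine or tag it when `is_suspicious` returns True.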
What was the purpose of this attack?
According to Talos Intelligence: “The goal of this attack is likely two-fold. This instance acted as potential proof-of-concept for a convincing Google phish via OAuth. Second, and more concerning, this attack allowed the OAuth owner access to all of the email content and contact information for every compromised victim of the attack.
This means that the attacker potentially has access to all of the information within your account and the ability to read, send, delete and manage the email and contacts of the associated account. Additionally, since OAuth was used, the typical protections like changing passwords have no immediate impact on the adversaries’ access.”
You’ll find a much more technical breakdown of the attack on their website.
What action do you need to take?
Google confirmed that it has ‘disabled’ the malicious accounts and is pushing updates out to all of its users. Google has also advised that Gmail users don’t need to take any further action to protect their account.
Following a Gmail for Android app update, Google will now display a warning message if it suspects the site you are being directed to is a phishing website.
It’s important to be vigilant.
After an incident like this, it’s always wise to visit the Google Security Checkup page and review your account permissions. (If you notice any apps that you don’t recognise or that look suspicious, revoke their permissions.) You may also wish to consider changing your password!
We’ll improve and maintain your Business Network Security.
Our IT Department offers professional support and advisory services to organisations across London and the East of England that need assistance with their network security requirements. Our professional consultants will identify, recommend and source the best network security solutions for your business. We also provide fully managed services to organisations that wish to fully outsource their network security requirements.
Visit our Network Security Services overview page to find out more, or complete the form below to contact us with any questions you have.