A large-scale phishing campaign hit Google account holders on Wednesday (3 May). The first wave reportedly targeted journalists, businesses and universities before spreading to other users. Victims received an email that appeared to come from a friend or contact, inviting them to open a shared Google Doc. The link did not lead to a document: it opened a Google account-permissions page for a third-party app that had been named "Google Docs", built to take over the victim's account.
The permission prompt looked like a routine request to access shared documents. In reality the app, which was not Google's, asked for access to the victim's Gmail inbox and contacts list. Motherboard reported that once a user granted permission, the app used that access to send the same email to the victim's contacts. This self-propagating behaviour meant the campaign spread like wildfire within a very short time.
Reports indicated that the attack, first reported in a Reddit thread, was highly sophisticated: the fake "Google Docs" app closely replicated an authentic one, and because the permissions page itself was a genuine Google page, nothing in the address bar gave the scam away. Ars Technica reported that the only way to tell was to click the down arrow next to the "Google Docs" name on the permissions page, which revealed that the developer was not Google but an individual using the email address "firstname.lastname@example.org."
Motherboard also reported that Google Drive was down at the time of the attacks, although it is unclear whether the outage was related to the attack in any way.
"We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts," Google said in a statement. "We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again."
How to stay safe?
If you have already clicked the malicious link, the damage can be undone. Go to the permissions page for your Google account (https://myaccount.google.com/permissions) and locate the app calling itself "Google Docs": the real Google Docs is a Google product and never appears there as a third-party app. The fake app should show a recent "Authorisation Time". Click on the app and then click "Remove". This revokes the access the app was granted, which is what matters here: the attack never captured the victim's password, so changing it alone does nothing, while the permission grant stays in force until it is removed.
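The two checks described above, who published the app and how recently it was authorised, turned into a script, as an added example that is not part of the original article: it runs them over a constructed list of OAuth grant records and flags the ones worth revoking. The record fields, the two-day "recent" window and the example developer addresses are assumptions for illustration (not an export from any real Google API); the scope URIs are Google's real ones.

```python
"""Added example: flag OAuth consent grants that impersonate a Google product.

The grant records below are constructed for illustration; their field names
are an assumption, not the shape of any real Google export.
"""
from datetime import datetime, timedelta, timezone

# Scopes that hand an app the access the fake "Google Docs" app asked for:
# full Gmail plus contacts. These are real Google scope URIs.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Product names a phishing app might borrow, lower-cased for comparison.
GOOGLE_PRODUCT_NAMES = ("google docs", "google drive", "google sheets", "google", "gmail")


def impersonates_google(display_name: str, developer_email: str) -> bool:
    """True when the app is named like a Google product but not published by Google."""
    name = display_name.strip().lower()
    named_like_google = any(name == p or name.startswith(p + " ") for p in GOOGLE_PRODUCT_NAMES)
    domain = developer_email.rsplit("@", 1)[-1].lower()
    return named_like_google and domain != "google.com"


def has_sensitive_scopes(scopes) -> set:
    """Return the subset of the given scopes that grant mail or contacts access."""
    return SENSITIVE_SCOPES & set(scopes)


def suspicious_grants(grants, now, recent=timedelta(days=2)):
    """Return [(display_name, [reasons])] for grants worth revoking or reviewing.

    A grant is flagged when it impersonates a Google product, or when it was
    authorised within `recent` and carries mail/contacts scopes (the worm spread
    within hours, so a fresh broad grant is the first thing to look at).
    """
    flagged = []
    for g in grants:
        reasons = []
        if impersonates_google(g["display_name"], g["developer_email"]):
            reasons.append("named like a Google product but developer is " + g["developer_email"])
        sensitive = has_sensitive_scopes(g["scopes"])
        if sensitive and now - g["authorized_at"] <= recent:
            reasons.append("authorised %s ago with %s" % (now - g["authorized_at"], sorted(sensitive)))
        if reasons:
            flagged.append((g["display_name"], reasons))
    return flagged


# Constructed sample grants (not real data); developer addresses are placeholders.
NOW = datetime(2017, 5, 3, 20, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    {   # the phishing app: borrows the "Google Docs" name, asks for mail + contacts
        "display_name": "Google Docs",
        "developer_email": "attacker@example.org",
        "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"],
        "authorized_at": NOW - timedelta(hours=3),
    },
    {   # a mail client set up months ago: broad scope, but old and honestly named
        "display_name": "Example Mail Client",
        "developer_email": "support@example.com",
        "scopes": ["https://mail.google.com/"],
        "authorized_at": NOW - timedelta(days=120),
    },
    {   # a recent but narrow grant: calendar only, so not flagged
        "display_name": "Example Scheduler",
        "developer_email": "team@example.net",
        "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
        "authorized_at": NOW - timedelta(hours=1),
    },
]

if __name__ == "__main__":
    for name, reasons in suspicious_grants(SAMPLE_GRANTS, NOW):
        print("REVOKE/REVIEW: %s" % name)
        for reason in reasons:
            print("  - " + reason)
```

Run as-is it reports only the "Google Docs" grant, with both reasons. The name check alone would also catch an honestly named app that happens to be called "Google something", so the developer domain is what decides; the scope-plus-recency check is there for apps that pick a less obvious name.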
"The importance of this phish is not how it spread, but rather how it didn't use malware or fake websites tricking users to give up their passwords," Aaron Higbee, chief technology officer at the phishing research and defense company PhishMe, which analyzed data from the fake Google Docs campaign, told Wired. "This phish worked because it tricked the user into granting permissions to a third-party application. This is the future of phishing, and every security technology vendor is ill-equipped to deal with it."
Higbee's comments underline that users need to be aware of emerging cyberthreats and to follow safe practices when handling email, and in particular to know how to spot a fake message: in this campaign the decisive tell was not the link or the page, but who was asking for permission and what they were asking for.