Security Alert
Jonathan Crowe
May 2017

Alert: Massive Google Docs Phishing Outbreak — What You Need to Know

Key Details

  • What happened: On Wednesday afternoon, a massive wave of phishing emails gained access to victims' Google accounts and contacts lists.
  • Who was affected: A huge swath of Google users, ranging from journalists to universities to state and local governments. Because the phishing email was forwarded to each victim's contacts, it spread like wildfire.
  • What to do: If you suspect your Google account may have been compromised, go to https://myaccount.google.com/u/0/permissions to check which apps have authorized access. If you see a "Google Docs" app authorized today, remove it, as well as any other apps you don't recognize.

A sweeping campaign of phishing emails masquerading as shared Google Doc invites has compromised large numbers of Google users, accessing their contacts lists to spread the attack further.

On Wednesday afternoon, the Internet lit up with reports of phishing emails disguised as invites to open a shared document in Google Docs.

In many cases, the email appeared to be sent from someone the recipient actually knew — another victim of the attack who had their account compromised.

Aside from the odd inclusion of an additional recipient, "hhhhhhhhhhhhhhhh@mailnator.com", nothing in the email seemed suspicious:

[Image: the Google Docs phishing email. Source: SANS]

Once clicked, the "Open in Docs" link redirected victims to the OAuth 2.0 service on accounts.google.com, where a consent screen stated that "Google Docs" wants full access to read, send, delete, and manage email, as well as to manage the victim's contacts.

Unfortunately, the "Google Docs" app in this case wasn't the real Google Docs. Due to a lapse in security, an attacker was able to use the "Google Docs" name to make the attack look extremely convincing.

Once access was granted, the victims' accounts were compromised and their contacts lists were used to replicate and spread the attack.

Google responds quickly to block the scam

As word of the attack spread on places like Twitter and Reddit, Google reacted quickly by blocking the app and disabling the fake accounts.

In addition, Gmail began adding alerts to the phishing emails, notifying recipients that the message "contains content that's typically used to steal personal information".

[Image: Gmail alert shown on the phishing email]

With an unspecified number of Google accounts compromised, however, the fallout from this attack could be far from over. Companies should brace themselves and their employees for additional waves of phishing emails from compromised accounts.

That means making them aware of this threat, showing them how to spot other tell-tale signs of phishing, and having runtime malware defense in place to block any malware that subsequent emails drop and employees mistakenly execute.

What to do if you think your account was compromised

If you suspect your Google account may have been compromised, go to https://myaccount.google.com/u/0/permissions to check which apps have authorized access.

If you see a "Google Docs" app authorized today, remove it, as well as any other apps you don't recognize.

Google also suggests you conduct a security checkup to confirm there haven't been any suspicious changes or activity by visiting https://myaccount.google.com/secureaccount.
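For administrators who want to run the same permissions check across many accounts, the sketch below flags app grants that borrow a Google product name or hold the mail and contacts access described above. It is an added example, not code from the original post: the record fields (userKey, clientId, displayText, scopes) are assumed to follow an exported list of OAuth grants, and the users, client IDs, protected-name list and trusted-ID allowlist are constructed placeholders.

```python
import unicodedata

# Scopes matching what the fake app asked for: full Gmail and contacts access.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                  # read, send, delete, manage mail
    "https://www.googleapis.com/auth/contacts",  # manage contacts
}
# Product names an unvetted third-party app should not carry (assumed list).
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Client IDs your organization has vetted (placeholder, not a real ID).
TRUSTED_CLIENT_IDS = {"VETTED-CLIENT-ID-PLACEHOLDER"}

def normalize(name):
    """Fold case, width and spacing variants so near-identical names compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def review_grant(grant):
    """Return the reasons a grant deserves review (empty list means none)."""
    if grant["clientId"] in TRUSTED_CLIENT_IDS:
        return []
    reasons = []
    if normalize(grant["displayText"]) in PROTECTED_NAMES:
        reasons.append("unvetted app uses a Google product name")
    risky = sorted(HIGH_RISK_SCOPES & set(grant["scopes"]))
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    return reasons

def audit(grants):
    """Map (user, clientId) to review reasons for every flagged grant."""
    flagged = {}
    for g in grants:
        reasons = review_grant(g)
        if reasons:
            flagged[(g["userKey"], g["clientId"])] = reasons
    return flagged

# Constructed sample grants; every value here is made up for the example.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "constructed-client-1",
     "displayText": "GOOGLE  Docs", "scopes": [
         "https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "clientId": "constructed-client-2",
     "displayText": "Calendar Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.com", "clientId": "VETTED-CLIENT-ID-PLACEHOLDER",
     "displayText": "Mail Archiver", "scopes": ["https://mail.google.com/"]},
]
print(audit(SAMPLE_GRANTS))
```

A flagged grant is a prompt for review and revocation, not proof of compromise; legitimate mail clients also hold the full Gmail scope.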

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.