If you just received an unexpected email in which someone you know is sharing a Google Doc with you, do not open it.
There is currently a rather massive phishing attack making its way through the internet. It’s pretty sophisticated, and very easy to fall for. To summarize a reddit post by JakeSteam, it basically works like this:
- As seen in the image above, you receive a simple email saying a Google Doc has been shared with you, likely from someone in your contact list.
- When you click on the button, you are taken to a real Google account selection screen (or at least you are if you are signed in to multiple accounts).
- Select the account you want to use, and what appears to be “Google Docs” asks for several permissions to access your account. This is not the real Google Docs; the real one doesn’t need to ask for any permissions. But if you didn’t know this, it looks authentic enough other than all the permissions it requires.
- It then self-replicates by sending itself to all your own contacts.
The attack bypasses two-factor authentication and login alerts. Because you gave the imposter Google Docs full access to your email, it’s possible the attacker could extract any information stored in your messages. It could also be used to access your passwords for other services by sending password reset emails. Be sure to read the Reddit post for more.
If you’ve been affected, revoke access to the fake “Google Docs.” Make sure to send a follow-up email to your contacts if you see spam emails in your Sent folder. Also be sure to let whoever sent you the email know that their account has been compromised.
As of publishing, it seems the link has been disabled by Google, but not before it had spread to hundreds or thousands of users. We’ve contacted the company for more information on the attack and will update this post when we hear back.
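As an added illustration that is not part of the original article, here is a small Python check that applies the rule above to a list of apps connected to an account: a third-party app whose display name imitates a Google product and that holds mail or contacts permissions is exactly what the fake “Google Docs” looked like. The app records are constructed for the example; in practice they would come from the account’s connected-apps review.

```python
"""Flag connected third-party apps that impersonate Google products.

The real Google Docs never asks for OAuth permissions, so a
third-party app named like a Google product that holds mail or
contacts scopes deserves review and, most likely, revocation.
"""
from dataclasses import dataclass

# Scopes that let an app read mail or harvest contacts, the two
# capabilities the fake "Google Docs" needed. Example list only.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Product names a phishing app is likely to borrow (assumed list).
IMPERSONATED_NAMES = ("google docs", "google drive", "google", "gmail")


@dataclass
class ConnectedApp:
    name: str          # display name shown on the consent screen
    scopes: set        # OAuth scopes the user granted
    first_party: bool  # True only for Google's own products


def looks_like_google(name: str) -> bool:
    """True if the name is, or begins with, an impersonated product name."""
    n = name.strip().lower()
    return any(n == p or n.startswith(p + " ") for p in IMPERSONATED_NAMES)


def flag_suspicious(apps):
    """Return names of third-party apps that mimic a Google product
    and hold at least one sensitive scope."""
    return [
        app.name for app in apps
        if not app.first_party
        and looks_like_google(app.name)
        and app.scopes & SENSITIVE_SCOPES
    ]


# Constructed sample of what a connected-apps review might show.
SAMPLE_APPS = [
    ConnectedApp("Google Docs", {"https://mail.google.com/",
                 "https://www.googleapis.com/auth/contacts.readonly"}, False),
    ConnectedApp("Google Drive", set(), True),
    ConnectedApp("Todo Tracker",
                 {"https://www.googleapis.com/auth/gmail.readonly"}, False),
]

if __name__ == "__main__":
    for name in flag_suspicious(SAMPLE_APPS):
        print("review and revoke:", name)
```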
Update: Google confirmed on Reddit that it has blocked the phishing attack by disabling the fake app’s ID, but it’s not clear whether the company has implemented any long-term solutions against this kind of scam. So just be alert should a similar attack resurface, and as always, don’t open links you weren’t expecting to receive without being absolutely sure they are legit.
Update 2: Google has responded with an official statement (links are Google’s):
We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.
Update 3: A Google spokesperson shared the following statement with TNW, noting that 0.1 percent of Gmail users were affected. That’s roughly 1 million users, though:
We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 percent of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.