A large-scale phishing campaign impersonating Google Docs spread through news organizations and other companies yesterday. Gmail users reported floods of fraudulent emails posing as notifications from Google Docs. Each message appears to be an invitation to open a shared document and often claims to come from someone in the recipient's address book. Clicking the embedded link, however, leads to a genuine Google permission prompt for a third-party app that calls itself "Google Docs"; a recipient who grants it access hands the app their mailbox and contacts, and the app then sends the same invitation on to the recipient's contacts.
Journalists at CNN, BuzzFeed, Vice Media, The Washington Post and The Wall Street Journal were targeted, as were employees at a significant number of nonmedia companies, explained Gary Warner, chief threat scientist at PhishMe Inc.
While the goals of the scam are not yet clear, Google acted quickly to shut it down and says that no personal user data beyond contact information was exposed in the phishing attempt.
“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” said a Google spokeswoman, as reported by The Verge. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”
The Wall Street Journal reports that “the use of Google’s Web-app authentication system was unusual and appeared to catch off guard even many users who are wary of email scams. The attack was particularly noteworthy because the perpetrators were able to automatically flood victims’ contacts with malicious messages using a system that seems safer, causing the phishing attacks to spread with unusual rapidity, said Liam O’Murchu, director of security technology and response at antivirus vendor Symantec Inc.”
According to Recode, individuals who received the phishing emails have been sharing screenshots on Twitter showing that the messages were addressed to the following address:
Google Docs is reportedly still safe to use, since the service itself was not compromised; the attacker's app merely borrowed its name. If you receive an email that matches the description above, it is recommended that you delete it without clicking the link and, if you want to confirm whether the sender really shared something, contact them through a separate message rather than by replying. If you receive the email at work, you should contact your technical support team.
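The link in these emails points at Google's own sign-in and permission page, so the address bar offers no warning; what distinguishes the attack is what that page asks the user to approve. The following Python script is an added example, not code from the article, Google or Recode. It works on the link alone: it pulls the OAuth authorization request apart and reports which client is asking, which scopes it wants and which host would receive the resulting access, and flags a request that asks for mail or contacts on behalf of a non-Google host. The sample URLs, the client_id values and the redirect host are constructed for illustration, and the list of sensitive scopes is an assumption about what a self-mailing app would need rather than anything reported in the article.

```python
"""Triage a link from a suspected "Google Docs" invitation.

Added example, not code from the article, Google or Recode. The consent
page in this campaign is Google's own, so the hostname looks trustworthy;
the request itself gives the attack away: a third-party client_id, scopes
covering mail and contacts, and a redirect_uri on a host that is not
Google's. Sample URLs, client_id values and the redirect host below are
constructed; SENSITIVE_SCOPES is an assumption, not taken from the article.
"""
from urllib.parse import parse_qs, urlparse

GOOGLE_CONSENT_HOSTS = {"accounts.google.com"}

# Scopes that hand over mail and/or contacts wholesale (assumed, see above).
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.google.com/m8/feeds",
}


def _is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")


def triage_link(url):
    """Return a verdict dict for one URL.

    is_consent_request: the URL is an OAuth 2.0 authorization request
    client_id / scopes / redirect_host: what is asked for, and by whom
    findings: human-readable reasons for concern
    suspicious: True if any finding applies
    """
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    result = {
        "is_consent_request": False, "client_id": None, "scopes": [],
        "redirect_host": None, "findings": [], "suspicious": False,
    }
    # A plain document link (docs.google.com/...) carries no client_id or
    # scope; an OAuth 2.0 authorization request always carries both.
    if "client_id" not in q or "scope" not in q:
        return result

    result["is_consent_request"] = True
    result["client_id"] = q["client_id"]
    scopes = sorted(q["scope"].split())
    result["scopes"] = scopes
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname
    result["redirect_host"] = redirect_host
    findings = result["findings"]

    if u.scheme != "https" or u.hostname not in GOOGLE_CONSENT_HOSTS:
        # Not Google's consent page at all: a look-alike credential form.
        findings.append("consent page is not hosted on accounts.google.com")

    dangerous = [s for s in scopes if s in SENSITIVE_SCOPES]
    if dangerous:
        third_party = redirect_host and not _is_google_host(redirect_host)
        who = redirect_host if third_party else "an unknown party"
        findings.append("grants mail/contacts access to third party %s: %s"
                        % (who, ", ".join(dangerous)))

    result["suspicious"] = bool(findings)
    return result


# Constructed samples: a consent link of the kind the article describes,
# a legitimate document link, and a harmless sign-in-only consent request.
PHISH_LINK = (
    "https://accounts.google.com/o/oauth2/auth?"
    "client_id=123456789012-abcdefg.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs.g-cloud.example%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
REAL_DOC_LINK = "https://docs.google.com/document/d/1AbCdEf/edit"
SIGNIN_ONLY_LINK = (
    "https://accounts.google.com/o/oauth2/auth?"
    "client_id=987654321098-hijklmn.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=openid%20email"
)

if __name__ == "__main__":
    for link in (PHISH_LINK, REAL_DOC_LINK, SIGNIN_ONLY_LINK):
        v = triage_link(link)
        print(link.split("?")[0], "->", "SUSPICIOUS" if v["suspicious"] else "ok")
        for f in v["findings"]:
            print("   ", f)
```

Run with no arguments to see the three verdicts. Only the first link is flagged: it is a genuine Google consent URL, yet it asks for full mail and contacts access on behalf of docs.g-cloud.example, which is exactly the shape of request a recipient should refuse even though Google's own page is presenting it.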
“We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems,” wrote Google in a follow-up. “We were able to stop the campaign within approximately one hour.”
“While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”
For those who are more cautious, Recode recommends the following:
- Go to your Google account management page and open the list of third-party apps that have access to your account.
- If an app called Google Docs is listed, select it and revoke its access. Google's own Docs service never appears in that list as a third-party app, so any entry with that name belongs to the attacker, and revoking it is the step that actually cuts off the app's access to your mail and contacts.
- Then change your password, just to be safe.
- Enable two-factor authentication on your account as an extra precaution. Two-factor authentication requires a second proof at sign-in, such as a code from an authenticator app, a hardware security key or a text message to the phone number on file, so a password alone is not enough to get in. Note that it does not defend against this particular kind of attack, in which no password is stolen: the victim, already signed in legitimately, simply approves a third-party app's request for access.