A sophisticated phishing scam, sent through Gmail and mimicking Google Docs, may have stolen information from thousands of Google accounts.
Google was quick to address the problem, but users who were tricked by the attack still need to take extra precautions to protect their accounts.
Google Docs Phishing Attack: How It Worked
The phishing attacks were initiated through emails that were sent to Gmail users. The emails disguised themselves as invitations to edit a Google Doc, with the message appearing to have come from people stored in your contacts list.
Once a user clicks the link in the email, they are sent to a genuine Google permissions page asking them to let an app named "Google Docs" access their email and contact lists. If the user grants permission, nothing happens.
Well, nothing happens on the user's side. The "Google Docs" app asking for permission is actually an app the attacker wrote and named. Once a user grants it permission, the attacker gains access to all of that user's email and contacts. The attacker can then send emails from the victim's address, and can even delete emails in the inbox.
Cooper Quintin, Electronic Frontier Foundation staff technologist, noted that the attacker would be able to do all those things without needing to acquire the login information of the victims. Quintin said that he received more than 400 emails from victims of the phishing scam over the hour after reports of it were published.
The permission request looks legitimate because it is served by Google itself: the page is Google's real consent screen at a real Google address, which is how it was able to trick users into granting an attacker access to their email. Traditional phishing attacks on Google's services take users to a fake Google page that tries to collect passwords; this attack instead works within the confines of the Google system and takes advantage of the fact that a non-Google app can be given any name its creator chooses, including the name of a Google product.
What To Do If You're A Victim
Google was able to shut down the phishing campaign by disabling the attacker's account within an hour. However, a significant number of users may have already been victimized within that short period of time.
No specific number has been determined on how many were victimized, but it will not be a surprise if the figure reaches well into the thousands.
Users who fell for the scam should check which apps have been granted access to their Google account on the account's permissions page (myaccount.google.com/permissions). If an app named Google Docs is listed there, click on it and revoke its access. Revoking is the step that matters: the attacker's access was granted as an app permission, not through the password, so it survives until it is removed.
As a precaution, affected users should also change their Google account password, though that is not a substitute for revoking the app. For additional security, victims should enable two-factor authentication (Google's 2-Step Verification) so that signing in requires both the password and the owner's mobile phone. Note that two-factor authentication would not have stopped this particular attack, since the victim signs in legitimately and then hands access to the app; it does protect against the more common password-stealing kind of phishing.
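The two checks below are an added example, not code from the article or from Google. The first parses a consent-page URL of the kind the phishing link leads to: the host is genuinely accounts.google.com, so the fields worth reading are the requested scopes and the redirect_uri. The second reviews the apps already authorised on an account and flags any whose display name borrows a Google product name but whose client ID is not on a trusted list and which holds mail or contacts scopes. The record shape (clientId, displayText, scopes) follows the Admin SDK Directory API tokens resource; that a Workspace admin would source the records from tokens().list() and remove a flagged one with tokens().delete() is an assumption. All URLs, client IDs and grants in the block are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Scopes that hand over mail and contacts, which is what the impostor app asked for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Product names an impostor app is likely to borrow (illustrative, not exhaustive).
GOOGLE_BRAND = re.compile(r"\b(google|gmail|g\s?suite|youtube)\b", re.IGNORECASE)


def risky_scopes(scopes):
    """Return the subset of scopes that grant mail or contacts access."""
    return sorted(s for s in scopes if s in HIGH_RISK_SCOPES)


def inspect_consent_url(url):
    """Break a consent-page URL into the fields a user or analyst should read.

    A genuine consent page lives on accounts.google.com; the attacker shows up
    only in client_id and in the redirect_uri host, because the app name on the
    page is chosen by whoever registered the client.
    """
    parsed = urlparse(url)
    q = parse_qs(parsed.query)  # decodes %xx and '+' for us
    scopes = q.get("scope", [""])[0].split()
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).hostname or ""
    return {
        "genuine_google_host": parsed.hostname == "accounts.google.com",
        "client_id": q.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "redirect_to_google": redirect_host == "google.com" or redirect_host.endswith(".google.com"),
        "risky_scopes": risky_scopes(scopes),
    }


def triage_grants(grants, trusted_client_ids):
    """Return (client_id, display_text, risky_scopes, verdict) for grants worth acting on."""
    findings = []
    for g in grants:
        if g["clientId"] in trusted_client_ids:
            continue  # vetted by the organisation; nothing to do
        risky = risky_scopes(g.get("scopes", []))
        if not risky:
            continue  # no mail or contacts access, out of scope for this attack
        if GOOGLE_BRAND.search(g.get("displayText", "")):
            verdict = "REVOKE: Google-branded name on an untrusted client with mail/contacts access"
        else:
            verdict = "REVIEW: untrusted client with mail/contacts access"
        findings.append((g["clientId"], g["displayText"], risky, verdict))
    return findings


# Constructed sample data (hypothetical client IDs and hosts).
SAMPLE_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/auth?client_id=123456789-abc.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs.example.net%2Fcb&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
SAMPLE_GRANTS = [
    {"clientId": "123456789-abc.apps.googleusercontent.com", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"clientId": "987654321-def.apps.googleusercontent.com", "displayText": "Calendar Sync Tool",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
    {"clientId": "555555555-ghi.apps.googleusercontent.com", "displayText": "Expense Reports",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]
TRUSTED_CLIENT_IDS = set()  # populate with the organisation's own vetted client IDs

if __name__ == "__main__":
    print(inspect_consent_url(SAMPLE_CONSENT_URL))
    for finding in triage_grants(SAMPLE_GRANTS, TRUSTED_CLIENT_IDS):
        print(finding)
```

The point of `genuine_google_host` is that it comes back True for the phishing URL: checking the address bar is not a defence here. What separates the impostor from a real integration is the third-party redirect host and the combination of a Google-branded name with mail and contacts scopes on a client ID nobody in the organisation has vetted.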
What's The Point Of The Phishing Scam?
Quintin said that the goal of the phishing scam remains unclear. However, British security expert Matt Tait said that the attack is very similar to a campaign launched by Russian hackers last year. That group, known as APT28, is one of the two Russian groups that allegedly hacked into the email servers of the Democratic National Committee during the 2016 U.S. presidential election campaign.