Fell Prey to Google Docs phishing scam? Do this
Yesterday was not a good day for Google. First the Google Drive outage that prevented many Google users from accessing data on the popular file hosting service, and then a new sophisticated phishing that targeted Google users.
Just to refresh your memory on that: Gmail users started to get emails in which they were notified that someone shared a document on Google Docs with them.
The email included just a single sentence that repeated the invitation, and a blue button to open the document in Docs.
Zach Latte posted a gif of the whole process on his Twitter account.
A click on the button loaded the Google Accounts website. Users who use multiple accounts on Google are asked to select one to grant permissions.
A click on the name of the developer, Google Docs, reveals right on that page that something is not right. Instead of setting an official Google email or address there, third-party developer information was listed on the page.
The next page highlights the requested permissions. In this case:
- Read, send, delete, and manage your email
- Manage your contacts
If you hit allow on the page, you give the attacker access to your Gmail email messages, and all of the contacts. The latter will likely result in even more phishing emails being sent out.
The former is highly problematic, especially if you have linked other accounts to the Gmail account email address.
A simple example: if you host a website with domain, and use the Gmail address for the account, the attacker could gain access to the account and transfer the domain to another account.
If the attacker uses filters on Gmail to hide emails from the hosting company, the transfer may not be detected until it is too late.
The main issue with the phishing attack is that the attacker impersonated Google Docs for the attack, something which should have been blocked by Google.
What if you granted the account permissions?
Google has blocked the account in the meantime, removed the fake pages, and pushed updates to Safe Browsing on top of all that.
Google users who gave permissions to the attacker should remove the Google Docs entry from the application permissions page on the Google website. This page highlights all apps that you have granted permissions to.
Google recommends that users run the company's Safety Checkup tool on top of this.
Now You: Would you have detected the phishing attack?
So, if I get this right :
> The fooled party did not even have to type his password to let the hack proceed ;
> Google, which is supposed to be one of the best performers in security, let this happen.
Scary… Also, clever psychological assessment by the hacker, who massively targeted journalists ; a population which probably tends, by trade, to happily click away on many incoming emails…
No, not spitefulness. But what just happened w/Google is one of the major drawbacks of being in the cloud and one of the reasons why I personally stay away from it. Yes, please save your comments about how it could happen without being in the cloud. But by just eliminating this damn stupid thing it saved me a lot of headache and that’s all that counts for me.
Agreed. When I read this article it was like I was reading about the problems of the inner circle. I pay for a private email service now because of the lack of privacy and the data mining shown when Yahoo decided to suddenly and conveniently make a friends list for me a few years back.
These kinds of scams shouldn’t work, yet there are always people dumb enough to fall into the trap. Why would someone click on a link from an unknown sender? And having clicked on that link, why would someone then choose to grant this unknown sender permissions? Like… what on earth is going through the user’s mind? To be honest, if you are making these kinds of mistakes, part of me thinks that you deserve what you get (but no, I don’t really believe that).
“Would you have detected the phishing attack?”
=========
Yes and I did. Received one of these emails. Was not expecting any document to be sent to me, so that was an immediate red flag. Looked closer and it was obviously a garbage email.
Same story here. The address line was a giveaway.