Yesterday was not a good day for Google. First came the Google Drive outage that prevented many Google users from accessing data on the popular file hosting service, and then a new, sophisticated phishing attack that targeted Google users.
Just to refresh your memory on that: Gmail users started to get emails in which they were notified that someone shared a document on Google Docs with them.
The email included just a single sentence that repeated the invitation, and a blue button to open the document in Docs.
Zach Latte posted a gif of the whole process on his Twitter account.
A click on the button loaded the Google Accounts website. Users who use multiple accounts on Google are asked to select one to grant permissions.
A click on the name of the developer, Google Docs, reveals right on that page that something is not right. Instead of an official Google email or address, third-party developer information was listed on the page.
The next page highlights the requested permissions. In this case:
- Read, send, delete, and manage your email
- Manage your contacts
If you hit allow on the page, you give the attacker access to your Gmail email messages and all of your contacts. The latter will likely result in even more phishing emails being sent out.
The former is highly problematic, especially if you have linked other accounts to the Gmail account email address.
A simple example: if you host a website with a domain, and use the Gmail address for the account, the attacker could gain access to the account and transfer the domain to another account.
If the attacker uses filters on Gmail to hide emails from the hosting company, the transfer may not be detected until it is too late.
The main issue with the phishing attack is that the attacker impersonated Google Docs for the attack, something which should have been blocked by Google.
What if you granted the account permissions?
Google has blocked the account in the meantime, removed the fake pages, and pushed updates to Safe Browsing on top of all that.
Google users who gave permissions to the attacker should remove the Google Docs entry from the application permissions page on the Google website. This page highlights all apps that you have granted permissions to.
Google recommends that users run the company's Safety Checkup tool on top of this.
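The review of granted apps described above can be expressed as a small check; this is an added example, not code from Google or from the original article. The record fields, the allow-list, and the mapping of scope URLs to the two consent lines are assumptions, and the sample grants are constructed.

```python
import unicodedata

# Assumption: scope URLs taken to match the two consent lines quoted in the article.
RISKY_SCOPES = {
    "https://mail.google.com/": "read, send, delete, and manage email",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
}
FIRST_PARTY_DOMAINS = {"google.com"}   # hypothetical allow-list of developer domains
BRAND_WORDS = ("google", "gmail")      # names a third party should not be using

# Constructed sample records (hypothetical field names, not a real Google export).
SAMPLE_GRANTS = [
    {"app_name": "Google Docs", "developer_email": "dev@example.net",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"app_name": "Calendar Helper", "developer_email": "team@example.org",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"app_name": "Mail Sorter", "developer_email": "ops@example.com",
     "scopes": ["https://mail.google.com/"]},
]


def normalize(name):
    """Fold case and Unicode compatibility forms (e.g. fullwidth letters)."""
    return unicodedata.normalize("NFKC", name).casefold().strip()


def review_grant(grant):
    """Return the findings for one granted app; an empty list means not flagged."""
    dev_domain = grant["developer_email"].rsplit("@", 1)[-1].lower()
    if dev_domain in FIRST_PARTY_DOMAINS:
        return []
    findings = []
    if any(word in normalize(grant["app_name"]) for word in BRAND_WORDS):
        findings.append(f"brand name used by third-party developer ({dev_domain})")
    risky = [RISKY_SCOPES[s] for s in grant["scopes"] if s in RISKY_SCOPES]
    if risky:
        findings.append("broad access: " + "; ".join(risky))
    return findings


def audit(grants):
    """Map app name -> findings for every grant that was flagged."""
    reviewed = ((g["app_name"], review_grant(g)) for g in grants)
    return {name: found for name, found in reviewed if found}


if __name__ == "__main__":
    for app, found in audit(SAMPLE_GRANTS).items():
        print(app, "->", found)
```

An entry that trips both checks, like the first sample record, matches the pattern in this attack: a Google product name on an app whose developer is not Google, combined with full mail and contacts access.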
Now You: Would you have detected the phishing attack?