Google Docs phishing scam spreads widely, reportedly shut down quickly

With companies across the U.S. hardening their cybersecurity defenses, scammers are attacking the most vulnerable points: employees.

That phenomenon was showcased May 3 in a widespread phishing attack that saw Google users hit with fake prompts to open a Google Docs document purportedly shared by someone they knew.

“The attack was simple, but sinister,” TechCrunch reported.

“Click the button to open the document, and you’d see a seemingly innocent page — one hosted by Google, no less!

“It wouldn’t ask you for a password, and it already listed all of your accounts. The page was asking you to give a ‘Google Docs’ app permission to read your email and contacts.”

But the app was the work of an imposter — although that wasn’t obvious.

“Even if you were generally dubious of these sorts of things, it checked a lot of the right boxes,” according to TechCrunch.

Here’s what the scam was after: “The process provides the user’s credentials to the attacker, allowing them access to email accounts, social networks like Facebook or other platforms,” USA Today reported.

That access can give attackers data for stealing identities, then plundering bank accounts or committing other financial crimes.

“It’s unclear exactly how the attack works at the moment, but it does appear to be highly sophisticated,” tech website Motherboard reported while the attack was underway.

A number of news media outlets reported their employees were targeted.

“The scope of the attack is not limited to news organizations, but appears to be spreading on a massive scale through people’s contacts,” according to The Atlantic online magazine.

Companies’ confidential information and assets can be vulnerable to phishing attacks, noted Dan Lohrmann, chief security officer at security-awareness training firm Security Mentor.

“The litany of major data breach stories that began with the use of phishing attacks is growing by the month,” Lohrmann said in a statement.

Google, through its Google Docs feed on Twitter, said just after 3 p.m. May 3 that it had “taken action,” removing “offending accounts” and “fake pages,” and was “working to prevent this type of spoofing from happening again.”

The company had tweeted around 1:30 p.m. that it was investigating the phishing scam.

In a statement issued around 7 p.m., Google said it had stopped the attack within about an hour, and that it had affected fewer than one in 1,000 Gmail users.

“While contact information was accessed and used by the campaign, our investigations show that no other data was exposed,” Google said. “There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”

This type of attack is on the rise, said Nathan Wenzler, chief security strategist at San Francisco security consultancy AsTech.

“As technical controls within many organizations have gotten stronger and automatically respond more quickly to detected threats, hackers are using attacks such as ransomware and honed spearphishing campaigns to go after the weakest link: people,” Wenzler said in a statement.

“This particular phishing attack is especially nefarious, since it leverages some legitimate functionality within Google’s infrastructure.”

Google drew blame, in varying degrees, from several directions.

“Google seems to be letting these through their normal spam filter and they are bypassing many protections, ending up in the primary mailboxes,” Lohrmann said while the attack was occurring.

Tech website The Verge charged that the “attackers took advantage of a weakness, that may or may not have existed for some time, in Google’s system that allowed developers to create a non-Google web app with the ‘Google Docs’ name.”
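The consent screen described above and the weakness The Verge points to come down to one reviewable signal: a third-party OAuth client carrying a first-party product name while holding mail and contacts access. The script below is an added example, not the article's or Google's code; it triages a list of granted apps (the kind of list Google's statement says users can review in Security Checkup) for that pattern. The Grant record, the google.com developer-contact marker for first-party clients and the sample grants are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Product names a legitimate third-party OAuth client has no reason to
# carry; an impostor borrows one so the consent screen looks familiar.
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

# Scopes granting the mail and contacts access the May 3 campaign sought.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

@dataclass(frozen=True)
class Grant:
    display_name: str     # name shown on the consent screen
    developer_email: str  # developer contact published for the client
    scopes: frozenset     # OAuth scopes the user approved

def normalize_name(name):
    """Collapse whitespace and zero-width characters used to pad a lookalike name."""
    return re.sub(r"[\s\u200b\u200c\u200d]+", " ", name).strip().lower()

def suspicion_reasons(grant):
    """Reasons this grant deserves review; an empty list means none found."""
    reasons = []
    # Assumption of this example: a google.com developer contact marks a
    # first-party client. A real tenant should keep its own allow-list.
    first_party = grant.developer_email.rpartition("@")[2].lower() == "google.com"
    if normalize_name(grant.display_name) in FIRST_PARTY_NAMES and not first_party:
        reasons.append("first-party product name on a third-party client")
        hits = grant.scopes & SENSITIVE_SCOPES
        if hits:
            reasons.append("with mail/contacts access: " + ", ".join(sorted(hits)))
    return reasons

def triage(grants):
    """Map developer_email -> reasons for every grant that should be reviewed."""
    return {g.developer_email: r for g in grants if (r := suspicion_reasons(g))}

# Constructed sample grants for demonstration; none are real clients.
SAMPLE_GRANTS = [
    Grant("Google\u200b Docs", "dev@example.org",
          frozenset({"https://www.googleapis.com/auth/gmail.readonly",
                     "https://www.googleapis.com/auth/contacts.readonly"})),
    Grant("Google Docs", "docs-team@google.com", frozenset({"https://www.googleapis.com/auth/drive"})),
    Grant("MailHelper", "support@mailhelper.example", frozenset({"https://mail.google.com/"})),
]
```

Only the padded "Google Docs" client from a non-Google developer is flagged; a genuine mail client with a mail scope but an honest name is not.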

Google did not immediately respond to a request to comment on how it stopped the attack and whether it was to blame for any security holes or lapses.

Cybersecurity firm Dashlane has provided an online guide to avoiding phishing scams.


Photo: A man walks past a building on the Google campus in Mountain View in 2015. (AP Photo/Jeff Chiu)





  • Hunter

    Well there's 1 billion active gmail users so 1 out of 1000 affected users is a million? Check my math…