Even the Tech Savvy Users Are Falling for This Sophisticated Google Docs Phishing Scam
An evil and sophisticated phishing worm managed to disguise itself as “Google Docs”, used the official app’s logo and sent emails to a bucket load of people from the email IDs of their friends and colleagues claiming to share a document. The process is straightforward but scary considering how easy it was for someone to dupe you into giving them access to all your emails and contacts.
Google Docs phishing scam made easy thanks to Google’s permission screen that hides developer info
After Microsoft Word, it’s time for Google Docs to contribute to phishing scams. The latest and highly sophisticated scam is tricking people with fake Google Docs invitation links sent from your friends and known contacts, making it difficult to detect any foul play.
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail.
— Gmail (@gmail) May 3, 2017
The phishing scam spread quickly yesterday with attackers sending the targets an emailed invitation from someone they know, taking them to a legitimate Google sign-in screen, and then asking them to “continue to Google Docs”. However, this isn’t the real Google Docs but a malicious version of it which gave permissions to a malicious third-party web app (disguised as Google Docs), giving attackers access to your contacts and emails.
How it works
When you click on the “Open in Docs” button in the email, it asked you to log into Google and then showed the familiar OAuth request screen asking for permissions.
The problem is since the app used the name and logo of Google Docs and then the email was sent from a known contact, it was nearly impossible to see if there was anything wrong with it. Unless you click on that tiny arrow to show the developer details, you won’t get to know this isn’t the official Google Docs app. Here’s a pretty good summary of how this attack works:
Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX
— Zach Latta (@zachlatta) May 3, 2017
When you authorize this fake Google Docs app, the first thing it does is to send the same email to everyone in your contact list. “I suspect that it was far more successful than whoever released it into the world hoped or expected, and was maybe undone by its own success,” Cooper Quintin, staff technologist at the Electronic Frontier Foundation said. “The domains went down pretty quickly. Google disabled the app, so it is no longer a threat.”
It is unclear who was behind this attack, however, Google has confirmed resolving the issue.
We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.
If you have clicked on any such invitation, Google advises you to visit Security Checkup page to revoke permissions given to any rogue apps. While it may be a good idea to check if you have given permissions to any other unwanted apps in the past, specifically revoke all permissions granted to the app called “Google Docs”.