We are used to getting links in our email, and even with new cybersecurity threats appearing every day, we still fall victim to the social engineering tricks used by malicious actors. Emails containing links and attachments, especially when they come from someone we know, still pique our interest and override our sense of self-preservation. Imagine getting an email announcing that a friend of yours has shared a Google Doc with you, with a hyperlink to the document right at your fingertips.
What may happen next is a nasty phishing attempt that goes through the user’s own real Google sign-in screen, which asks them to “continue to Google Docs”. In fact, a malicious third-party app merely pretending to be Google Docs is asking to be granted access to the victim’s email and address book. It’s important to remember that the real Google Docs doesn’t need to ask for permissions. Once the malicious access has been granted, the email self-replicates by being sent to all of the victim’s contacts.
It is not the first time Google has been used in phishing scams.
Back in 2013 and 2014, a massive phishing wave exploited people’s trust in Google’s brand name by sending out emails prompting users to click on a hyperlink to access an “important” or “confidential” Google Docs file, with “Your Documents” or “Review the Documents” in the subject line.
Those who clicked on those links were taken to a fake Google sign-in page that collected login credentials, such as the account name and password. The compromised account was then used to send phishing emails to everyone in its contact list, or to gain access to the victim’s related Google accounts (Gmail, YouTube, etc.) and send fraudulent messages on the victim’s behalf.
How is this nasty phishing scam different from others?
This time around the main focus is not on how the scam spreads: no malware and no fake websites are involved in obtaining the users’ login credentials. Instead, the victim is tricked into granting access to a third-party application, working entirely within Google’s own system, by a non-Google web application with an ambiguous name. This is a new spin on phishing, and security companies are scrambling to keep it under control.
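The tell-tale sign of this scam is the combination described above: a consent prompt for a third-party app whose display name mimics a Google product, asking for mailbox and contact permissions that the real Google Docs never requests. The following Python snippet is an added illustration, not code from the original article, that scores an OAuth consent request on exactly those two signals; the authorization URL, client ID and app name it checks are constructed sample values, and the list of sensitive scopes is an assumption you would extend for your own environment.

```python
from urllib.parse import urlparse, parse_qs

# Google OAuth scopes that together let an app read the mailbox and harvest the
# address book, i.e. what the fake "Google Docs" app asked for. Assumed starting
# list; extend it for your environment.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full mailbox access",
    "https://www.googleapis.com/auth/gmail.readonly": "read mailbox",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
}

# Product names a legitimate third-party app has no reason to use as its own.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "gmail", "google"}


def assess_consent_request(auth_url, app_display_name):
    """Return (risk_level, reasons) for an OAuth consent request.

    auth_url: the accounts.google.com authorization URL the user was sent to
    app_display_name: the app name shown on the consent screen
    """
    parsed = urlparse(auth_url)
    params = parse_qs(parsed.query)
    reasons = []
    if parsed.hostname != "accounts.google.com":
        reasons.append("consent page is not hosted on accounts.google.com")
    # Google passes scopes as one space-separated 'scope' parameter.
    scopes = set(" ".join(params.get("scope", [])).split())
    sensitive = sorted(s for s in scopes if s in SENSITIVE_SCOPES)
    for scope in sensitive:
        reasons.append(f"requests {SENSITIVE_SCOPES[scope]} ({scope})")
    impersonates = app_display_name.strip().lower() in GOOGLE_PRODUCT_NAMES
    if impersonates:
        reasons.append(f"third-party app named '{app_display_name}' mimics a Google product")
    # A real Google product never shows up as a third-party consent prompt, so a
    # Google-looking name plus mailbox/contact scopes is the signature of this worm.
    if impersonates and sensitive:
        return "high", reasons
    if sensitive:
        return "medium", reasons
    return "low", reasons


# Constructed sample: a fake "Google Docs" app asking for mail and contacts.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
    "&client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback&state=abc"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

if __name__ == "__main__":
    level, why = assess_consent_request(SAMPLE_URL, "Google Docs")
    print(level, *why, sep="\n  ")
```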
Google has reportedly taken steps to neutralize this particular threat: “[Google] disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.” In reality, phishing methods constantly evolve, and attacks will keep getting even more sophisticated in the future.
What can you do about this particular cyberthreat?
Google has supposedly blocked the attack from spreading for now, but there is no report of a long-term solution against this kind of fraud.
- Be vigilant and don’t open or click on anything you did not expect to receive, even from those you know. Contact the sender and verify that the information they sent is legitimate before opening it.
- Protect your Google Account by reviewing your online security settings. https://myaccount.google.com/secureaccount
- If you have already granted access to a questionable app, you can revoke that access through Google’s “Connected Apps and Sites” page. In the case of this scam, the malicious app is listed there under the name “Google Docs.”
- Report phishing emails in Gmail to Google:
  - On a computer, open Gmail.
  - Open the message.
  - Next to Reply, click the Down arrow.
  - Click Report phishing.
- In addition to taking the steps above, it is important to report online scams. Law enforcement, consumer rights groups, and professional IT consultants like ourselves recommend filing an incident report with the FBI’s IC3 Internet Complaint Center to help the authorities investigate and battle these types of scams.