A large-scale phishing attack has hit thousands of Google account holders overnight, arriving in the form of a seemingly harmless Google Docs share request.
The attack was uncovered on Reddit, and The Verge reports the malicious email pops up from a known contact in users’ Gmail accounts, appearing as a legitimate request to share the contents of a Google Doc.
Upon clicking on the “Open in Docs” link, users are redirected to a legitimate Google sign-in page, asking them to pick an account to sign in to “Google Docs”.
Upon clicking an account, users are asked to give “Google Docs” permission to access their Gmail account, including permission to read, send, and delete emails. This action also gives permission to view all contacts.
The “Google Docs” in question is, in fact, a malicious third party web app not produced by Google, masquerading as Google’s official Docs package. Google account holders have access to the Docs package by default and are not required to install it as a web app.
If users then approve the web app’s access, the app is given full access to their email account, which is then used to send the malicious phishing email on to all contacts associated with the account.
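The consent screen described above can be triaged mechanically. The following is an added example, not code from the article or from Google: a heuristic that flags a third-party app whose display name copies a Google product and whose requested scopes give it the mail-sending and contact-reading capabilities that let a single grant spread to every contact. The scope URIs are Google's published Gmail and People API scopes to the best of the author's knowledge; all inputs are constructed.

```python
# Added example (not code from the article or from Google): a defender-side
# heuristic for triaging a third-party OAuth consent request like the one
# described above. The scope URIs are Google's published Gmail/People API
# scopes to the best of the author's knowledge; inputs below are constructed.

# Scopes granting the capabilities the article describes.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and delete mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
}
SEND_SCOPES = {"https://mail.google.com/",
               "https://www.googleapis.com/auth/gmail.modify",
               "https://www.googleapis.com/auth/gmail.send"}
CONTACTS_SCOPE = "https://www.googleapis.com/auth/contacts.readonly"
# First-party product names a third-party app has no legitimate reason to use.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "gmail", "google sheets"}


def assess_consent_request(app_name, scopes):
    """Return human-readable findings for one consent screen.

    An empty list means this heuristic found nothing; it is a triage aid for
    an admin reviewing connected apps, not proof that the app is safe.
    """
    findings = []
    scopes = set(scopes)
    # Normalise spacing/case so "Google  Docs" still matches.
    name = " ".join(app_name.lower().split())
    if name in GOOGLE_PRODUCT_NAMES:
        findings.append(f"app name '{app_name}' impersonates a Google product")
    granted = [HIGH_RISK_SCOPES[s] for s in sorted(scopes & HIGH_RISK_SCOPES.keys())]
    if granted:
        findings.append("requests high-risk scopes: " + "; ".join(granted))
    # Sending mail plus reading contacts is what lets one grant spread itself.
    if scopes & SEND_SCOPES and CONTACTS_SCOPE in scopes:
        findings.append("scope combination enables worm-style spread to contacts")
    return findings


if __name__ == "__main__":
    # Constructed request mirroring the article's fake "Google Docs" app.
    for finding in assess_consent_request(
            "Google Docs", ["https://mail.google.com/", CONTACTS_SCOPE]):
        print("FLAG:", finding)
    # A narrowly scoped app should produce no findings.
    print(assess_consent_request("Meeting Scheduler",
                                 ["https://www.googleapis.com/auth/calendar.readonly"]))
```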
Third-party web apps a significant risk
Commonly known as a “worm attack”, this kind of campaign thrives off the “six degrees of separation” between users, Sense of Security cyber security expert Michael McKinnon tells SmartCompany.
“We’ve seen these attacks before, but the prevalence of this one makes it unique,” McKinnon says.
“You might receive it from a friend of a friend of a friend who received it from someone else, and eventually it comes back to you.”
Third-party web apps have always posed a risk, says McKinnon, including ones on social media platforms like Facebook and Twitter, which can post content to users’ feeds without consent. He warns that SME owners should approve third-party apps only when they need to.
“Connecting third-party apps and devices to your accounts is something you really only should do on a needs basis, but obviously in this situation, people have been tricked into doing that,” he says.
Common advice for securing accounts is to enable two-factor authentication (2FA), which requires users to confirm logins with codes sent to their mobiles or to separate email accounts. However, in this situation, 2FA “makes no difference”, warns McKinnon.
“In this situation, users were already safely logged in to their Google account and the app was just asking for permissions access. 2FA would have made no difference,” he says.
What to do if you’re affected
Google has been quick to respond to the threat, with The Verge reporting the company has disabled the malicious application and prevented the fraudulent emails from being sent.
“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” Google told SmartCompany in a statement.
“We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
Users who believe they have been affected by the phishing attack should check all messages sent by the affected email account, and revoke the app’s access through their Google Account’s Connected Apps dashboard.
Giving any app access to your personal email account is an “enormous risk”, warns McKinnon, as the account can be a primary target for fraudulent activity.
“Your email account is the centrepiece of your online identity. It allows you to recover access to forgotten passwords, and in some cases, emails have been used for financial fraud,” he says.
“If your email account was ever compromised and emails deleted, Google does provide a service where permanently deleted emails can be recovered after 30 days.”