Google Docs users hit by phishing attack

The attack was disguised as a Google Doc but was, in fact, a third-party app

4 May 2017

.polaris__post-meta--date { display: none; } .polaris__post-meta--date.no-script { display: block; padding-left: 45px } 4 May 2017

Gmail and YouTube icons on a smartphone screen

Google Docs users were hit yesterday by a phishing attack which lets an attacker obtain contact lists and access Gmail accounts to spread spam messages on a large scale.

Reddit user JakeSteam detailed the process and wrote that the attack was disguised as an email from a person on a user's contact list, which invited them to edit a file in Google Docs. But clicking on the link wouldn't take users to a Google Doc. Instead, it would give a third-party app access to the user's emails and potentially perform a password reset too.

It would then replicate itself by sending emails to the user's contacts. It's also particularly dangerous as it bypasses any 2-factor authentication the user has set up.

Clicking on "Open in Docs" takes users to a new page and prompts them to sign in to continue to "Google Docs". By clicking on its name in "to continue to Google Docs" users were able to detect that it wasn't a genuine Google Doc. It then asked for permission to read, send, delete and manage users' email as well as managing their contacts. You can see this in the gif below:

Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX
— zach latta (@zachlatta) May 3, 2017

Google responded to the scam within an hour of it launching and manage to stop it before it got out of hand.

"We realise people are concerned about their Google accounts, and we're now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users," a Google spokesperson told IT Pro.

They continued: "We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour.

"While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There's no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup."

Featured Resources

ZTNA vs on-premises VPN

How ZTNA wins the network security game

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1677770574/itpro/Whitepaper%20covers/ZTNA_vs_on-premises_VPN_thumb.png { display: none !important; }

Free Download

The global use of collaboration solutions in hybrid working environments

How companies manage security risks

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1678354062/itpro/Whitepaper%20covers/Global_use_Thumbnail.png { display: none !important; }

Free Download

How to build a cyber-resilient business ready to innovate and thrive

Outperform your peers in your successful business outcomes

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1677588893/itpro/Whitepaper%20covers/how_to_build_wp_thum.jpg { display: none !important; }

Free Download

Accelerating your IT transformation

How Cloudflare is innovating for CIOs to start 2023

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1676482953/itpro/Whitepaper%20covers/Accelerating_your_IT_Transformation.png { display: none !important; }

Watch now