We are used to getting links in our emails, and even with new cybersecurity threats appearing every day, we still fall victim to the social engineering tricks used by malicious actors. Emails containing links and attachments, especially ones that appear to come from someone we know, still pique our interest and override our sense of self-preservation. Imagine getting an email announcing that a friend of yours has shared a Google Doc with you, with a hyperlink to a document that is just a click away.
What may happen next is a nasty phishing attempt that runs through the user’s own real Google sign-in screen, asking them to “continue to Google Docs”: a malicious third-party app, merely pretending to be the real Google Docs, asks to be granted access to the victim’s email and address book. It’s important to remember that the real Google Docs platform doesn’t need any permissions to open an openly shared resource. Once that access has been granted, the email self-replicates by being sent to all of the victim’s contacts.
It is not the first time Google has been used in phishing scams.
Back in 2013 and 2014, a massive phishing wave exploited people’s trust in Google’s brand name by sending out emails prompting users to click on a hyperlink to access “important” or “confidential” Google Docs files, with “Your Documents” or “Review the Documents” in the subject line.
Those who clicked on those links were taken to a fake Google sign-in page that collected login credentials such as the account name and password. The compromised account was then used to send further phishing emails to everyone in its contact list, or to gain access to related Google services (Gmail, YouTube, etc.) and send fraudulent messages on the victim’s behalf.
How is this nasty phishing scam different from others?
This time around the difference is not in how the scam spreads but in how it gains access: there is no malware and no fake website involved in obtaining the user’s login credentials. Instead, the scam tricks the victim into granting access to a third-party application, working entirely within Google’s own sign-in and consent flow on behalf of a non-Google web application with a deliberately ambiguous name. This is a new spin on phishing, and security companies are scrambling to keep it under control.
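The consent screen the victim sees is a standard OAuth authorization request, so the warning signs are visible in the URL itself: which scopes are being requested and where the app wants Google to send the user afterwards. The following Python is an added example (not part of the original article and not Google’s code) that inspects such a URL from a defender’s point of view. The scope identifiers are Google’s public OAuth scopes; the choice of which ones count as high-risk, the Google host suffixes, and all sample URLs (including the `attacker-controlled.example` and `calendar-helper.example` hosts and the `EXAMPLE_CLIENT_ID` value) are assumptions constructed for the demonstration.

```python
from urllib.parse import urlparse, parse_qs

# Assumed selection of Google OAuth scopes that hand an app the user's mailbox
# and address book, i.e. the kind of access the scam described above asks for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Assumed list of host suffixes a genuine Google product would redirect back to.
GOOGLE_HOST_SUFFIXES = (".google.com", ".googleapis.com", ".googleusercontent.com")


def is_google_host(host):
    """True if host is google.com itself or a subdomain of a Google-owned suffix."""
    if not host:
        return False
    host = host.lower()
    return host == "google.com" or host.endswith(GOOGLE_HOST_SUFFIXES)


def assess_consent_request(url):
    """Inspect an OAuth authorization URL and say why it deserves a second look.

    Returns the requested scopes, the high-risk subset, whether the redirect
    leaves Google's domains, and a verdict of "ok", "review" or "suspicious".
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query)          # decodes %XX and '+' for us
    scopes = set(" ".join(params.get("scope", [])).split())
    redirect_uri = params.get("redirect_uri", [""])[0]
    redirect_host = urlparse(redirect_uri).hostname if redirect_uri else None

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    third_party = bool(redirect_uri) and not is_google_host(redirect_host)

    # Mail + contacts access flowing to a non-Google app is exactly the shape of
    # this lure; either signal on its own is still worth a closer look.
    if risky and third_party:
        verdict = "suspicious"
    elif risky or third_party:
        verdict = "review"
    else:
        verdict = "ok"

    return {
        "is_consent_screen": parsed.hostname == "accounts.google.com",
        "scopes": sorted(scopes),
        "risky_scopes": risky,
        "redirect_host": redirect_host,
        "third_party_redirect": third_party,
        "verdict": verdict,
    }


# Constructed sample links. A real shared document needs no consent screen at
# all; the second URL asks for the mailbox and address book on behalf of a
# non-Google host; the third is a plausible third-party app with a narrow scope.
SHARED_DOC_URL = "https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit?usp=sharing"
SCAM_LIKE_URL = (
    "https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fattacker-controlled.example%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
CALENDAR_APP_URL = (
    "https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fcalendar-helper.example%2Foauth"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
)

if __name__ == "__main__":
    for name, url in [("shared doc", SHARED_DOC_URL),
                      ("scam-like consent", SCAM_LIKE_URL),
                      ("calendar app consent", CALENDAR_APP_URL)]:
        result = assess_consent_request(url)
        print(f"{name:22s} verdict={result['verdict']:10s} "
              f"risky={result['risky_scopes']} redirect={result['redirect_host']}")
```

The check is deliberately simple: it does not try to decide whether an app is malicious, only whether the combination of broad mailbox and contacts scopes with a redirect to a non-Google host matches the pattern the article describes. A user-facing browser extension or a mail gateway rewriting links could run the same logic before the consent screen is ever shown.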
Google reportedly has taken steps to neutralize this particular threat and informed the public via Twitter:
“We… disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.” [Google Docs (@googledocs) May 3, 2017]
“We encourage users to report phishing emails in Gmail.” [Google Docs (@googledocs) May 3, 2017]
In reality, phishing methods constantly evolve, and attacks will keep getting more sophisticated in the future.
What can you do about this particular Google Docs scam cyberthreat?
Google reportedly now blocks this particular attack from spreading, but there is no word yet on long-term protections against this kind of fraud. Remember to follow these guidelines:
- Be vigilant and don’t open or click on anything you did not expect to receive, even from people you know. Contact the sender and verify that what they sent is legitimate before opening it.
- Protect your Google Account by periodically reviewing your online security settings.
- If you have already granted access to an app that you now question, you can always revoke that access through Google’s “Connected Apps and Sites” page. In this scam the malicious app appears in that list under the name “Google Docs.”
- Report phishing emails in Gmail to Google:
  - On a computer, open your Gmail mailbox.
  - Open the email message you wish to report.
  - Next to the Reply button, click the Down arrow.
  - Click the Report phishing option.
- In addition to taking the steps above, it is important to report online scams. Law enforcement, consumer rights groups, and professional IT consultants like ourselves recommend filing a cyber incident report with the FBI’s Internet Crime Complaint Center (IC3) to help authorities investigate and combat these types of scams and similar fraudulent activities.