Google Docs users hit with sophisticated phishing attack

If someone invites you to edit a file in Google Docs today, don’t open it — it may be spam from a phishing scheme that’s been spreading quickly this afternoon. As detailed on Reddit, the attack sends targets an emailed invitation from someone they may know, takes them to a real Google sign-in screen, then asks them to “continue to Google Docs.” But this grants permissions to a (malicious) third-party web app that’s simply been named “Google Docs,” which gives phishers access to your email and address book.

The key difference between this and a very simple email phishing scheme is that this doesn’t just take you to a bogus Google page and collect your password — something you could detect by checking the page URL. It works within Google’s system, but takes advantage of the fact that you can create a non-Google web app with a misleading name. Here’s what the permissions screen looks like, for example:

If you check the title for developer information, though, you’ll get something like this:

Here’s the whole process, from start to finish:

If you’ve clicked the link, your account may have already sent spam messages to the people in your address book. But you can revoke future access through Google’s “Connected Apps and Sites” page, where the app will appear as “Google Docs.”
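As an added illustration (not code from The Verge or Google), here is a small triage check over connected-app grants of the kind described above: it flags an entry whose display name matches a Google product but whose developer info is not a google.com publisher, and rates it higher when the grant covers mail or contacts. The scope URIs are Google’s real OAuth scope strings; the sample grants and publisher domains are constructed, and the Cyrillic-lookalike handling covers the homoglyph possibility rather than anything the article confirms.

```python
import re
import unicodedata
from dataclasses import dataclass

# One entry as a token audit or the "Connected Apps and Sites" page shows it.
@dataclass(frozen=True)
class ConnectedApp:
    name: str
    developer_domain: str   # publisher domain taken from the developer info
    scopes: frozenset

# Google's own services never appear as third-party grants, so a name match
# here from a non-Google publisher is a red flag on its own.
GOOGLE_PRODUCTS = {"google docs", "google drive", "gmail", "google calendar"}
# Scopes that give an app the mail and address-book reach the article describes.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}
# A few Cyrillic look-alikes so a name spelled with Cyrillic letters still matches.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "с": "c", "р": "p"})

def normalize_name(name: str) -> str:
    """Fold case, width and common homoglyphs; collapse runs of whitespace."""
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLES)
    return re.sub(r"\s+", " ", folded).strip().casefold()

def is_google_publisher(domain: str) -> bool:
    d = domain.casefold()
    return d == "google.com" or d.endswith(".google.com")

def assess(app: ConnectedApp) -> str:
    """'revoke' = Google look-alike with mail/contacts access; 'review' = one of the two."""
    impersonates = (normalize_name(app.name) in GOOGLE_PRODUCTS
                    and not is_google_publisher(app.developer_domain))
    sensitive = bool(app.scopes & SENSITIVE_SCOPES)
    if impersonates and sensitive:
        return "revoke"
    if impersonates or sensitive:
        return "review"
    return "ok"

# Constructed sample grants; publisher domains are placeholders, not the real ones.
SAMPLE_GRANTS = [
    ConnectedApp("Google Docs", "example-attacker.invalid", frozenset({
        "https://mail.google.com/"})),
    ConnectedApp("Gооgle  Docs", "example-attacker.invalid",  # Cyrillic o's
        frozenset({"https://www.googleapis.com/auth/drive.file"})),
]
```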

We’re still not sure exactly how widespread the attack is, but journalists from several outlets — including The Verge — have received spam emails.

In a statement issued this afternoon, Google says it’s taken measures to stop the spread of the attack and resolve the problem at its core:

“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” the company said in a statement. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

Update 4:00PM ET, 5/3: We’re seeing reports that Google has disabled the application, although we’re still not sure exactly how far it’s spread, or if the attack might continue through another application.

Update 4:25PM ET, 5/3: Google has also said it is “investigating” the issue, warning users not to click on links in the meantime.

Update 5:17PM ET, 5/3: Added official statement from Google confirming the issue has been resolved.

Comments

can we trust that connected apps and sites link on your page?

The URL is correct. But if you’re concerned about a man in the middle from where you are:

From a device you trust and in a Google app, profile in top right → my account → sign in and security → connected apps and sites in the sidebar → manage apps

I just got one of these a minute ago. The URL is a dead giveaway.

I work at a large tech company and have received 4 of these from other people at the company so far today.

Ah, another large tech company that’s forgotten to block Google docs.

I am ashamed to admit they got me with this as the link was going to a legitimate google authentication page.

We got it here today at your school. I was following a thread on Reddit about it. It’s bad. So many people just got their private and work email sent off for reading later. What blows my mind is how Google didn’t have some validity check in place for 3rd party apps named "Google". On the plus side Google did shut it down within an hour.

What blows my mind is how Google didn’t have some validity check in place for 3rd party apps named "Google".

That is a very good question.

I was thinking about that too — unless we find out this name is using some non-English characters that just so happen to look like "Google", I guess Google didn’t block using the name "Google" in your app name so people could make apps like "Sync with Google Docs" or something. Still, it seems like a trademark issue, too.

Safe computing:

Don’t click on email links you didn’t ask for.

Email your friend and ask him if he sent the link before you click on it.

Been telling people this for 20 years.

What if your friends email you several times a day and you are working on a project with him. You gonna ask him if he sent it every time you get an email from him?
Would he also have to reply back to you asking if you really sent said email?

That is where the first rule applies. If you’re working on a project and you get a link to a non-project page, you should question it. Always be skeptical on the internet… It will take you a long way.

It’s hard when your Differential Equations professor sends this phishing link the same day as your final. I have a pretty good track record and this one got me and most of my school.

and you are working on a project with him.

You just answered your own question. A phishing attack isn’t (yet) smart enough to add in a subject line based on personal history. So again, the rule applies:

If you get an ambiguously worded email from anyone trying to get you to click on something, don’t.

I got one of these this morning, knew right away that it had to be a phishing attempt and deleted it.

My elementary school got it, and quite a few teachers clicked on it. I didn’t click on it, as it looked fishy from the start, but I notified the tech department and they notified the rest of us. Still, people clicked it after being notified. Teachers are easy pickings!

Have you got any evidence that this attack was sophisticated (other than that guy on twitter)?

The increasing use of the word "sophisticated" to describe any cyber attack harms the entire industry:

Sophisticated to an unsuspecting public who thinks clicking on colorful icons on touchscreens is "computing", and to media outlets who like to use sensationalist buzzwords to attract more clicks.
