Approximately one million people have had their Gmail account accessed by a phishing scam involving a Google Docs email yesterday.
Victims received emails from trusted contacts, asking them to open a Google Doc. As soon as the recipient clicks through, they are asked to give away permissions to an app imitating Google Docs, namely the ability to read, send, delete and manage email, as well as manage contacts. For the user, once they click through, nothing happens. But the attacker is effectively given access to Gmail. It appears whoever created the worm, used the access they gained to users' contacts, to spread the scam.
Google commented by saying, "We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed."
What to do
For anyone who is concerned, we recommend you do the following:
- Look very carefully at all your Google Docs messages. The phishing emails will typically say something like: " ___ has invited you to view the following document," with the recipient in the BCC field. That is the first clue something phishy is going on, added to the fact that the only other visible email address in the to field is hhhhhhhhhhhhhhhh@mailinator[.]com, a temporary account on Mailinator. See screenshot below.
- Go to https://myaccount.google.com/permissions and revoke any permissions given to an app called Google Docs. This will likely prevent the scammer from being able to access your Google account. Google should have removed this for you already.
There is unfortunately one issue for victims who did click through. The attacker could have automated the scam and copied the user’s Gmail account already. In this case, there is not much to be done other than hope nothing sensitive was stolen and that proactive measures are being taken against those who perpetrated the hack.
Is it a Russian attack?
Some are suggesting that given the similarities between this fresh phishing scam and the past activity of the DNC hackers, known as APT28, the Google phishers could be the allegedly Kremlin-backed crew.
Regardless of who's behind this hit, it may be the biggest phishing scam seen for some time. Google says it is taking further action to prevent similar attacks in the future, but for now—it is best to be wary, be careful, and keep your eyes open for suspicious emails.
If you think you were affected, visit http://g.co/SecurityCheckup.
BTA is a Managed Service Provider and one of the most established IT providers in London. Offering comprehensive IT support services ranging from security to hardware procurement, BTA will ensure your IT runs efficiently as possible. For more information on BTA’s IT services, please contact email@example.com today.