Google appears to have shut down a phishing scam that this week tricked numerous Gmail users into accepting bogus invitations to share a Google Doc with people they know. However, it's possible that those who fell for the scam, as well as anyone in their email contacts, could be targeted in future phishing schemes.
The Google Docs worm, as security experts are describing it, presented Gmail recipients with a legitimate-looking email that said one of their contacts had invited them to view a shared file in Google Docs. Upon clicking the link in the email, however, users were directed to a page that appeared to come from Google Docs but actually granted an unverified third-party app access to their email accounts and contacts.
Yesterday, Google said that it had "disabled offending accounts," removed fake pages and taken steps to "prevent this kind of spoofing from happening again." The company also began rolling out a new security feature for Gmail on Android that will show a phishing warning if users click on suspicious links in messages.
Millions Could Have Been Affected
While Google did not release any details about how many users might have been affected by the Google Docs worm, computer security analyst Graham Cluley noted in a blog post today that millions could have received such phishing emails.
"The likelihood is that someone was attempting to harvest a large number of contact details, perhaps with the intention of selling them for profit to spammers and scammers," Cluley said. "The attack appears to have been too aggressive and worm-like to have been intended as a targeted attack against a particular group, but it's interesting to note that just over a week ago researchers at Trend Micro blogged how the state-sponsored Pawn Storm hacking group was abusing OAuth in a similar fashion in an attempt to phish login credentials."
OAuth is the Open Authorization standard that lets users grant third-party services access to an account without sharing the account password. In the case of the Google Docs worm, the suspicious emails linked to a legitimate Google OAuth permissions page, but the approval being sought was not for the real Google Docs but for a suspicious third-party app registered under the same name.
Scam Email Was 'Convincing'
The Google Docs worm was able to fool people into authorizing third-party access to that suspicious app because the email it was attached to appeared to legitimately come from Google, reviews editor Ron Amadeo said yesterday on Ars Technica. One of the only ways a recipient could tell the message was fake was by opening the drop-down information for the purported Google Docs app on the OAuth link.
Rather than identifying the app as Google, the drop-down menu showed the "Google Docs" app seeking third-party access was from a developer with the email firstname.lastname@example.org asking to redirect the recipient to a "Google sounding" URL.
"For a time, the worm had total access to the victim's email, so, in addition to spamming all your contacts, it could have copied all your emails (and all your Hangouts chats) to a third-party server," Amadeo said. "In the future, this method could be used for more phishing attempts, since the nefarious party knows your email and product combinations. It could also be used for a public dump of VIP emails, like what happened to the DNC."
That final sentence refers to the public dump of Democratic National Committee emails that were posted online by WikiLeaks after the Gmail account of John Podesta, Hillary Clinton's presidential campaign chairman, was compromised last year.
"One imagines that Google will be looking out for attacks like this in future and may block attempts by other malicious actors to create apps that pose as official Google properties," Cluley said.
To avoid being taken in by similar scams in future, "[n]ever accept OAuth token requests from an unrequested service or person. Regularly check what applications you have granted access to your accounts. If you see a suspicious app connection, immediately revoke its access," he added.
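The warning signs described above (a consent request from an app that calls itself "Google Docs" but is published by an outside developer, redirects to a merely Google-sounding host, and asks for full mailbox and contacts access) can be turned into a simple review checklist. The following Python script is an added example for this article, not code from Google, Ars Technica or Cluley. It assumes that the consent screen exposes the authorization URL, the displayed app name and the developer e-mail, uses an assumed allowlist of Google-owned domain suffixes, and runs on constructed sample inputs; the two scope strings are Google's real scope identifiers for mailbox and contacts access.

```python
"""Flag risky OAuth consent requests of the kind used by the Google Docs worm.

Added example: the allowlist, sample URLs and developer addresses below are
assumptions constructed for illustration, not values taken from the incident.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed allowlist of domain suffixes that Google itself controls. Only exact
# matches or sub-domains count, so "docs.google.com.example.net" does not pass.
GOOGLE_OWNED_SUFFIXES = ("google.com", "googleapis.com", "googleusercontent.com")

# Real Google scope identifiers that grant broad access to mail or contacts.
BROAD_SCOPES = {
    "https://mail.google.com/": "full read/write/delete access to the mailbox",
    "https://www.googleapis.com/auth/contacts": "read/write access to contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read access to contacts",
}


@dataclass
class ConsentRequest:
    """What a user can see on the consent screen and in its details drop-down."""
    url: str              # the authorization URL the e-mail link led to
    app_name: str         # the name shown for the requesting app
    developer_email: str  # the developer address shown in the details drop-down


def is_google_owned(host: str) -> bool:
    """True only if host is one of the allowlisted suffixes or a sub-domain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_OWNED_SUFFIXES)


def assess_consent(req: ConsentRequest) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings = []
    params = parse_qs(urlparse(req.url).query)
    redirect_uri = params.get("redirect_uri", [""])[0]
    redirect_host = urlparse(redirect_uri).hostname or ""
    claims_google = "google" in req.app_name.lower()

    # 1. Where does the token go after approval? A look-alike host is the
    #    strongest single indicator; a plain third-party host is only a problem
    #    when the app is also claiming to be Google.
    if not is_google_owned(redirect_host):
        if "google" in redirect_host.lower():
            findings.append(f"redirect_uri host {redirect_host!r} only looks Google-owned")
        elif claims_google:
            findings.append(f"app claims to be Google but redirects to third-party host {redirect_host!r}")

    # 2. How much access is being requested? parse_qs already decodes %20 to spaces.
    for scope in params.get("scope", [""])[0].split():
        if scope in BROAD_SCOPES:
            findings.append(f"scope {scope} grants {BROAD_SCOPES[scope]}")

    # 3. Who publishes the app? A Google-branded name from a non-Google developer
    #    is exactly what the worm's consent screen showed.
    developer_domain = req.developer_email.rsplit("@", 1)[-1]
    if claims_google and not is_google_owned(developer_domain):
        findings.append(f"app named {req.app_name!r} is published by {req.developer_email}, not Google")
    return findings


# Constructed sample inputs (assumptions, not artefacts from the real attack).
SUSPICIOUS = ConsentRequest(
    url=("https://accounts.google.com/o/oauth2/auth?client_id=CONSTRUCTED-CLIENT-ID"
         "&redirect_uri=https://googledocs-share.example.net/callback"
         "&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts"
         "&response_type=code"),
    app_name="Google Docs",
    developer_email="app-owner@example.org",
)
BENIGN = ConsentRequest(
    url=("https://accounts.google.com/o/oauth2/auth?client_id=CONSTRUCTED-CLIENT-ID"
         "&redirect_uri=https://notes.acme.example/oauth/callback"
         "&scope=https://www.googleapis.com/auth/drive.file&response_type=code"),
    app_name="Acme Notes",
    developer_email="support@acme.example",
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(f"{label}: {assess_consent(req) or ['no findings']}")
```

The benign request shows the point of the third check: an ordinary third-party app naturally redirects to its own domain and asks for a narrow scope, so it produces no findings, while the constructed worm-style request produces four. The same three questions (where does the token go, how much does it unlock, who is really asking) are what to look at when, as Cluley advises, reviewing the apps already connected to an account.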
Image credit: Product shot by Google.
Posted: 2017-05-07 @ 3:59am PT
Even though you give sound advice on how not to fall prey to these emails, some people will still open them.
Posted: 2017-05-05 @ 11:41am PT
@Albert: Check in directly with Google's Gmail Help Forum for assistance.
Posted: 2017-05-05 @ 11:37am PT
How can you fix my Gmail so it will run again?