Date:4 May 2017
The latest phishing scam sweeping the web is better than most. Don’t click!
By Eric Limer
If you get a request to access a Google Doc, don’t click it. As you may have heard, there’s a phishing scam going around, a con intended to steal your information and pass itself on to all your friends and contacts. Once you are aware of it, it’s simple to avoid, but underneath the hood it looks to be a savage and clever bit of cyber theft.
Update: Google offered the following statement
“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
Ed: Even though Google claims the phishing scam has been remedied, we thought we’d still share the details to spread awareness.
In practice, the scam works like this: You get an email from a friend asking you to look at a Google Doc. When you click yes, Google Docs asks for permission to your account, including the permission to see and manage your email, as well as your contact lists. So far, you’re fine, but the second you click that button, your account will send out messages to all of your contacts with a link similar to the one you got in an attempt to spread itself further. Then it disappears. It even deletes itself from your account, having squirrelled away plenty of your data no doubt.
That’s bad enough, but what’s really terrifying is the degree to which the scam is undetectable, as Redditor JakeSteam points out. Most phishing scams are possible to spot because, to some degree or another, they don’t look right. Hackers sending fake Google emails or invites have to fake all kinds of elements only Google would be able to replicate. Often they’re sent from shifty domains, like Gmaii.com (with the second i capital) instead of Gmail or Google. Sometimes they contain links out to URLs that are clearly not Google-owned or are effectively obscured by link shortening services like Bit.ly. This scam, it seems, suffers from none of these failings because it is done almost completely through Google’s legitimate system.
This phishing scam appears to use an actual legitimate third-party Google application that somehow got the name “Google Docs.” Therefore, when it asks for permission to access your account, it’s doing so on the up and up. Since it’s using Google’s actual framework, it doesn’t have to fake anything, making it next-to-impossible to spot. It’s not stealing your password through nefarious means or anything; it is legitimately asking for access to your account and even spelling out what that access is before you click. It’s basically a worst case scenario for how hackers can get into your account without your password, simultaneously bypassing measures like two-factor authentication.
In practice, the only real way to spot the scam if you aren’t already on guard is to click the hyperlink that says “Google Docs” on the screen that asks you to allow it access to your account. Doing this, JakeStream points out, reveals it is published by a strange, random Google account, not Google itself. Otherwise, since this is just a third-party app, it appears as a completely legitimate request because it is—the vulnerability being exploited is whichever one the maker used to “Google Docs” as a name. This is not a robber in black, kicking down your door. It’s your mailman, knocking on your door and delivering a package that’s actually addressed to you, but as soon as you open it, a thief pops out and steals your TV. The vulnerability isn’t your lock, it’s that the Post Office didn’t catch a thief trying to mail himself.
The main flaw of the hack, if you can even call it a flaw, seems to be that it was perhaps a little trigger happy. With cover as impenetrable as this, the phishing attack might have been able to circulate for weeks or months without large scale detection, but the recent flood of messages seems to have given it away. Though who knows how long it may have been out there before the dam broke on Wednesday afternoon.
In the meantime, be careful. Don’t give any applications permission to your account unless you’ve vetted them as best as you can. And don’t click on any Google Doc requests you aren’t expecting for a while.
This article was originally written for and published by Popular Mechanics USA.