Slashdot Mirror


Gmail, Google Docs Users Hit By Massive Email Phishing Scam (independent.co.uk)

New submitter reyahtbor warns of a "massive" phishing attack sweeping the web: Multiple media sources are now reporting on a massive Gmail/Google Docs phishing attack. The Independent is among the top publications reporting about it: "Huge numbers of people may have been compromised by the phishing scam that allows hackers to take over people's email accounts. It's not clear who is running the quickly spreading scam or why. But it gives people access to people's most personal details and information, and so the damage may be massive. The scam works by sending users an innocent looking Google Doc link, which appears to have come from someone you might know. But if it's clicked then it will give over access to your Gmail account -- and turn it into a tool for spreading the hack further. As such, experts have advised people to only click on Google Doc links they are absolutely sure about. If you have already clicked on such a link, or may have done, inform your workplace IT staff as the account may have been compromised. The hack doesn't only appear to be affecting Gmail accounts but a range of corporate and business ones that use Google's email service too. If you think you may have clicked on it, you should head to Google's My Account page. Head to the permissions option and remove the 'Google Doc' app, which appears the same as any other." UPDATE 5/3/17: Here's Google's official statement on today's phishing attack: "We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."


  1. How ? by Archangel Michael · · Score: 2

    How does clicking a link cause someone's account to be compromised? There is more to the story than clicking the link.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:How ? by Archangel Michael · · Score: 2, Informative

      Clicking the link doesn't hack the account. Adding permissions does. There is another "allow" button that actually causes the "hack" to work.

      Change your passwords folks.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:How ? by Anonymous Coward · · Score: 5, Informative

      Changing a password doesn't invalidate the given app permissions if a user falls victim to this. The user's password isn't given over to the attacker. Changing the user's password won't do anything.

    3. Re:How ? by Anonymous Coward · · Score: 0

      1. You are assuming higher intelligence on the part of the programmer.
      2. You are assuming higher intelligence on the part of the user.

      If you stop making those particular assumptions then all will become clear.

    4. Re:How ? by xxxJonBoyxxx · · Score: 5, Informative

      Here's how it appears to work:
      1) Phishing email appears to come from one of your associates (in the "from" name; the "hhh...@mailinator.com" address is a dead giveaway to suspicious folks)
      2) You click on the link and it bounces you through a Google OAuth request, with parameters that will ask you to authorize either googledocs.gdocs.pro or googledocs.docscloud.win (either way, an attack site)
      3) You click "Yes, I'd like to authorize..."
      4) You end up on the attack site, and it grabs your contacts (except those with "google", "keeper" or "unty" in the name) and sends a fresh phishing email to all of them in slightly staggered batches

      Basically, it's an email worm that bounces through an attack site. Fortunately it uses an OAuth2 request, so Google probably spiked it by killing the client API ID, killing some domains, and also appears to have changed something else too. If the author had been a little more subtle, he would now have backdoors into the Gmail/Gdocs of hundreds of thousands of users. Instead, by scraping/spamming all contacts, he got detected and crushed.

    5. Re:How ? by fluffernutter · · Score: 3, Informative

      It looks like it is an OAuth confirmation. In that case all you need to do is say 'yes' and mystery website gets an access key for your account.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    6. Re:How ? by Anubis IV · · Score: 5, Informative

      This is what's happening:
      1) You receive a convincing looking e-mail from a known contact, apparently sharing a Google Doc with you.

      2) Following the "Open the Doc" link directs you to Google's real pages for logging in, followed up by being prompted to grant permission to "Google Docs" to read, send, delete, and manage your e-mail, as well as your contacts. Clicking on "Google Docs" reveals that it's not the real app, but rather an app with the same name that's linked to some random gmail address. Again, all of this is still via Google's real pages.

      3) If you grant permission, you're compromised, because you've effectively given a rogue app full access to your account via the app API. They have full access to your e-mails and contacts, and will send e-mails to all of your contacts indicating that you shared a doc with them, thus perpetuating the scam.

      Notably, resetting your password will not revoke the scammer's access. Because you've granted the fake "Google Docs" app full permission to access your account via the app API, they have no need for your password. The best way to remove their access is by going to this Google page and removing access for the fake "Google Docs" app.

    7. Re:How ? by Anonymous Coward · · Score: 0

      That makes no sense. WTF does the password have to do with permissions?

    8. Re:How ? by Anonymous Coward · · Score: 0

      I got one of these today. It's clever. I have never seen a better phishing attempt! The e-mail claims someone sent you a google doc with an inline link that takes you to a legit google login page on a legit google domain. If you are already logged in (e.g. g-mail), it even skips the login page. Once you authenticate with google it asks you to grant permissions to an APP called "google docs". The next page prompts you to give that app permissions to access your account. Most people will click through because they believe that the app "google docs" is actually docs.google.com, and they want to see the "document" their friend just e-mailed them. Almost had me fooled!

      Summary: Someone created an app nefariously called "google docs" which uses the legit google api (i.e. the one that is used for allowing all sorts of other access to your google accounts, e.g. wearables, fitness trackers, etc.)... Once you voluntarily grant this rogue app complete permission to your account it's game over...

    9. Re:How ? by Anonymous Coward · · Score: 0

      No it doesn't. Please don't give advice on security matters unless you know what you're talking about.

    10. Re:How ? by Anonymous Coward · · Score: 0

      How does clicking a link cause someone's account to be compromised? There is more to the story than clicking the link.

      CSRF
      XSS

      I hope you're not making dynamic websites.

    11. Re:How ? by Eeepeeep · · Score: 1

      A phish that uses a legitimate login page has to be a first. From what I've seen, anti-phishing education stresses distinguishing between fake and real login pages - that education is useless in this case. This seems to be a major flaw in how the google authentication page is designed. They may have patched this particular case but doesn't the underlying problem still exist?

    12. Re:How ? by Anonymous Coward · · Score: 1

      Ok, stupid question by someone who's never used Google Docs: why would you ever grant the permissions it was seeking? The screenshots I saw in the Ars Technica article showed that the app wanted full authority to read, send, delete, and manage your email as well as manage your contacts. Anyone who would grant an app those permissions is begging for trouble.

  2. Google Account by Anonymous Coward · · Score: 0

    Story is wrong... there is no Permissions section.

    1. Re:Google Account by David_Hart · · Score: 5, Informative

      Story is wrong... there is no Permissions section.

      The proper path is My Account, Sign-in & Security, Connected Apps and sites, Manage Apps. You'll see a list of Apps, just make sure that you haven't given permissions to the Google Docs app. If you have, click on the Google Docs app and click on Remove.

  3. Just Hit by jasnw · · Score: 2

    Dumped one of these into my mail trash just before I visited /. Supposedly from 'office@metroroof.com' (a local vendor I used last year) to 'hhhhhhhhh@mailinator.com' with a bcc to my address. Told me that 'Jasmine Crews has shared a document on Google Docs with you.' Had a button to click on reading 'Open in Docs'. I wonder what percent of people actually click on these things?

    1. Re:Just Hit by Sumus Semper Una · · Score: 4, Insightful

      I wonder what percent of people actually click on these things?

      Sadly, probably more than you'd think.

      I mean, I get it. Application/computer security isn't always straightforward to the layperson, and it's sometimes hard to tell what's a vulnerability and what isn't. You get an email from someone you know (or that looks like it might have been from someone you know) and you're curious what they're sharing with you. If you're not familiar with phishing patterns and how they usually have to generalize their messages and hide reflected XSS links, it can be tricky to spot a clever phishing attempt.

      I really wish there were an easy answer. So far, my best advice to less computer savvy friends and family has been to treat any unexpected or unprecedented links or attachments in their email with suspicion. But I know that sooner or later they'll find a legitimate email that they initially thought was suspicious and start to relax their guard. If anyone has better rules of thumb for less tech savvy family and friends, I'd love to hear it.

    2. Re:Just Hit by Anonymous Coward · · Score: 1, Insightful

      I wonder what percent of people actually click on these things?

      A lot, when they're sent from someone the recipient knows. That's the beauty of this worm, I guess. If you got one of these emails:

      1. It came from someone you've dealt with in the past.

      2. It actually did originate from that person's Gmail account.

      3. It was sent through Gmail's servers, there's no chain of 5 overseas bot IPs in the headers.

      4. The link actually went to accounts.google.com (eventually redirecting elsewhere).

      5. Clicking on the link brought up Google's real permissions page with information only Google could know (your other accounts, etc.).

      To a regular user, this thing looked totally legit. Even to a savvy/advanced user who knows how to inspect headers and hover over link destinations, it would still have passed the smell test. This was really, really, bad.
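      An added example, not from the thread or from Google: it turns the traits xxxJonBoyxxx's post and the list above describe into a check over a constructed sample message, flagging the disposable To: address, the share-notification subject, and an OAuth link whose redirect_uri leaves Google and whose scopes cover the whole mailbox and address book. The scope strings, the placeholder client_id and the sample message are assumptions; the redirect host is one of the two named in the thread.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs

# Hosts a Google consent screen may legitimately send the browser back to.
# Matched by suffix so that "google.com.evil.example" does not pass.
TRUSTED_REDIRECT_SUFFIXES = ("google.com", "googleapis.com")

# Scopes that hand over the whole mailbox or address book. Assumed to be the
# scopes behind the "read, send, delete, manage" consent screen in the thread.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

# Disposable-mailbox domain the thread reports in the To: header.
DISPOSABLE_DOMAINS = ("mailinator.com",)

# Subject format the thread quotes for a genuine (and for this fake) share.
SHARE_SUBJECT = re.compile(r"has shared a document on Google Docs with you", re.I)


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def _host_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_REDIRECT_SUFFIXES)


def analyze_oauth_link(url):
    """Reasons a Google-hosted OAuth authorization URL looks like consent phishing.

    Links that are not on Google at all are a different problem (a fake login
    page) and are left to other checks, so they return no reasons here.
    """
    reasons = []
    if not _host_trusted(_host_of(url)):
        return reasons
    params = parse_qs(urlparse(url).query)  # percent-decodes redirect_uri and scope
    for redirect in params.get("redirect_uri", []):
        if not _host_trusted(_host_of(redirect)):
            reasons.append("redirect_uri leaves Google: " + _host_of(redirect))
    requested = set()
    for value in params.get("scope", []):
        requested.update(value.split())  # scopes are space separated
    broad = sorted(requested & BROAD_SCOPES)
    if broad:
        reasons.append("broad scopes requested: " + ", ".join(broad))
    return reasons


def analyze_message(raw):
    """Return the traits from the thread that a raw RFC 822 message exhibits."""
    msg = message_from_string(raw)
    reasons = []
    if any(d in msg.get("To", "").lower() for d in DISPOSABLE_DOMAINS):
        reasons.append("To: header uses a disposable mailbox")
    if SHARE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("subject mimics a Google Docs share notification")
    body = msg.get_payload()  # the constructed sample is single-part text
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        reasons.extend(analyze_oauth_link(url))
    return reasons


# Constructed sample modelled on the thread's description. The client_id is a
# placeholder; the backslashes join the long URL onto one line.
SAMPLE_MESSAGE = """\
From: A Contact <contact@example.com>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: A Contact has shared a document on Google Docs with you
Content-Type: text/plain

A Contact has invited you to view a document.
Open in Docs: https://accounts.google.com/o/oauth2/auth?client_id=CLIENT_ID_PLACEHOLDER\
&redirect_uri=https%3A%2F%2Fgoogledocs.gdocs.pro%2Fg.php\
&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts\
&response_type=code
"""

if __name__ == "__main__":
    for reason in analyze_message(SAMPLE_MESSAGE):
        print("-", reason)
```

      A message with none of these traits, or a Google link without a redirect_uri or scope parameter, yields an empty list.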

    3. Re:Just Hit by barakn · · Score: 1

      An email sent to hhhhhhhhhhhhhhhh@mailinator.com passes the smell test? There must be something wrong with your nose.

      --
      "I'm so moist I'm sticking to the leather." -Kermit the Frog on The Late Late Show
    4. Re:Just Hit by Shados · · Score: 1

      We got hit really hard at work by this. 2 of these emails went around, and they appeared to be sent from 2 of our engineers who routinely DO send google docs. The app was set up reasonably convincingly, and because OAuth and so called "single sign-on" are really more like "a million sign on" because they never work quite right or ask you for credentials way too often, people are just used to having to approve everything all the time.

      So hundreds of people clicked the damn thing. Including a lot of pretty accomplished engineers. I probably would have too, except my teammate got hit first and warned me before I saw the email.

    5. Re:Just Hit by Anonymous Coward · · Score: 0

      The idea that someone emailing me may have accidentally typed garbage into the To box wouldn't raise any red flags by itself. I've seen all sorts of junk appear in legitimate messages. The fun ones are when I get email where the To header is something like

      To: MyFirstname@sender.com, MyLastname@sender.com,

      ...because the sender screwed up entering me into their address book, and their mail system assumed the two words without @domain.parts must be local addresses. Which means those addresses, if they exist, got a copy of the message. People are clumsy.

    6. Re:Just Hit by Anonymous Coward · · Score: 0

      That should have read:

      To: MyFirstname@sender.com, MyLastname@sender.com, <myrealaddress@my.com>

      Filtering ate the last one.

    7. Re:Just Hit by Bongo · · Score: 1

      One of the hardest things is that the interface trains the user into trusting it and even obeying it.

      "Enter your password:"

      The fact that malware can, in one way or another, get any influence over the interface, is what sinks most things.

      Basically, your computer may be corrupted by anything it comes into contact with, so don't trust it.
      And if you get caught out, well it is the fault of the technology and the developers.
      So don't trust your computer with anything really important, because it is already flawed in ways you can't imagine. And accept the risks. After all, people drive their cars everyday. The convenience just outweighs the risks.

    8. Re:Just Hit by Anonymous Coward · · Score: 0

      It's possible to click the link before noticing the suspicious bcc address. I received the email from a friend who I consider fairly intelligent and computer savvy, and I made the same mistake as her (email looks legitimate enough; and it's easy to click the link before noticing the suspicious hhh...@mailinator.com email address).

    9. Re:Just Hit by Gamer_2k4 · · Score: 1

      For me, it was the perfect combination of several factors:

      1) I had shared documents with the person before, so this wasn't out of the ordinary.
      2) We had just got done planning an event, which we often use Google Docs for.
      3) I get share requests just often enough to not think anything of them, but not so often that I have a perfect image in my head of what an invite is supposed to look like.
      4) My work network is such that I'm used to my authentication not being saved for sites, so it was normal that I had to log in again.

      I haven't fallen for a scam like this for over a decade, so it was certainly embarrassing. Luckily I removed access to the app just moments after I realized what had happened, and no one in my contacts opened the link. Guess they were wiser than I was.

    10. Re:Just Hit by Anonymous Coward · · Score: 0

      >I wonder what percent of people actually click on these things?

      But remember, the 'app' which asks to be given the permissions is literally called 'Google Doc' app, not ZappV1ru5.EXE.
      This straight up facade is more convincing. The correct approach is to not believe such emails to begin with. Because once you entertain its legitimacy, it will look real.

    11. Re:Just Hit by ArsenneLupin · · Score: 1

      If you use Google Docs that often, you'd already have granted it all needed permissions. So it should raise some eyebrows if "Google Docs" asks for "those" permissions again.

  4. in other news... by Anonymous Coward · · Score: 0

    Centralization continues to be a bad idea. News at 11.

  5. Better Explanation by jetkust · · Score: 4, Informative

    Also with a gif of the attack.
    http://bgr.com/2017/05/03/goog...

    "It starts with an email from a known contact, which says that the person has shared a Google Doc with you. You’re invited to click the link to open, which redirects you to a legitimate Google sign-in page. You’re prompted to select one of your Google accounts (remember: this is all using Google’s normal sign-in system), and then authorize a legit-looking app called “Google Docs” to manage your emails."

    "That’s how the scam works: the app called “Google Docs,” which requests permission to read, send and delete emails, isn’t really a Google app. Rather, it’s an app controlled by the hackers. It seems that once it has permission to manage your email, it secretly sends out a bunch of emails to all your contacts, with the same phishing link."

    1. Re:Better Explanation by Anonymous Coward · · Score: 0

      Yikes, it shouldn't be so easy to allow someone access to all your email or documents. I can see requesting permission to see one document though.

    2. Re:Better Explanation by ljw1004 · · Score: 2

      So presumably Google could nip this in the bud by removing the OAuth credentials for the third-party app named "Google Docs".

      And they could avoid these problems in the future by denying registration of any app that claims to be called Google unless it's written by Google, and likewise Dropbox or Microsoft or Apple or Facebook.

    3. Re: Better Explanation by Anonymous Coward · · Score: 0

      Better still would be for users to have a default option to "never allow third party apps access to my account/mail/contacts etc" which can be manually disabled somewhere within account settings, with a warning.

    4. Re:Better Explanation by Gamer_2k4 · · Score: 1

      Yikes, it shouldn't be so easy to allow someone access to all your email or documents. I can see requesting permission to see one document though.

      The thing is, innocuous apps ask all the time for access you wouldn't think they'd need, and users are used to granting permissions. MyFitnessPal, for example, needs access to your phone's camera for its UPC scanner. On the surface, it seems odd that a calorie counting app needs camera access, but it's easy to say, "Well, I want to use the app, so whatever, I guess."

      And why wouldn't Google Docs (the legitimate one) need access to your email and other documents? That's pretty much its whole point, after all.

  6. Google is on top of it by Mr.Intel · · Score: 4, Informative

    Had an acquaintance get hit with this and received the phishing attempt. Didn't click the link because of the red flags (non-specific document name and the TO address) but sent him a warning and a link to this story. He replied telling me he knew about it and their IT department was handling it. I replied back but it bounced. I changed the subject, removed the phishing link in the quoted email thread and it went through. Looks like google is blocking these messages from being sent/received at all. Fairly recent change as well.

    --
    ASCII tastes bad dude.
    Binary it is then.
  7. Cloud by fluffernutter · · Score: 0

    Wow, what's this thing called the cloud? Having all your files available on the internet all the time sounds like a GREAT IDEA!

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  8. Could you have submitted a worse link? by Pollux · · Score: 4, Informative

    Comment to submitter... next time, please find an article that provides a much better summary without all the gratuitous clickbait links, please. Like this one, or this one.

    Anyways, in short, the doc makes an OAuth request for access to the user's e-mail and contacts. And since every user blindly accepts permissions such as these whenever they add an app to their phone, we had a lot of users at our district click "Accept".

    Mod points to anyone who can parse the source code and summarize what it does, besides mass-email everyone in the contact list a copy of itself.

    1. Re:Could you have submitted a worse link? by Anonymous Coward · · Score: 0

      I'm hardly an expert, but it looks to me like it does nothing except get your contacts and email itself out. Harmless worm, I think.

    2. Re:Could you have submitted a worse link? by rudy_wayne · · Score: 2

      Comment to submitter... next time, please find an article that provides a much better summary without all the gratuitous clickbait links, please.

      You must be new here.

    3. Re:Could you have submitted a worse link? by Anonymous Coward · · Score: 0

      -1 Troll

      Heh, truth hurts, huh?

  9. Only apps can app apps! by Anonymous Coward · · Score: 2, Informative

    This is just an app doing what apps do: apping other apps! Only LUDDITES hate apps that app other apps!

    Apps!

  10. Russia by WillAffleckUW · · Score: 0

    We charged the Trump crime family today and served a number of their operatives warrants.

    What? You thought it was a joke?

    It's the cold war, baby, we're back. And the protocols worked.

    --
    -- Tigger warning: This post may contain tiggers! --
  11. How Did they Get that Name? by cboyle · · Score: 4, Interesting

    Anyone have any ideas how the attacker was able to register the name "Google Docs" with Google? I assume you're not supposed to be able to do this or we would have seen this attack much earlier. My original guess was that the name was in non-Latin (Unicode) letters with the same appearance as Latin letters, but my primitive method of copying and pasting into Python and checking for equality with the plain Latin string indicated this wasn't the case.

    1. Re:How Did they Get that Name? by GNious · · Score: 1

      Same way there's 1700 Android and iOS apps called Pokémon Go, Mario Run and so on?

    2. Re:How Did they Get that Name? by Anonymous Coward · · Score: 0

      There are?
      Oh man, I need to get downloading and soon!
      I did not realize there was such a multiple version treasure trove of my favorite games!

      *click
      *click
      *click
      *Oh wait... something's happening. WTF??!?

    3. Re:How Did they Get that Name? by cboyle · · Score: 1

      Is that true? Could you provide a link to an app in the iOS store other than Pokémon Go that is named "Pokémon Go"? Note that I'm not talking about apps with names like "Guide for Pokémon Go"; this attack involved being able to name the app "Google Docs", seemingly identical to the name of the original app by Google. I'd assume they'd block even sort-of similar names, e.g. "GoogIe Docs" with a capital "i" instead of a lower-case "L".
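      An added example, not from the thread or from Google: a stricter version of the copy-and-paste equality test cboyle describes, written as the kind of name-collision gate an app registry could run. It folds case, spacing, invisible characters, compatibility forms (full-width letters) and a small constructed table of look-alike characters before comparing a candidate name against a constructed reserved list, so "GoogIe Docs", a Cyrillic-o "Gооgle Docs" and "Google<zero-width space>Docs" all collide with "Google Docs".

```python
import unicodedata

# First-party names a registration must not collide with (constructed list).
RESERVED_NAMES = ["Google Docs", "Google Drive", "Gmail"]

# Look-alike characters folded to the ASCII letter they resemble. Deliberately
# small; a production gate would use the full Unicode confusables table.
CONFUSABLES = {
    "1": "l", "|": "l",                                          # one, bar -> lowercase L
    "0": "o",                                                    # zero -> o
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",  # Cyrillic a c e o
    "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y",  # Cyrillic p s x y
    "\u0456": "i", "\u03bf": "o", "\u03b1": "a",                 # Cyrillic i, Greek o a
}


def skeleton(name):
    """Comparison key that ignores case, spacing, punctuation, compatibility
    forms, invisible characters and the look-alikes listed above."""
    text = unicodedata.normalize("NFKC", name)   # full-width "Ｇ" becomes "G"
    text = text.replace("I", "l")                # capital i vs lowercase L ("GoogIe")
    text = text.casefold()                       # also lowercases Cyrillic/Greek
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    # Keep letters and digits only: drops whitespace, punctuation, combining
    # marks and format characters such as zero-width spaces.
    text = "".join(ch for ch in text if unicodedata.category(ch)[0] in "LN")
    return text.replace("rn", "m")               # "rn" renders much like "m"


def check_app_name(candidate, reserved=RESERVED_NAMES):
    """Return the reserved name the candidate would be mistaken for, or None."""
    key = skeleton(candidate)
    for name in reserved:
        if key == skeleton(name):
            return name
    return None


def suspicious_chars(name):
    """Non-ASCII characters in a name with their Unicode names: what a plain
    equality test against the Latin string cannot make visible."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in name if ord(ch) > 127]


if __name__ == "__main__":
    for candidate in ["Google Docs", "GoogIe Docs", "G\u043e\u043egle D\u043ecs",
                      "Google\u200bDocs", "Guide for Google Docs"]:
        print(repr(candidate), "->", check_app_name(candidate), suspicious_chars(candidate))
```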

    4. Re:How Did they Get that Name? by Anonymous Coward · · Score: 0

      Anyone have any ideas how the attacker was able to register the name "Google Docs" with Google?

      Let's just shut down this one app and ban future uses of this specific deceptive name. That should solve the problem for good.

  12. Yes. by waspleg · · Score: 2

    This is hitting school districts hard in my state. We invariably have people click on phishing scams and it only takes a couple per building to be a real problem.

  13. What to tell the novices... by Traverman · · Score: 1

    The question has been asked, here and elsewhere, what we possibly could have told the novices out there in order to immunize them against this sort of attack. The question is even more relevant now that this proof of concept has been a smashing success, which must surely have emboldened other bad guys to improve upon it.

    Just tell them to deny any request, even from a trusted entity, to obtain permissions or passwords to another service they use, even if, as in this case, the service (Google Docs) is under the same roof as the message delivery service (GMail).

    This means:

    NO autodebit. (Just give us your account numbers and Telephone Inc will autodebit your monthly bill!)

    NO autoimport. (Just import all your tax data using your MyBux.com password, and we'll do the rest!)

    NO autosubscription. (For just $9.99 automatically billed to your credit card every month, Happy Music will deliver unlimited music!)

    And above all NO permissions to your personal accounts for ANYONE other than on a doc-by-doc basis for the sake of collaboration, in which case grant the permission manually by going to Google Docs (or whatever collaboration app) and explicitly adding the person by his/her email address, NOT his/her name, which might map to a different email address.

    The only thing you can safely give out is your wifi password, because all routers should be presumed pwned. Practice good endpoint security, and give up on everything else.

    1. Re:What to tell the novices... by Anonymous Coward · · Score: 0

      Even easier advice: NEVER EVER EVER EVER click a link in an email. It doesn't matter what it is or whom it is from.

    2. Re:What to tell the novices... by Anonymous Coward · · Score: 0

      what we possibly could have told the novices out there in order to immunize them against this sort of attack.

      Do not participate in "ecosystems" like mobile app stores, Facebook apps like Farmville, and Google "APIs" like OAuth webapp-to-webapp screens like the one used here.

      Why? The security model is "jump in and fool around, wheeee!" because they are incented to court developers into their walled garden by making the users more exploitable within it. They have a variety of nicer ways of putting this to themselves, but that's what they're doing, and whenever it comes time to make a hard choice, like:

        - how should we present the name of this app?
        - how easy should we make it to grant this permission?
        - should we allow binding apps to incognito accounts?
        - should we allow presenting mock data to apps?
        - should we offer data to apps one record at a time with a dialog not controlled by the app, analogous to "file upload" in a web browser, or should we just grant the app "background filesystem access"?

      they always make the choice that puts the ecosystem ahead of the user.

      Avoid all of this mess. Don't use apps on your phone. Don't use app-like things on the web. The companies operating the ecosystems have demonstrated they're either incompetent or untrustworthy, including Google, in spite of the great work they've done on Chrome.

  14. Hacker by Anonymous Coward · · Score: 0

    Here's how to know for sure if your spouse is really cheating on you or not. I was introduced to leehacks92@gmail.com, he's a professional hacker and computer systems analyst. I contacted him and told him what I needed and he decided to help me out. I paid for the service and he delivered in perfect timing. It turns out my husband was a serial cheater after all. I was devastated to find out about the news but at the same time I was happy to find out early enough to know that I deserve better and move on with my life!

    1. Re:Hacker by Anonymous Coward · · Score: 0

      And here I thought the only person dumb enough to spam Slashdot is APK.

    2. Re:Hacker by Anonymous Coward · · Score: 0

      No complaints from me, I like APK's spam. Reminds me to use a host file. Also, his stuff is free. - by aaaaaaargh! (1150173) on Tuesday November 17, 2015 @09:31AM (#50947415)

  15. already done by s.petry · · Score: 1

    This was done by about noon PST yesterday (5/3). Sites hosting the phishing attack were offline and DNS for many/most simply vanished. Email addresses were harvested already, which seems to be the point of the campaign. That, and to validate massive scale manipulation of Google's OAuth. To the bad guys, it was a big success.

    The subject of many/most of these emails was "hhhhhhhhh" (maybe a few more "h"s), so quite honestly people should have known something was wrong. Still, it appears to come from someone trusted, so many people bit the hook on the phishing.

    Luckily this was not hosting or abusing malicious code behind it. At least, from the investigating I did yesterday that was the case.

    Rules for the masses: Never open attachments you don't expect, even if you know the source. If the message subject and body look bad, the message most likely is too. Sadly even companies with massive education programs teaching these rules were beat up by this one.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:already done by ljw1004 · · Score: 1

      Rules for the masses: Never open attachments you don't expect, even if you know the source.

      This comes on the same day that we read news about a spear-phishing attempt which sends dodgy Word attachments to folks in the hospitality industry. The common comment I saw there was "If you see a document whose provenance you don't trust, then open it in Google Docs or other online document viewer, so at least you'll be safe" ... :(

    2. Re:already done by s.petry · · Score: 1

      Opening a Word document in Google Docs is a "fix" for Word macro based viruses. LibreOffice works the same (and I recommend this over Google), because neither has the same macro language nor do they allow the same activities in Macros.

      What you hint at, is making end users responsible for security. Not an easy task.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    3. Re:already done by Eeepeeep · · Score: 1

      The subject was "XXXX has shared a document on Google Docs with you". That is the exact subject format for legit use of Google Docs sharing. The To in the body was "hhhhhhhhhhhhhhhh@mailinator.com" - that should have been the giveaway. I believe most if not all email clients will display this string (my Outlook will) - however, if the phishing program had used the name from the address book (it already had the email address from the address book) then this would have fooled ever more people.