Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail, Google Docs Users Hit By Massive Email Phishing Scam (independent.co.uk)

Posted by BeauHD on from the be-on-the-look-out dept.

New submitter reyahtbor warns of a "massive" phishing attack sweeping the web: Multiple media sources are now reporting on a massive Gmail/Google Docs phishing attack. The Independent is among the top publications reporting about it: "Huge numbers of people may have been compromised by the phishing scam that allows hackers to take over people's email accounts. It's not clear who is running the quickly spreading scam or why. But it gives people access to people's most personal details and information, and so the damage may be massive. The scam works by sending users an innocent looking Google Doc link, which appears to have come from someone you might know. But if it's clicked then it will give over access to your Gmail account -- and turn it into a tool for spreading the hack further. As such, experts have advised people to only click on Google Doc links they are absolutely sure about. If you have already clicked on such a link, or may have done, inform your workplace IT staff as the account may have been compromised. The hack doesn't only appear to be affecting Gmail accounts but a range of corporate and business ones that use Google's email service too. If you think you may have clicked on it, you should head to Google's My Account page. Head to the permissions option and remove the 'Google Doc' app, which appears the same as any other." UPDATE 5/3/17: Here's Google's official statement on today's phishing attack: "We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."

10 of 60 comments (clear)

  1. Re:How ? by Archangel+Michael · · Score: 2, Informative

    Clicking the link doesn't hack the account. Adding permissions does. There is another "allow" button that actually causes the "hack" to work.

    Change your passwords folks.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  2. Re:How ? by Anonymous Coward · · Score: 5, Informative

    Changing a password doesn't invalidate the given app permissions if a user falls victim to this. The user's password isn't given over to the attacker. Changing the user's password won't do anything.

  3. Better Explanation by jetkust · · Score: 4, Informative

    Also with a gif of the attack.
    http://bgr.com/2017/05/03/goog...

    "It starts with an email from a known contact, which says that the person has shared a Google Doc with you. You’re invited to click the link to open, which redirects you to a legitimate Google sign-in page. You’re prompted to select one of your Google accounts (remember: this is all using Google’s normal sign-in system), and then authorize a legit-looking app called “Google Docs” to manage your emails."

    "That’s how the scam works: the app called “Google Docs,” which requests permission to read, send and delete emails, isn’t really a Google app. Rather, it’s an app controlled by the hackers. It seems that once it has permission to manage your email, it secretly sends out a bunch of emails to all your contacts, with the same phishing link."

  4. Re:Google Account by David_Hart · · Score: 5, Informative

    Story is wrong.. there is no Permissions section

    The proper path is My Account, Sign-in & Security, Connected Apps and sites, Manage Apps. You'll see a list of Apps, just make sure that you haven't given permissions to the Google Docs app. If you have, click on the Google Docs app and click on Remove.

  5. Google is on top of it by Mr.Intel · · Score: 4, Informative

    Had an acquaintance get hit with this and received the phishing attempt. Didn't click the link because of the red flags (non-specific document name and the TO address) but sent him a warning and a link to this story. He replied telling me he knew about it and their IT department was handling it. I replied back but it bounced. I changed the subject, removed the phishing link in the quoted email thread and it went through. Looks like google is blocking these messages from being sent/received at all. Fairly recent change as well.

    --
    ASCII tastes bad dude.
    Binary it is then.
  6. Re:How ? by xxxJonBoyxxx · · Score: 5, Informative

    Here's how it appears to work:
    1) Phishing email appears to come from one of your associates (in the "from" name as the "hhh...@mailinator.com" is the address a dead giveaway to suspicious folks)
    2) You click on the link and it bounces you through a Google Oauth request, with parameters that will ask you to authorize either googledocs.gdocs.pro or googledocs.docscloud.win (either way, an attack site)
    3) You click "Yes, I'd like to authorize..."
    4) You end up on the attack site, and it grabs your contacts (except those with "google", "keeper" or "unty" in the name) and sends a fresh phishing email to all of them in slightly staggered batches

    Basically, it's an email worm that bounces through an attack site. Fortunately it uses an Oauth2 request, so Google probably spiked it by killing the client API ID, killing some domains, and also appears to have changed something else too. If the author had been a little more subtle, he would now have backdoors into the Gmail/Gdocs of hundreds of thousands of users. Instead, by scraping/spamming all contacts, he got detected and crushed.

  7. Re:How ? by fluffernutter · · Score: 3, Informative

    It looks like it is an OAuth confirmation. In that case all you need to do is say 'yes' and mystery website gets an access key for your account.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  8. Could you have submitted a worse link? by Pollux · · Score: 4, Informative

    Comment to submitter... next time, please find an article that provides a much better summary without all the gratuitous clickbait links, please. Like this one, or this one.

    Anyways, in short, the doc makes an OAuth request for access to the user's e-mail and contacts. And since every user blindly accepts permissions such as these whenever they add an app to their phone, we had a lot of users at our district click "Accept".

    Mod points to anyone who can parse the source code and summarize what it does, besides mass-email everyone in the contact list a copy of itself.

  9. Re:How ? by Anubis+IV · · Score: 5, Informative

    This is what's happening:
    1) You receive a convincing looking e-mail from a known contact, apparently sharing a Google Doc with you.

    2) Following the "Open the Doc" link directs you to Google's real pages for logging in, followed up by being prompted to grant permission to "Google Docs" to read, send, delete, and manage your e-mail, as well as your contacts. Clicking on "Google Docs" reveals that it's not the real app, but rather an app with the same name that's linked to some random gmail address. Again, all of this is still via Google's real pages.

    3) If you grant permission, you're compromised, because you've effectively given a rogue app full access to your account via the app API. They have full access to your e-mails and contacts, and will send e-mails to all of your contacts indicating that you shared a doc with them, thus perpetuating the scam.

    Notably, resetting your password will not revoke the scammer's access. Because you've granted the fake "Google Docs" app full permission to access your account via the app API, they have no need for your password. The best way to remove their access is by going to this Google page and removing access for the fake "Google Docs" app.

  10. Only apps can app apps! by Anonymous Coward · · Score: 2, Informative

    This is just an app doing what apps do: apping other apps! Only LUDDITES hate apps that app other apps!

    Apps!