Slashdot Mirror


Gmail, Google Docs Users Hit By Massive Email Phishing Scam (independent.co.uk)

New submitter reyahtbor warns of a "massive" phishing attack sweeping the web: Multiple media sources are now reporting on a massive Gmail/Google Docs phishing attack. The Independent is among the top publications reporting about it: "Huge numbers of people may have been compromised by the phishing scam that allows hackers to take over people's email accounts. It's not clear who is running the quickly spreading scam or why. But it gives people access to people's most personal details and information, and so the damage may be massive. The scam works by sending users an innocent looking Google Doc link, which appears to have come from someone you might know. But if it's clicked then it will give over access to your Gmail account -- and turn it into a tool for spreading the hack further. As such, experts have advised people to only click on Google Doc links they are absolutely sure about. If you have already clicked on such a link, or may have done, inform your workplace IT staff as the account may have been compromised. The hack doesn't only appear to be affecting Gmail accounts but a range of corporate and business ones that use Google's email service too. If you think you may have clicked on it, you should head to Google's My Account page. Head to the permissions option and remove the 'Google Doc' app, which appears the same as any other."

UPDATE 5/3/17: Here's Google's official statement on today's phishing attack: "We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."

2 of 60 comments

  1. Re:Just Hit by Sumus Semper Una · Score: 4, Insightful

    I wonder what percent of people actually click on these things?

    Sadly, probably more than you'd think.

    I mean, I get it. Application/computer security isn't always straightforward to the layperson, and it's sometimes hard to tell what's a vulnerability and what isn't. You get an email from someone you know (or that looks like it might have been from someone you know) and you're curious what they're sharing with you. If you're not familiar with phishing patterns and how they usually have to generalize their messages and hide reflected XSS links, it can be tricky to spot a clever phishing attempt.

    I really wish there were an easy answer. So far, my best advice to less computer savvy friends and family has been to treat any unexpected or unprecedented links or attachments in their email with suspicion. But I know that sooner or later they'll find a legitimate email that they initially thought was suspicious and start to relax their guard. If anyone has better rules of thumb for less tech savvy family and friends, I'd love to hear it.

  2. Re:Just Hit by Anonymous Coward · Score: 1, Insightful

    I wonder what percent of people actually click on these things?

    A lot, when they're sent from someone the recipient knows. That's the beauty of this worm, I guess. If you got one of these emails:

    1. It came from someone you've dealt with in the past.

    2. It actually did originate from that person's Gmail account.

    3. It was sent through Gmail's servers; there's no chain of 5 overseas bot IPs in the headers.

    4. The link actually went to accounts.google.com (eventually redirecting elsewhere).

    5. Clicking on the link brought up Google's real permissions page with information only Google could know (your other accounts, etc.).

    To a regular user, this thing looked totally legit. Even to a savvy/advanced user who knows how to inspect headers and hover over link destinations, it would still have passed the smell test. This was really, really bad.
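The five properties above mean the usual checks (sender, headers, hover-over link) all pass, because the consent page really is Google's. What those checks never show is what the authorization request asks for and which party receives the grant. The following is an added example, not code from the comment, from Slashdot or from Google: it parses an OAuth 2.0 authorization URL of the kind that link resolved to and reports the requested scopes and the redirect host. The parameter names (`client_id`, `redirect_uri`, `scope`, `response_type`) and the Gmail/contacts scope strings are Google's real identifiers; the client id, redirect URI and the sample URL itself are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Google OAuth scopes (real identifiers) that hand over mail or contact
# data; each maps to what it lets the requesting app do.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "read, send and delete all Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/contacts": "read and edit contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Constructed sample: the consent page is the real one on
# accounts.google.com, but the app (client_id and redirect_uri are made up)
# asks for full Gmail plus contacts, which is all a mail worm needs.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs.example.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)


def _is_google_host(host: str) -> bool:
    """True for google.com and its subdomains."""
    return host == "google.com" or host.endswith(".google.com")


def inspect_oauth_url(url: str) -> dict:
    """Summarise what an OAuth 2.0 authorization URL asks for.

    The returned dict has:
      consent_page_is_google  True when the page itself is accounts.google.com
      scopes                  every scope requested
      sensitive               requested scopes from SENSITIVE_SCOPES, with meaning
      redirect_host           where the authorization code/token is delivered
      warnings                human-readable findings, empty if nothing notable
    """
    parts = urlparse(url)
    params = parse_qs(parts.query)
    # Google separates scopes with spaces, which arrive URL-encoded as '+';
    # parse_qs already turns those back into spaces.
    scopes = params.get("scope", [""])[0].split()
    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).hostname or ""
    sensitive = {s: SENSITIVE_SCOPES[s] for s in scopes if s in SENSITIVE_SCOPES}

    warnings = []
    if sensitive:
        warnings.append("app asks to " + "; ".join(sensitive.values()))
    if redirect_host and not _is_google_host(redirect_host):
        warnings.append(
            f"the grant is delivered to {redirect_host}, so that party, "
            "not Google, is the one being trusted"
        )
    return {
        "consent_page_is_google": parts.hostname == "accounts.google.com",
        "scopes": scopes,
        "sensitive": sensitive,
        "redirect_host": redirect_host,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for finding in inspect_oauth_url(SAMPLE_URL)["warnings"]:
        print("WARNING:", finding)
```

The point the output makes is the one the commenter's list hides: a genuine consent page on accounts.google.com says nothing about the app, and an app whose display name is "Google Docs" but whose grant is delivered to a third-party host while asking for full Gmail access is exactly what the My Account permissions page later lets you revoke.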