It was just last week that we covered the Punycode phishing attack. A week before that, we were talking about fake VPN services pretending to be affiliated with legit, big name services. Today's phishing attack masquerades as a Google Docs file. The short version: you get an invite to a Google Docs file. If you open it and grant the extra bit of access it asks for, you hand someone else access to your email. Everything from the sharing email you receive to the account selection page is genuinely Google's, right up until the 'document' asks for permission to access your email; that permission goes to a third-party app that merely calls itself Google Docs. The good news is that a Googler quickly spotted the attack reported on Reddit and shut it down. The details are below.
The Google Docs Phishing Scam
Reddit user JakeSteam posted in r/Google about how he almost fell for this new Google Docs phishing scam. The email was real, the account selection screen was real, and the sender looked familiar. What tipped him off was the extra bit of access he was asked to grant.
This specific permission would have allowed the app calling itself 'Google Docs' to access his email (image credit: Reddit user JakeSteam). When Jake clicked on 'Google Docs' in the permission prompt, it turned out to be not the actual Google Docs app but something published by a Gmail account he didn't recognize.
What’s At Risk?
The 'Google Docs' here is really a third-party app, and it's asking for access to your email. Grant it, and the access Google issues goes to whoever published the app, not to Google Docs. Anyone who can read your email can reset every password on every account you own. This includes online banking accounts, Dropbox, Facebook, Twitter, and more.
It's clever because the app calls itself 'Google Docs'. The email Jake received said a Google Docs file had been shared with him, so a less diligent user assumes this is just Google Docs asking for one more permission. Ordinary users don't pay much attention to what permissions a trusted app asks for, and nothing on the prompt makes it obvious that the name shown is supplied by the app's developer rather than by Google. In a way, this is like the fake VPN scam that pretended to be affiliated with Plex.
Except in this case it's not pretending to be affiliated. It's pretending to be the trusted app itself.
Google Is On It
Jake posted this to Reddit, where a Googler was quick to spot it and escalate it. Within hours, the problem was resolved. We're hoping it's resolved for good and not just for this one app, because there could be other scams waiting to strike.
The scam was possible because Google didn't stop developers from naming their apps 'Google Docs', even though it's a proprietary name. Let's hope they've put a stop to that now, or will in the very immediate future. Stay diligent.
Update: The official Google Docs account on Twitter has released a series of statements confirming the scam and its resolution.
— Google Docs (@googledocs) May 3, 2017
What To Do If You're Affected
Of course, you might already be affected. In that case, Reddit Superhero and all-around good guy JakeSteam has a few tips for you.
- Visit your Google account's permissions page (myaccount.google.com/permissions) and revoke access for any third-party app called 'Google Docs'. The real Google Docs doesn't need any extra permissions to work, so a 'Google Docs' entry in that list is never legitimate.
- Check whether your account has been sending out spam, and get in touch with anyone who received it from you. Tell them what's going on.
- If you know the person who sent you the Google Docs invite, get in touch with them and tell them their account is compromised.
- Finally, if you're a Google business account (G Suite) admin, make sure none of your users' accounts have granted access to an app called 'Google Docs'.
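The admin step above is tedious to do by hand across a whole domain. Below is an added example (not from the original post or from JakeSteam) that audits the third-party grants an admin can pull per user from the Admin SDK Directory API `tokens.list` call. It assumes the response shape is a dict with an `items` list whose entries carry `userKey`, `clientId`, `displayText` and `scopes`; the sample response embedded in the block is constructed, not real output, and the client IDs in it are made up. Any grant whose display name is a Google product name is flagged for revocation, because Google's own apps never show up as third-party grants, so such a name is always a spoof; grants with merely risky scopes are flagged for review.

```python
"""Audit third-party OAuth grants for apps impersonating Google products.

Added example; it assumes the Admin SDK Directory API tokens.list response
shape (items with userKey, clientId, displayText, scopes). SAMPLE_TOKENS_RESPONSE
below is constructed data, not real API output.
"""
import re
import unicodedata

# Scopes that hand an app the keys to an account. Full mail access is what the
# fake 'Google Docs' app asked for; contacts let a worm pick its next victims.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
    "https://www.googleapis.com/auth/drive": "full Drive access",
}

# Display names no third-party app has a legitimate reason to use. Google's own
# products are never listed as third-party grants, so any match is a spoof.
GOOGLE_PRODUCT_NAMES = re.compile(
    r"^\s*(google\s*)?(docs|drive|sheets|slides|gmail|calendar|photos)\s*$",
    re.IGNORECASE,
)


def normalize_name(text):
    """Fold lookalike forms (fullwidth letters, zero-width joiners) before matching."""
    text = unicodedata.normalize("NFKC", text or "")
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def is_spoofed_name(display_text):
    return bool(GOOGLE_PRODUCT_NAMES.match(normalize_name(display_text)))


def risky_scopes(scopes):
    return [s for s in scopes if s in HIGH_RISK_SCOPES]


def find_suspicious_tokens(tokens_response):
    """Return grants to act on: 'revoke' for spoofed names, 'review' for risky scopes."""
    findings = []
    for tok in tokens_response.get("items", []):
        reasons = []
        spoofed = is_spoofed_name(tok.get("displayText"))
        if spoofed:
            reasons.append("display name impersonates a Google product")
        for scope in risky_scopes(tok.get("scopes", [])):
            reasons.append("high-risk scope: " + HIGH_RISK_SCOPES[scope])
        if reasons:
            findings.append({
                "userKey": tok["userKey"],
                "clientId": tok["clientId"],
                "displayText": tok.get("displayText"),
                "action": "revoke" if spoofed else "review",
                "reasons": reasons,
            })
    return findings


def revocation_plan(findings):
    """(userKey, clientId) pairs to feed to tokens.delete, one call per pair."""
    return [(f["userKey"], f["clientId"]) for f in findings if f["action"] == "revoke"]


# Constructed sample: one spoofed grant, one benign grant, one legit-but-powerful grant.
SAMPLE_TOKENS_RESPONSE = {
    "kind": "admin#directory#tokenList",
    "items": [
        {"userKey": "alice@example.com",
         "clientId": "111111111111-abc123.apps.googleusercontent.com",
         "displayText": "Google Docs",
         "scopes": ["https://mail.google.com/",
                    "https://www.googleapis.com/auth/contacts"]},
        {"userKey": "bob@example.com",
         "clientId": "222222222222-def456.apps.googleusercontent.com",
         "displayText": "Team Calendar Sync",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
        {"userKey": "carol@example.com",
         "clientId": "333333333333-ghi789.apps.googleusercontent.com",
         "displayText": "Mail Backup Tool",
         "scopes": ["https://mail.google.com/"]},
    ],
}

if __name__ == "__main__":
    for finding in find_suspicious_tokens(SAMPLE_TOKENS_RESPONSE):
        print(finding["action"].upper(), finding["userKey"], finding["displayText"],
              "|", "; ".join(finding["reasons"]))
```

In a real domain you would call `tokens.list` for each user and concatenate the `items` before passing them in, then pass each pair from `revocation_plan` to `tokens.delete`. The name normalisation matters because a display name is free text chosen by the app's developer: 'Google Docs' with a zero-width space or fullwidth letters looks identical on the consent screen but would slip past a plain string comparison.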