May 04, 2017 by The GLS Team
Google took an unprecedented step this week by publicly warning followers on Twitter and other channels about a sophisticated new phishing scheme targeting Google Doc users. Like all phishing scams, this one attempted to gather information and gain access to your accounts; unlike most phishing attempts, this one was polished and sophisticated.
Designed to look like an email from someone you know and trust, the latest scam asks you to click on a “Google Doc” link to access a file or document. Since the email was very convincing and seemed to be from someone you know – either a coworker, friend or family member – it was fooling quite a few users into taking the bait.
How the Google Docs Scam Works
The emails sent to victims were created using OAuth credentials from real Google accounts, so they looked exactly like you would expect an email from a friend or colleague to look. A look at the headers and the sending address wouldn’t reveal the attack; the messages legitimately came through the Gmail system.
Once you clicked “Open in Docs” you were presented with a real-looking page asking you to tie your real Google account to a fake (but convincing) app named “Google Docs.” Once you agreed, the fake app then requested full access to your Google account.
Spreading Like the Common Cold
Once the fake app had control of the victim’s email account, it didn’t stop there. It began automatically creating new copies of the same convincing message and sending them to everyone in the victim’s contact list. Once sent, the messages were deleted from the “Sent” folder of the victim’s Gmail account, leaving no trace of the activity behind. This delivery method caused the phishing attack to spread through organizations and social groups in record time.
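The weak point in this scheme is the consent screen: the only thing separating the fake “Google Docs” app from the real one was who published it and what it asked for. The script below is an added example, not code from GLS or from Google, that audits a constructed list of third-party app authorizations and flags the combination the attack relied on: a Google product name on an app whose developer is not Google, asking for mail or contacts access. The record layout, the developer-email heuristic and the sample data are assumptions; the scope strings follow Google’s published scope URL pattern.

```python
"""Audit third-party OAuth grants for apps that impersonate Google products."""
from dataclasses import dataclass, field

# Product names a third-party client should never present on a consent screen.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "gmail", "google sheets"}

# Scopes that let an app read the address book or send mail as the user
# (string shapes follow Google's published scope URLs; treated as illustrative).
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts.readonly",
}


@dataclass
class Grant:
    app_name: str            # display name shown on the consent screen
    developer_email: str     # developer contact shown under the app name
    scopes: set = field(default_factory=set)


def impersonates_google(grant: Grant) -> bool:
    """Heuristic (assumed): a Google product name on a non-Google developer."""
    name_matches = grant.app_name.strip().lower() in GOOGLE_PRODUCT_NAMES
    developer_is_google = grant.developer_email.lower().endswith("@google.com")
    return name_matches and not developer_is_google


def flag_suspicious_grants(grants):
    """Return (app_name, developer_email, sorted risky scopes) for grants to revoke."""
    flagged = []
    for g in grants:
        risky = g.scopes & SENSITIVE_SCOPES
        if impersonates_google(g) and risky:
            flagged.append((g.app_name, g.developer_email, sorted(risky)))
    return flagged


# Constructed sample grants; the middle one mirrors the 2017 lure's shape.
SAMPLE_GRANTS = [
    Grant("Google Drive", "drive-team@google.com", {"https://mail.google.com/"}),
    Grant("Google Docs", "someone@example.com",
          {"https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"}),
    Grant("Expense Tracker", "dev@example.net", {"https://www.googleapis.com/auth/gmail.send"}),
]

if __name__ == "__main__":
    for name, dev, scopes in flag_suspicious_grants(SAMPLE_GRANTS):
        print(f"REVIEW/REVOKE: '{name}' by {dev} holds {', '.join(scopes)}")
```

Only the second record is reported: the first carries a Google developer address, and the third uses its own name even though it can send mail.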
Key Takeaways from the Google Docs Attack
What can we learn from this recent attack?
Hackers are becoming more sophisticated – you can’t rely on poor spelling or even a quick look at the header to reveal the signs of a scam.
The right attack will spread quickly, too quickly even for a large, invested organization like Google to stop it before it impacts you.
Never click on a link in an email you did not specifically ask for or were not already expecting, and don’t grant access to your Gmail account for any reason.
Access to your email account could be access to everything from your sensitive work files to your personal bank account, so this type of phishing attack can have a big impact on victims.
Protect Yourself and Your Business from Phishing
While the heads-up from Google was helpful, you can’t rely on a big provider to let you know there’s a problem or threat every time one arises. Educating yourself and your staff about the ways a cybercriminal could try to infiltrate your business or identity can keep you from becoming a victim. If you are worried about the increasing sophistication of phishing scams and concerned about falling for one, we can help. Our anti-phishing training is designed to help you spot a phishing scam with ease and stop a would-be scammer in his tracks. Contact us to learn how easy it is to protect your assets and network from sophisticated criminals seeking to do you harm.