If you get an email today with the header that someone wants to share a Google document with you, don’t click it; otherwise you’ll be handing over your contacts to an unknown attacker.
The assault appears to have kicked off early on Wednesday morning. The Google Docs link looks legit because apparently no one at Google thought to block someone calling their app Google Docs. Once clicked, the user will be asked to grant permissions to Docs that it doesn’t usually request and has no need for – such as providing the ability to manage your account and to read or send Gmails on your behalf.
If the permissions are granted, the software will immediately spam out the same message to all the people on your contacts list, bypassing two-factor authentication if you have that set up on your account. Here at Vulture West we’ve been getting bombarded with these emails, including some from journalists at other publications.
“There’s a very clever phishing scam going around at the moment – originally thought to be targeting journalists given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes – from orgs to schools / campuses,” said Christopher Boyd, malware intelligence analyst at Malwarebytes.
“This doesn’t mean it didn’t begin with a popped journo mailbox and spread its way out from there, or that someone didn’t intentionally send it to a number of journalists of course – but either way, this one has gone viral and not in a ‘look at the cute cat pic’ fashion.”
The emails do have some distinguishing characteristics. They use the same sender address – firstname.lastname@example.org – along with the email of the person who was foolish enough to click on the link.
If you have fallen prey to the attack, there are steps that can be taken to ameliorate the situation. Simply go into your Google account permissions page and remove all the access privileges for the Google Docs account.
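A defender-side version of that permissions review, as an added example that is not part of the original article: it flags app grants where an untrusted client presents a Google product name, holds mail or contacts scopes, or both. The grant record layout, the protected-name list and the trusted client ID are assumptions made for illustration; the scope URLs are real Google OAuth scopes.

```python
import unicodedata

# Real Google OAuth scope URLs for the access the article describes (mail, contacts).
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
}
# Assumption: product names a third-party app should not present on a consent screen.
PROTECTED_NAMES = {"google docs", "google drive", "google sheets", "gmail"}
# Constructed placeholder: client IDs your organisation has verified as first-party.
TRUSTED_CLIENT_IDS = {"TRUSTED-CLIENT-ID-PLACEHOLDER"}

def normalise(name):
    """Fold case, Unicode compatibility forms and runs of whitespace."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def review_grant(grant):
    """Return the reasons a grant needs revocation review (empty list if none)."""
    if grant["client_id"] in TRUSTED_CLIENT_IDS:
        return []
    reasons = []
    if normalise(grant["display_name"]) in PROTECTED_NAMES:
        reasons.append("untrusted client uses a protected product name")
    risky = sorted(SENSITIVE_SCOPES & set(grant["scopes"]))
    if risky:
        reasons.append("holds mail/contacts scopes: " + ", ".join(risky))
    return reasons

def high_priority(grants):
    """Users whose grant matches both signals: spoofed name and mail/contacts access."""
    return sorted(g["user"] for g in grants if len(review_grant(g)) == 2)

# Constructed sample grants; the record layout is hypothetical, not a Google API response.
GRANTS = [
    {"user": "alice", "display_name": "Google Docs", "client_id": "untrusted-1",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob", "display_name": "Google Docs", "client_id": "TRUSTED-CLIENT-ID-PLACEHOLDER",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "carol", "display_name": "Mail Merge Helper", "client_id": "untrusted-2",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
    {"user": "dave", "display_name": "GOOGLE   Docs", "client_id": "untrusted-3",
     "scopes": ["openid"]},
]

if __name__ == "__main__":
    for g in GRANTS:
        print(g["user"], review_grant(g) or "ok")
```

Grants returned by `high_priority` are the ones to revoke first; single-signal hits such as a legitimate mail add-on still need a human decision.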
Google hasn’t released an official statement; however, its Project Zero wunderkind Tavis Ormandy has confirmed that the security team is on the case. Gmail has also said it is aware of the issue.
It doesn’t appear at this point that there’s a malicious payload such as a keylogger or screenshot grabber installed, but it’s very early days yet. What is clear is that this attack is spreading like wildfire and the attackers are going to be harvesting email lists for future attacks, so let’s be careful out there. ®
Source: SANS ISC SecNewsFeed @ May 3, 2017 at 04:00PM