We got several reports (thanks to Seren Thompson, Tahir Khan and Harry Vann) about OAuth phishing attacks against Google users. The phishing attack arrives, of course, as an e-mail where it appears that a user (potentially even one on your contact list, so it looks very legitimate) has shared a document.
An image of such an e-mail is shown below:
If you click on the link (Open in Docs), you will be redirected to the OAuth2 service on accounts.google.com – the target URL will look like this:
In the browser, this is what you get:
As you can see, it appears as if Google Docs wants full access to my Gmail as well as my contacts. Of course, this is not the real Google Docs – the attacker has simply named his “application” Google Docs – this can be verified by clicking on the Google Docs text, which shows the real web site behind it and the developer info:
Obviously, once you allow access it is game over – the attacker probably uses the phished Gmail account to further distribute phishing e-mails – we’ll see if we can get more details.
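To triage links like the one described above, the following added example (not part of the original diary) parses a Google OAuth2 consent URL and flags requests for Gmail or contacts scopes whose redirect_uri host is not on an approved list. The sample URL, client ID, redirect host and allow-list are constructed placeholders; the scope URIs are Google's published ones.

```python
from urllib.parse import urlsplit, parse_qs

# Google scope URIs that grant mailbox or address-book access.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/gmail.readonly": "read Gmail",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Assumption: redirect hosts your organisation has approved for OAuth apps.
APPROVED_REDIRECT_HOSTS = {"intranet.example.org"}

# Constructed sample (placeholder client ID and redirect host, not from the diary).
SAMPLE = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
    "&response_type=code&access_type=offline"
)


def triage_consent_url(url):
    """Return findings for a Google OAuth2 authorization URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "accounts.google.com":
        return None
    if not parts.path.startswith("/o/oauth2/"):
        return None
    query = parse_qs(parts.query)
    # Scopes are space-delimited; parse_qs has already decoded '+' and %20.
    scopes = query.get("scope", [""])[0].split()
    redirect_host = urlsplit(query.get("redirect_uri", [""])[0]).hostname or ""
    risky = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    unapproved = redirect_host not in APPROVED_REDIRECT_HOSTS
    return {
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "risky_scopes": risky,
        "unapproved_redirect": unapproved,
        # Broad mailbox/contacts access going to an unknown host is the pattern here.
        "suspicious": bool(risky) and unapproved,
    }


if __name__ == "__main__":
    print(triage_consent_url(SAMPLE))
```

The displayed application name is chosen by the developer, so the check relies on the client ID, scopes and redirect host rather than on what the consent screen calls the app.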
So far at least the following domains are included:
The domains are definitely malicious – the URL leads to jsserver.info where a fake alert that the computer is infected is shown.
Source: SANS Internet Storm Center, InfoCON: green @ May 3, 2017 at 02:39PM