A Massive Google Docs Phish Might Have Stolen A Load Of Gmail Accounts (Forbes)

The Gmail logo is pictured on the top of a Gmail.com welcome page in New York Friday, April 1, 2005. Photographer: Daniel Acker/Bloomberg News.

A lot of people are getting some suspicious looking emails in their Gmail today.

The malicious messages are coming from trusted contacts, asking them to open a Google Doc. As soon as the recipient clicks through, they are asked to give away permissions to an app imitating Google Docs, namely the ability to read, send, delete and manage email, as well as manage contacts. For the user, once they’ve clicked through, nothing happens. But the attacker is effectively given access to people’s Gmail. It appears whoever created the worm used that access to contacts to spread the

It’s remarkably sophisticated and spreading like wildfire. Given how many complaints Google is receiving on Twitter, it’s likely a lot of people were affected. For now, it looks like Google has shut the attack down by revoking the app and killing the phishing pages the attacker set up.

For anyone who remains concerned, there are steps they can take. First, it’s possible to note the phishing attempt by just looking at the message. It’ll typically say something like: “Mr. Attacker has invited you to view the following document.” And the recipient will be in the BCC field. That’s the first clue something phishy is going on.

Then, go to https://myaccount.google.com/permissions and revoke any permissions given to an app called Google Docs. This should prevent any problems, just in case Google hasn’t managed to get rid of the app already.

And in the future, if you’re not expecting a Google Doc and a link looks suspicious, don’t click through before validating with the sender that it’s legitimate.

There is, sadly, one big problem for victims who clicked through: the attacker could have automated their scam (likely, given how they carried out the illicit operation) and hoovered up all their Gmail already. In this case, there’s not much to be done other than hope nothing sensitive was stolen or that proactive measures are being taken against those who perpetrated the hack.

Possible Russian hack?

Some are suggesting that given the similarities between this fresh phishing scam and the past activity of the DNC hackers, known as APT28, the Google phishers could be the allegedly Kremlin-backed crew.

But to Jaime Blasco, chief scientist at security company AlienVault, that’s unlikely: “I don’t believe they are behind this though because this is way too widespread. Many people/organizations have received similar attempts so this is probably something massive and less targeted.”

Regardless of who’s behind this hit, it may be the biggest phishing scam we’ve seen for some time. Google says it’s taking further action to prevent similar attacks in the future, but for victims, it appears too late.

Got a tip? Email at TFox-Brewster@forbes.com or tbthomasbrewster@gmail.com for PGP mail. Get me on Signal on +447837496820 or use SecureDrop to tip anyone at Forbes.

Source: SANS ISC SecNewsFeed @ May 3, 2017 at 06:12PM