A new phishing attack has appeared in inboxes around the world that masquerades as an email contact sharing a Google Doc.
The emails appear to originate from a legitimate account: each is addressed to firstname.lastname@example.org, with dozens of the sender's contacts blind carbon copied (bcc).
Clicking the “Open in Docs” button on the standard Gmail sharing pop-up takes users to a link that opens the document, which redirects them to a legitimate Google sign-in page.
Users are then prompted to select one of their Google accounts using Google’s normal sign-in system and asked to authorise an app called “Google Docs” to manage emails.
However, the app called “Google Docs,” which requests permission to read, send, and delete emails, is not a real Google app.
Granting that authorisation hands the attacker access to the account, which is then hijacked and used as an infection vector, sending the same message to every contact the user has ever emailed.
Because access is granted to the app rather than obtained with the user's password, the attack also bypasses two-factor authentication and login alerts.
Users who have clicked “Allow” have fallen victim to the campaign.
If the scam has made its way into a user’s Gmail account, the access can be revoked by removing the false “Google Docs” app via Google’s Security Checkup page. Google has asked customers to remove any apps they do not recognise.
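The review Google recommends on the Security Checkup page can be turned into a checklist: does a granted app borrow a Google product name without being published by Google, which high-risk mail and contact scopes does it hold, and could the combination let it mail itself to the user's contacts? The script below is an added illustration written for this article, not Google tooling. It assumes a simplified record of "third-party apps with account access" (app name, developer, scopes, client id); the records, developer names and client ids are constructed sample data, while the scope URLs are the real Gmail and People API scopes.

```python
"""Triage third-party OAuth grants for the pattern the fake "Google Docs" app used.

Added example for this article, not Google's code. The OAuthGrant record is an
assumed, simplified form of the Security Checkup app list; all sample grants
below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Real Google OAuth scopes that grant mailbox or contact access, with what they allow.
HIGH_RISK_SCOPES: Dict[str, str] = {
    "https://mail.google.com/": "full read, send and delete access to the mailbox",
    "https://www.googleapis.com/auth/gmail.modify": "read, compose, send and label mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts.readonly": "read the user's contacts",
    "https://www.googleapis.com/auth/contacts": "read and edit the user's contacts",
}
SEND_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/contacts",
}
# First-party product names a third-party app has no legitimate reason to use as its own.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "gmail", "google"}


@dataclass
class OAuthGrant:
    app_name: str
    developer: str        # publisher shown to the user (assumed field)
    scopes: List[str]
    client_id: str        # constructed placeholder, not a real OAuth client id


@dataclass
class Finding:
    app_name: str
    impersonates_google: bool = False
    risky_scopes: List[str] = field(default_factory=list)
    can_self_propagate: bool = False
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.impersonates_google or bool(self.risky_scopes)


def assess_grant(grant: OAuthGrant) -> Finding:
    """Score one grant: name impersonation, high-risk scopes, worm potential."""
    finding = Finding(grant.app_name)
    name = grant.app_name.strip().lower()
    if name in GOOGLE_PRODUCT_NAMES and grant.developer.strip().lower() != "google":
        finding.impersonates_google = True
        finding.reasons.append(
            f"name mimics a Google product but developer is {grant.developer!r}")
    held = set(grant.scopes)
    finding.risky_scopes = sorted(held & HIGH_RISK_SCOPES.keys())
    for scope in finding.risky_scopes:
        finding.reasons.append(f"{scope}: {HIGH_RISK_SCOPES[scope]}")
    # Read contacts + send mail is exactly what let the campaign resend itself.
    if held & SEND_SCOPES and held & CONTACT_SCOPES:
        finding.can_self_propagate = True
        finding.reasons.append("can enumerate contacts and send mail: self-propagation possible")
    return finding


def audit_grants(grants: List[OAuthGrant]) -> List[Finding]:
    """Return findings for every grant that deserves a second look (or revocation)."""
    return [f for f in (assess_grant(g) for g in grants) if f.suspicious]


# Constructed sample data: one impersonating app, one benign app, one over-privileged app.
SAMPLE_GRANTS = [
    OAuthGrant("Google Docs", "Unknown developer",
               ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly"],
               "CONSTRUCTED-CLIENT-ID-1"),
    OAuthGrant("Calendar Sync Tool", "Example Corp",
               ["https://www.googleapis.com/auth/calendar.readonly"],
               "CONSTRUCTED-CLIENT-ID-2"),
    OAuthGrant("MailMerge Helper", "Example Corp",
               ["https://www.googleapis.com/auth/gmail.send"],
               "CONSTRUCTED-CLIENT-ID-3"),
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"[{'REVOKE' if f.impersonates_google else 'REVIEW'}] {f.app_name}")
        for r in f.reasons:
            print("   -", r)
```

Run as-is it prints the impersonating "Google Docs" grant as REVOKE (name mismatch, full mailbox access, contact read, self-propagation) and the mail-merge app as REVIEW for its send scope, while the calendar tool is silent. The point of the three checks is that the name alone is not the signal; the same scope combination under an innocuous name would still be flagged.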
In a statement, Google said it has taken action to protect users against the email impersonating Google Docs and has also disabled offending accounts.
“We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again,” Google posted on Twitter.
“We encourage users to report phishing emails in Gmail.”
Source: SANS ISC SecNewsFeed @ May 3, 2017 at 07:00PM