Student claims Google Docs blast was a test, not a phishing attempt

Last night, news and social media sites were ablaze with word of a new phishing campaign using fake Google Doc sharing emails to lure its prey.

Now, Coventry University student Eugene Pupov has come forward claiming he sent the emails to test a program created for a graduate final. It was in no way designed as a phishing attack, he said.

His angst over being accused of phishing is apparent in his Twitter stream:

Cries of phishing

At the time of writing, Pupov hadn’t returned messages seeking comment (if he responds, we’ll update this article). But if what he says is true, the whole affair has to be unnerving. This story was carried by news outlets large and small, with ominous headlines about phishing attacks disguised as Google Doc access emails.

Google itself confirmed it was investigating phishing attempts last night:

Users realize something isn’t right

Twitter was full of messages from people who received such messages. On the surface, it appears folks realized quickly that something wasn’t right with these links:

Google acted quickly, announcing steps users could take if they had indeed clicked on the link:

Is he for real?

It remains to be seen if Pupov’s claims are genuine. An email we sent to his Gmail account promptly bounced back, and we’re still waiting for him to respond to our questions via Twitter. One question we have: what was the exact purpose of his project?

Other security experts, meanwhile, have pointed out that Pupov’s claims have not yet been independently verified.

Phishing defensives

Though this case might be a false alarm, phishing attacks happen daily, and attacks using Google Docs have happened before. To that end, some tips are in order:

  • Be careful what you click. This one is painfully obvious, but users need a constant reminder.
  • Check the address bar for the correct URL. The address bar in your web browser uses a URL to find the website you are looking for. The web address usually starts with either HTTP or HTTPS, followed by the domain name. The real websites of banks and many others use a secure connection that encrypts web traffic, called SSL or HTTPS. If you are expecting a secure HTTPS website for your bank, for example, make sure you see a URL beginning with https://before entering your private information.
  • Look for the padlock for secure HTTPS websites. A secure HTTPS website has a padlock icon to the left of the web address.
  • Consider using two-factor authentication for more security. When you try to log into a website with two-factor authentication (2FA), there’s an extra layer of security to make sure it’s you signing into your account.
  • Keep an eye on Twitter: As the Google Doc phishing attempt demonstrates, Twitter is a great early-warning system. There’s little doubt that the tweeted warnings saved people from becoming victims.

Source: Naked Security – Sophos @ May 4, 2017 at 06:55AM