The scam appears to have affected but a few users yet was surprisingly sophisticated
Google has rushed to shutdown a phishing scam aimed at users of its Docs cloud-based service, which looked to gain access to a users contacts and email.
The search giant noted that the phishing attack takes the form of an email inviting recipients to edit a Google Docs shared document.
If users were to click on the ‘open in Docs’ prompt they were taken to a legitimate Google sign in page the asked to “continue to Docs”, which sneakily granted permissions to a third-party web app named also named Google Docs.
Phishing in Docs
Once this has been done, the app gave hackers access to a users Gmail and its address book, potentially allowing cyber criminals and hackers to spread other malware and push spam and scams further afield.
Google claims to have squashed the attack within “approximately one hour” of its detection, and has removed fake pages and applications, noting that less than 0.1 percent of Gmail users were affected by the scam.
We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” said Google. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
Google is investigating the source and make-up of the phishing scam, which was a rather sophisticated attack as instead of using a bogus Google login page it manages to work within Google’s login system while exploiting a deceptive third-party app.
While Google has blocked the attack, users of Docs and other Google productivity apps can revoke permissions to the third-party app through the settings on their account.
This year so far appears to be a good one for phishing attacks, with app and online services from the likes of McDonald’s falling victim to scammers. Annoyingly and depressingly, it look like phishing scams are not going to go away anytime soon, particularly when they can yield successful results for cyber criminals.
Quiz: Cyber security in 2017