Someone Hit the Internet with a Massive Google Doc Phishing Attack

PSA: don’t click on random Google Doc links.

|
May 3 2017, 7:21pm

Image: Maksimilian/Shutterstock

A massive phishing campaign targeting Google accounts ripped through the internet on Wednesday afternoon.

Several people online across a range of industries said they received emails containing what looked like a link to a Google Doc that appeared to come from someone they know. These, however, were malicious emails designed to hijack their accounts.

If you have clicked on the link, go to your Google account's page (https://myaccount.google.com/permissions) where you can manage the permissions you've granted to apps (or go through the whole Google Security Checkup). Then locate the "Google Doc" app. This looks totally legitimate, but it's actually not. If that's the malicious app that's gotten access to your account after you clicked on the link it should have a recent "Authorization Time." Now, click on that Google Docs app and click "Remove".

The malicious emails all appeared to look like this one below, and were addressed to "hhhhhhhhhhhhhhhh@mailinator.com" with recipients BCCed:

Several people within VICE have received similar emails. The emails come from someone whom you might know, or might be in your contacts. Judging from people commenting on Twitter, this appears to be happening all over the place.
So if you have received an email like this, don't click on the link, and tell your IT or digital security folks.

Read more: Would You Click on These Fake Gmail Alerts?

It's unclear exactly how the attack works at the moment, but it does appear to be highly sophisticated. A Reddit user has a good breakdown of what happens exactly when you click on the Google Doc button. In a few words, when you click on the link, the login screen takes you to a genuine Google domain, but that domain asks you to grant access to an app called Google Docs that is not the real Google Docs.

And the "Google Docs" app reads all your email and contacts, and then self-propagates by sending more emails.

We've also heard reports that Google Drive was down, and experienced the outage ourselves, but cannot yet confirm if that is related to the attack. (It'd be a hell of a coincidence, although Drive appears to be working again.)

About an hour after the first reports of phishing emails surfaced, Google appeared to begin preventing the emails from spreading. A colleague of mine forwarded me the phishing email to a throwaway Gmail account from several different addresses, and the email was not delivered.

Also, someone identifying as a Google employee said on a Reddit thread that the issue "is now resolved." And the original malicious, phishing link apparently isn't working anymore for some users.

"We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts," Google said in a statement sent to Motherboard. "We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."

In a subsequent statement, Google said that the phishing campaign was halted "within approximately an hour" and that it "affected fewer than 0.1% of Gmail users." While that sounds low, considering that Gmail has around 1 billion users, that's still around one million victims.

This post has been updated.

Jason Koebler contributed reporting.

Subscribe to Science Solved It, Motherboard's new show about the greatest mysteries that were solved by science.