A new phishing attack is making the rounds through email, this time using a fake Google Docs app to trick you into granting permissions to your real Google account. The attack starts by sending you an invitation to view a document in what appears to be Google Docs. Clicking on the link takes you to a fake Google login screen, which logs you into a third-party web app that has been named “Google Docs.” Next, you are instructed to grant the web app permission to access your email and contacts list. Once the malicious web app has access to your account, the attack spreads by sending more phishing emails from “you” to your contact list.
This phishing attack is more sophisticated than other phishing attacks because it does not merely collect your username and password for your Google account. Instead, it uses social engineering to collect accounts and to spread itself across a wide range of users. By using a false domain and a misleading web app name, both of which were designed to mimic Google, the hackers were able to trick victims into granting permissions to their accounts, because Google is a well-recognized Internet and technology company. Once the hackers gained access to a victim’s account, they used social engineering again to spread the attack by sending more phishing emails from the victim’s account to their contacts list. The hackers knew that the odds of a potential victim opening the document are far higher when it comes from a trusted sender than when the email comes from a total stranger.
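The flow described above gives an administrator concrete signals to audit: a Google-branded app name, an OAuth client published by a non-Google domain, mail and contacts scopes, and a burst of users authorizing the same client as it spreads through contact lists. The following is an added example, not code from the original post or from Google; it assumes a constructed export of third-party app authorizations with the fields user, app_name, publisher, scopes and granted_at, and the sample records are constructed.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
GOOGLE_DOMAINS = {"google.com", "googleapis.com"}  # publishers entitled to the brand
BRAND_TOKENS = ("google", "gmail")                 # what the fake app's name borrowed
SENSITIVE = {"mail", "contacts"}                   # scopes the fake "Google Docs" asked for
Grant = namedtuple("Grant", "user app_name publisher scopes granted_at")  # constructed record

def impersonates_google(g):
    """Google-branded display name, but the client is not published by Google."""
    if g.publisher.lower() in GOOGLE_DOMAINS:
        return False
    return any(t in g.app_name.lower() for t in BRAND_TOKENS)

def verdict(g):
    if not impersonates_google(g):
        return "ok"
    return "revoke" if g.scopes & SENSITIVE else "review"

def burst_clients(grants, window=timedelta(hours=1), min_users=3):
    """Non-Google clients that >= min_users distinct users authorized inside one window."""
    by_client = defaultdict(list)
    for g in grants:
        if g.publisher.lower() not in GOOGLE_DOMAINS:
            by_client[(g.app_name, g.publisher)].append((g.granted_at, g.user))
    flagged = set()
    for client, events in by_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            if len({u for t, u in events[i:] if t - t0 <= window}) >= min_users:
                flagged.add(client)  # spread through contact lists looks exactly like this
                break
    return flagged

def audit(grants):
    """(user, app_name, verdict) for every grant that needs action."""
    bursts = burst_clients(grants)
    findings = []
    for g in grants:
        v = verdict(g)
        if v == "ok" and (g.app_name, g.publisher) in bursts:
            v = "review"  # not Google-branded, but spreading fast across the tenant
        if v != "ok":
            findings.append((g.user, g.app_name, v))
    return findings

# Constructed sample: three victims authorized the look-alike app within 20 minutes.
T0 = datetime(2017, 5, 3, 14, 0)
SAMPLE = [Grant(u, "Google Docs", "docs-invite.example", frozenset({"mail", "contacts"}),
                T0 + timedelta(minutes=m)) for u, m in (("alice", 0), ("bob", 7), ("carol", 19))]
SAMPLE.append(Grant("dave", "Google Drive", "google.com", frozenset({"drive"}), T0))
```

Running audit(SAMPLE) returns a "revoke" finding for alice, bob and carol and nothing for dave, whose app is published by google.com.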
Google issued the following statement in response to the attack:
“We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
As of February 2016, Gmail logs more than 1 billion monthly active users. Even though the per capita attack rate is only about 0.001% of all Google accounts, this attack demonstrates that Internet users must become even more vigilant in protecting data as hackers develop and use increasingly sophisticated phishing attacks. Not clicking on unsolicited or suspicious links in an email is the first step to protecting your accounts from compromise, but your information security strategy cannot stop there. Incorporating data protection strategies like these into your company’s employee information security training program, and periodically testing employee retention of those policies through internal phishing campaigns, are two ways to prevent unauthorized access to your company’s data.
For help responding to a data breach, or for advice on avoiding phishing scams like this, please contact the author or a member of Polsinelli’s Privacy and Data Security team.