Experts noted that the sophisticated nature of this phishing campaign is what made it so tough to detect. The scam managed to affect 1 million accounts before Google was able to address the threat.
WHAT SHOULD YOU DO?
If you were a victim of this phishing scam and think your account may have been affected, follow these tips to protect your account:
Revoke the attacker’s access in your Google Permissions settings. Only the malicious Google Docs app will appear in this section – deleting it will not impact your legitimate Google Doc services.
Change your password. This can prevent hackers from accessing your account again in the future.
Turn on two-step verification. Enabling this feature adds an extra layer of protection to your account by requiring more than one form of verification to access your account.
Run a Google Security Checkup. Google’s security feature will verify that your account is only accessible to you.
This fake Google Doc was different than other phishing emails because hackers used a legitimate Google permissions feature to gain access to accounts. Affected users received an email that invited them to view a fake Google Doc. If the link was clicked, victims were redirected to a real Google page requesting account access to the fake app.
Unlike traditional phishing tactics that focus on stealing passwords, hackers were given direct access to victims’ accounts without needing to first obtain user logins. Hackers took advantage of Google’s legitimate security mechanisms by using real Google pages, making the scam nearly impossible to detect.
The phishing ploy gave hackers full access to victims’ email accounts – including email history and contact lists. Hackers quickly triggered password reset requests on other sites, like online banking, social media and online shopping websites, that had accounts associated with the compromised Gmail addresses.
View the tweets below to see how this scam works:
— Zach Latta (@zachlatta) May 3, 2017
Phish Meets Worm
Another component of the Google Doc phishing email was that it appeared to come from someone in the victim’s contacts. However, a closer look reveals that while the sender name appeared to be a known contact, the email address read “hhhhhhhhhhhhhhhh@mailinator[.]com.”
The fake app was a malicious program known as a worm, which was programmed to replicate itself and continue the attack through a victim’s contact list. Once inside, the worm quickly sends fake Google Doc emails to the victim’s contact list – increasing the reach of the malicious email to more Gmail accounts.
Google resolves threat
Google stated that it had resolved the issue and that no other Gmail users were at risk. However, it’s an important reminder to double check that the sender name and associated email address match. Furthermore, never click on links or interact with suspicious emails — it’s best to delete them immediately.
Keep following Fighting Identity Crimes to stay up-to-date on the latest breach and scam news, as well as relevant tips from our industry experts to help continue protecting your identity.
The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.