The Gmail logo is pictured on the top of a Gmail.com welcome page in New York Friday, April 1, 2005. Photographer: Daniel Acker/Bloomberg News.
A lot of people are getting some suspicious looking emails in their Gmail today.
The malicious messages are coming from trusted contacts, asking them to open a Google Doc. As soon as the recipient clicks through, they are asked to give away permissions to an app imitating Google Docs, namely the ability to read, send, delete and manage email, as well as manage contacts. For the user, once they’ve clicked through, nothing happens. But the attacker is effectively given access to people’s Gmail. It appears whoever created the worm used that access to contacts to spread the
It’s remarkably sophisticated and spreading like wildfire. Given how many complaints Google is receiving on Twitter, it’s likely a lot of people were affected. For now, it looks like Google has shut the attack down by revoking the app and killing the phishing pages the attacker set up.
— Zach Latta (@zachlatta) May 3, 2017
What to do
For anyone who remains concerned, there are steps they can take. First, it’s possible to note the phishing attempt by just looking at the message. It’ll typically say something like: “Mr. Attacker has invited you to view the following document.” And the recipient will be in the BCC field. That’s the first clue something phishy is going on, added to the fact that the only other visible email address in the to field is hhhhhhhhhhhhhhhh@mailinator[.]com, a temporary account on Mailinator.
Then, go to https://myaccount.google.com/permissions and revoke any permissions given to an app called Google Docs. This should prevent any problems, just in case Google hasn’t managed to get rid of the app already.
And in the future, if you’re not expecting a Google Doc and a link looks suspicious, don’t click through before validating with the sender that it’s legitimate.
There is, sadly, one big problem for victims who clicked through: the attacker could have automated their scam (likely, given how they carried out the illicit operation) and hoovered up all their Gmail already. In this case, there’s not much to be done other than hope nothing sensitive was stolen or that proactive measures are being taken against those who perpetrated the hack.
Researchers at Cisco’s security business Talos are now warning similar attacks could hit users of other massively popular web services. “Like all other creative, novel approaches it will likely be heavily copied almost immediately. Google is just one example, but there are likely other services that are used to as alternative authentication mechanisms. Two likely candidates are Facebook and LinkedIn,” they wrote in a blog post. “It’s highly likely that similar attacks leveraging those types of credentials could follow in addition to a continued Google attack vector. “
Possible Russian hack?
As the graph below from Cisco’s Talos security division shows, the attack blew up over a short period Wednesday, starting around 2.30pm ET, spiking at 3.15pm, and slowing to almost zero about an hour later.
Cisco Talos customers reported a significant spike in the Google Docs Gmail scam in mid-afternoon.
Some are suggesting that given the similarities between this fresh phishing scam and the past activity of the DNC hackers, known as APT28, the Google phishers could be the allegedly Kremlin-backed crew.
But to Jaime Blasco, chief scientist at security company AlienVault, that’s unlikely: “I don’t believe they are behind this though because this is way too widespread. Many people/organizations have received similar attempts so this is probably something massive and less targeted.”
Regardless of who’s behind this hit, it may be the biggest phishing scam we’ve seen for some time. Google says it’s taking further action to prevent similar attacks in the future, but for victims, it appears too late.
— Google Docs (@googledocs) May 3, 2017
UPDATE Google said 0.1 per cent of its users were affected by the attack. If previously reported figures of 1 billion users are correct, as many as 1 million will have seen their Gmail account data accessed.
The tech giant added: “We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed.” This may mean actual email content was not exposed, providing some succour to victims.