Phishing Scammers Try New Twist

John Lister's picture

An estimated one million people around the world received a recent phishing email, though it only posed a risk for around an hour before Google stepped in to stop the scam in its tracks. Victims of the scam may have inadvertently given attackers control of their email accounts.

The attack involved a bogus email claiming that a contact tried to share a document with the recipient using Google Docs. While only a small proportion of people use Google Docs, the attackers appear to have been playing the numbers game.

Attackers Accessed Emails and Contacts

Unlike most phishing scams, the attackers weren't trying to trick people into handing over personal information or to install malicious software. Instead, they took advantage of a system in which users of one service can grant another service access to their account data without handing over their password.

One example would be when users sign up to a business networking site, then grant it permission to access their email address book to see if anyone they know is already on the networking site.

In this case, the phishing email included a misleading button saying "Open in Docs" that, if clicked, brought up a Google-hosted website which asked the user to give "Google Docs" permission to "Read, send, delete and manage your email" and "Manage your contacts." While that is indeed what the permission did, the app in question was very much not operated by Google. Again, while some users would have known something was wrong, the scam outsmarted potentially thousands of victims.

Attack Blocked Within The Hour

While the attack meant users didn't give up their passwords or other login details (which remain secure and valid), the attackers appear to have had two goals in gaining this access. Firstly they were - for a short time at least - able to access both emails and online documents, giving them the chance to look for sensitive data. Secondly, they could use the victim's contact list to send out more emails, this time with the victim as the supposed sender. (Source:

Google says it uses a variety of methods to block the attack within an hour of it starting, including deleting the website with the bogus request, plus blocking all access from the rogue app. It also says it is updating its systems to detect and block rogue apps while still allowing access by genuine apps which need to use Google data with the user's permission. (Source:

What's Your Opinion?

Did you receive one of the emails in question? Do you think you would have spotted the scam? Is Google dealing with the problem well or should it block any third-party apps from accessing email and contact data, even with user permission?

Rate this article: 
Average: 5 (7 votes)


guitardogg's picture

I work for a school district in California. Several of our users received this. Google acted quickly on this one. In spite of that, I wrote a GAM script to delete it from all users' IN boxes.

LouisianaJoe's picture

I do not use google docs so I just deleted the email. I do not click on stuff like this. If I needed to check something on Google, I would log in from my browser and then check it. I would take the same approach for other emails referencing on line access.

Unrecognised's picture

Yes, block third party apps absolutely. The labyrinth of permissions is already way too complex. It's the responsibility and the right to control consciously of nobody but the user to manually log on and provide permissions ad hoc.