Phishing Scammers Try New Twist
An estimated one million people around the world received a recent phishing email, though it only posed a risk for around an hour before Google stepped in to stop the scam in its tracks. Victims of the scam may have inadvertently given attackers control of their email accounts.
The attack involved a bogus email claiming that a contact tried to share a document with the recipient using Google Docs. While only a small proportion of people use Google Docs, the attackers appear to have been playing the numbers game.
Attackers Accessed Emails and Contacts
Unlike most phishing scams, the attackers weren't trying to trick people into handing over personal information or into installing malicious software. Instead, they took advantage of a system in which users of one service can grant another service access to their account data without handing over their password.
One example would be when users sign up to a business networking site, then grant it permission to access their email address book to see if anyone they know is already on the networking site.
In this case, the phishing email included a misleading button saying "Open in Docs" that, if clicked, brought up a genuine Google-hosted consent page asking the user to give an app named "Google Docs" permission to "Read, send, delete and manage your email" and "Manage your contacts." That is indeed what the permission granted, but the app in question was very much not operated by Google. While some users would have realised something was wrong, the scam potentially fooled thousands of victims.
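The consent page in this scam was real, so the only clues were in the request itself: which app was asking, which scopes it wanted, and where the granted access would be delivered. The following is an added example (not code from the original article) of a small inspector that pulls those facts out of an OAuth authorization link and classifies the request from a defender's point of view. The Google authorization parameter names (client_id, redirect_uri, scope, response_type) and the scope strings are real; the sample links, client IDs, redirect hosts and app names are constructed placeholders.

```python
"""Inspect an OAuth consent link before it is approved.

Added example, not from the original article. Parameter names and
Google scope strings are real; the sample data below is constructed.
"""
from urllib.parse import parse_qs, urlparse

# Real Google scope strings paired with the wording the consent screen shows.
BROAD_SCOPES = {
    "https://mail.google.com/": "Read, send, delete and manage your email",
    "https://www.googleapis.com/auth/contacts": "Manage your contacts",
    "https://www.googleapis.com/auth/gmail.modify": "Read and modify your email",
}

# First-party Google products never need a third-party OAuth grant to reach
# data in your own account, so a third-party app using one of these display
# names is impersonating Google.
GOOGLE_PRODUCT_NAMES = {"google", "google docs", "google drive", "google sheets", "gmail"}


def inspect_consent(url: str, app_name: str) -> dict:
    """Return the requested scopes, the redirect host, risk flags and a verdict."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    # Google sends scopes as one space-separated parameter value.
    scopes = set(" ".join(params.get("scope", [])).split())
    redirect_uri = params.get("redirect_uri", [""])[0]
    redirect_host = urlparse(redirect_uri).hostname or ""
    flags = []

    # The consent page is hosted by Google for every app, so a legitimate
    # address bar proves nothing about who operates the app.
    if parsed.hostname == "accounts.google.com":
        flags.append("consent page is Google-hosted; this says nothing about who runs the app")

    broad = sorted(s for s in scopes if s in BROAD_SCOPES)
    for scope in broad:
        flags.append(f"broad scope requested: {BROAD_SCOPES[scope]}")

    impersonating = app_name.strip().lower() in GOOGLE_PRODUCT_NAMES
    if impersonating:
        flags.append(f"app name {app_name!r} impersonates a first-party Google product")

    # The token is delivered to redirect_uri, so this is where access really goes.
    if redirect_host:
        flags.append(f"granted access will be delivered to {redirect_host}")

    if impersonating:
        verdict = "block"
    elif broad:
        verdict = "review"
    else:
        verdict = "low"
    return {"app": app_name, "scopes": sorted(scopes), "redirect_host": redirect_host,
            "flags": flags, "verdict": verdict}


# Constructed sample in the shape of the scam described above; the client ID
# and redirect host are placeholders, not the attacker's real values.
SCAM_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

# Constructed sample of the address-book import mentioned earlier: a narrow,
# read-only contacts scope for an app that does not pretend to be Google.
NETWORKING_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=PLACEHOLDER-CLIENT-ID-2.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fnetworking.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

if __name__ == "__main__":
    for link, name in ((SCAM_LINK, "Google Docs"), (NETWORKING_LINK, "Example Networking")):
        result = inspect_consent(link, name)
        print(f"{name}: {result['verdict']}")
        for flag in result["flags"]:
            print("  -", flag)
```

The verdict deliberately rests on the app name and the scopes, not on the address of the consent page, because that page is Google's for every app, legitimate or not; the redirect host is reported so a reviewer can see which third party would end up holding the token.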
Attack Blocked Within The Hour
While the attack meant users didn't give up their passwords or other login details (which remain secure and valid), the attackers appear to have had two goals in gaining this access. Firstly they were - for a short time at least - able to access both emails and online documents, giving them the chance to look for sensitive data. Secondly, they could use the victim's contact list to send out more emails, this time with the victim as the supposed sender. (Source: bbc.co.uk)
Google says it used a variety of methods to block the attack within an hour of it starting, including taking down the website hosting the bogus request and blocking all access from the rogue app. It also says it is updating its systems to detect and block rogue apps while still allowing access by genuine apps that need to use Google data with the user's permission. (Source: blog.google)
What's Your Opinion?
Did you receive one of the emails in question? Do you think you would have spotted the scam? Is Google dealing with the problem well or should it block any third-party apps from accessing email and contact data, even with user permission?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!
Comments
We got hit
I work for a school district in California. Several of our users received this. Google acted quickly on this one. In spite of that, I wrote a GAM script to delete it from all users' inboxes.
I received the email
I do not use Google Docs so I just deleted the email. I do not click on stuff like this. If I needed to check something on Google, I would log in from my browser and then check it. I would take the same approach for other emails referencing online access.
block
Yes, block third party apps absolutely. The labyrinth of permissions is already way too complex. It's the responsibility and the right to control consciously of nobody but the user to manually log on and provide permissions ad hoc.