A sophisticated Google Docs phishing scam just swept the Internet. Despite that Google has resolved the issue speedily, this scam is still worth our attention.
A phishing scam using the real Google login system
As detailed on Reddit, the target would first receive an email saying “(the sender) has shared a document on Google Docs with you” with an “Open in Docs” button.
Once hitting the button, you would enter a REAL Google account sign-in screen that asked you to “continue to Google Docs.”
After you chose an account to continue, you would see a page that shows “Google Docs would like to read, send and delete emails, as well as access to your contacts” to acquire your permission.
(Image source: The Verge)
Unless you happened to click “Google Docs” and found out the developer of this web app was a random Gmail account rather than an official email from Google teams, it was almost impossible not to grant permission at the moment.
(Image source: The Verge)
If you clicked “allow”, the attacker could get full access to your Gmail and send phishing Google Docs links to your contacts on your behalf. This trick made the fake emails more convincing and thus more people would fall victim to the scam.
Not just your Google account but all services linked to it were in danger
You may link your Google account to other online services just like what many people do. Once your Gmail account was hacked, the attacker could use it to send password reset requests and thus gained control over all of your connected accounts.
Additionally, since the attacker could access all mails in an affected account, they may also read messages in the mailbox and invade your privacy.
What to do if I have clicked the malicious link in the phishing mail?
Thankfully, after receiving the report, Google has resolved this issue within hours by removing the fake pages and pushing updates to Safe Browsing, Google’s malicious site monitoring service.
However, you may still wonder what you should do if you have clicked on the malicious link in such phishing scam. Here’s the suggestion:
– Remove the permission given to the malicious app from your account settings page right away.
– Then, inform those who have received phishing emails sent from your compromised account. Ask them not to click on the link to prevent further damages.
You should also learn that a genuine Google Docs invitation link doesn’t require permission to access your Google account.
This attack did not trick users in a traditional way which would take you to a fake Google page and steal your password; instead it leveraged the existing Google login system and asked for your permission to gain access to your account. To stay safe online, always be careful of those requirements asking you to grant permission for access.