Overview
A fast-spreading phishing campaign targeted Gmail and Google Docs users with a malicious third-party app whose display name was simply "Google Docs". Instead of stealing passwords, the app asked victims to authorise it through Google's own permissions (OAuth consent) screen, which gave it access to their email and contacts. Google disabled the app within hours and told affected users how to revoke its access.
Attack Description and Method
- The phishing email appeared to come from a known contact (in practice, an earlier victim) and invited the recipient to edit a Google Doc.
- The link led to a genuine Google sign-in and account-chooser page; the request that followed came from a third-party app whose registered display name was "Google Docs", not from Google's real Docs service.
- A user who clicked "Allow" did not hand over a password. They granted the attacker's app an OAuth token with permission to read and manage their email and to read their contact list.
- Because the consent screen was Google's own (legitimate URL, certificate and UI), there was nothing on the page itself to flag the request as fraudulent; only the developer identity behind the app name and the scopes being requested gave it away.
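The two signals that distinguished this consent request from a real one were a third-party client using a first-party product name and a scope set covering mail plus contacts. The following is an added example, not code from the original article or from Google: a small triage script that applies those two checks to OAuth consent-grant records. The JSON record schema, the field names, the client IDs and the sample events are all constructed for illustration and are not the real Google Workspace audit-log format.

```python
"""Triage OAuth consent grants for apps impersonating a first-party Google product.

Added example; the record schema below is a simplified assumption, not
Google's real audit-log format.
"""
import json
from dataclasses import dataclass

# Scopes that, combined, gave the 2017 worm what it needed: read the mailbox
# and harvest the contact list for the next round of invitations.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Display names a third-party client should never be allowed to use.
# Assumption: an organisation maintains and extends this list itself.
LOOKALIKE_NAMES = {"google docs", "google drive", "google", "gmail"}

# Assumption: genuine first-party clients are recognised by client_id.
# The value here is a placeholder, not a real Google client ID.
KNOWN_GOOGLE_CLIENT_IDS = {"first-party-client-id-placeholder"}


@dataclass(frozen=True)
class ConsentEvent:
    user: str
    app_name: str
    client_id: str
    scopes: frozenset


def parse_event(line: str) -> ConsentEvent:
    """Parse one JSON record of the (assumed) consent-grant log format."""
    rec = json.loads(line)
    return ConsentEvent(
        user=rec["user"],
        app_name=rec["app_name"],
        client_id=rec["client_id"],
        scopes=frozenset(rec["scopes"]),
    )


def normalise_name(name: str) -> str:
    """Strip zero-width characters, collapse whitespace and case-fold.

    A lookalike name such as "Google D\\u200bocs" renders identically to the
    real product name, so comparisons must be done on the cleaned string.
    """
    for ch in ("\u200b", "\u200c", "\u200d", "\ufeff"):
        name = name.replace(ch, "")
    return " ".join(name.split()).casefold()


def verdict(ev: ConsentEvent) -> str:
    """Classify a grant: 'revoke', 'review', 'verify-developer' or 'ok'."""
    if ev.client_id in KNOWN_GOOGLE_CLIENT_IDS:
        return "ok"  # Google's own client may use Google's own names
    lookalike = normalise_name(ev.app_name) in LOOKALIKE_NAMES
    sensitive = bool(ev.scopes & SENSITIVE_SCOPES)
    if lookalike and sensitive:
        return "revoke"            # same shape as the worm: treat as compromised
    if lookalike:
        return "review"            # impersonation without mail/contacts access
    if sensitive:
        return "verify-developer"  # honest-looking name, but broad access
    return "ok"


def triage(lines):
    """Return (user, app_name, verdict) for every record in the log."""
    return [(ev.user, ev.app_name, verdict(ev)) for ev in map(parse_event, lines)]


# Constructed sample records (not real log data).
SAMPLE_LOG = [
    '{"user": "alice@example.com", "app_name": "Google Docs", "client_id": "third-party-client-a",'
    ' "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]}',
    '{"user": "bob@example.com", "app_name": "Google D\\u200bocs", "client_id": "third-party-client-b",'
    ' "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]}',
    '{"user": "carol@example.com", "app_name": "Google Docs", "client_id": "first-party-client-id-placeholder",'
    ' "scopes": ["https://mail.google.com/"]}',
    '{"user": "dave@example.com", "app_name": "Acme Calendar Sync", "client_id": "third-party-client-c",'
    ' "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}',
    '{"user": "erin@example.com", "app_name": "Acme Mail Archiver", "client_id": "third-party-client-d",'
    ' "scopes": ["https://mail.google.com/"]}',
]

if __name__ == "__main__":
    for user, app, result in triage(SAMPLE_LOG):
        print(f"{result:17} {user:20} {app}")
```

The "revoke" verdict is deliberately reserved for the combination seen in this campaign (first-party name on a third-party client plus mail or contacts scopes); a broad-scope grant to an honestly named third party is routed to a developer-verification step rather than an automatic revoke, since many legitimate integrations legitimately hold those scopes.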
Scope and Impact
- The scheme spread quickly and hit many journalists and newsrooms, including staff at The Verge.
- Clicking the link alone did not compromise an account; granting the app access did. Once authorised, the app used the victim's contact list to send the same invitation from the victim's own account, which is what made the campaign self-propagating and made each new email look like it came from a trusted sender.
Mitigation and Google's Response
- Google disabled the offending accounts and removed the fake app's registration and pages, which invalidated the access the app had been granted.
- Google pushed updates through Safe Browsing so that browsers and Gmail would flag the links, and said it was taking further steps to stop third-party apps from spoofing its own product names.
- Google asked users to report the emails using Gmail's "Report phishing" option.
User Steps and Recommendations
- Users who had granted access were advised to open Google's "Connected Apps and Sites" permissions page, find the entry named "Google Docs" (the real Docs product never appears there as a third-party app) and remove it. Removing the app revokes the OAuth token it holds, which is what actually cuts off the attacker's access.
- Users were warned not to trust unexpected Google Docs invitations, even from known contacts, and not to click links in such messages.
Timeline of Official Updates
- 4:00 PM ET, 5/3: Reports indicated Google had disabled the malicious application.
- 4:25 PM ET, 5/3: Google officially warned users not to click suspicious links during ongoing investigation.
- 5:17 PM ET, 5/3: Google confirmed the issue was resolved.
Recommendations / Advice
- If you suspect you granted access, revoke it for the suspicious app in Google's security settings rather than only changing your password; the app's access lives in the token, not in your password.
- Before clicking "Allow" on a consent screen, check the developer identity shown for the app and the specific permissions it requests. Google's own products do not ask you to authorise a third-party app to reach your Gmail or contacts, so a "Google Docs" app asking for that access is a red flag.
- Report phishing attempts to Google through Gmail's "Report phishing" option so that Safe Browsing and spam filters are updated for other users.