A very (VERY) sophisticated attack using Google’s own services as a vector made an appearance earlier this week. It’s a variant of the standard phishing scam. Google stopped the attack within 24 hours, but their solution is like playing whack-a-mole: this particular attack is blocked, yet nothing prevents a similar one from being launched.
How the attack works
You receive an email (possibly from someone on your contact list) stating that they’ve shared a document with you in Google Docs. There’s a link you click to get access to the file. OK, most of you know to check the URL to make sure it’s not bogus. Here’s the tricky part: the link isn’t bogus. It actually takes you to the LEGITIMATE Google sign-in or account selection page.
The actual phishing happens after you sign in or choose the account to use. You’re prompted to authorize an app called “Google Docs” to manage your email and contacts. The problem is that the real Google Docs service doesn’t work like a third-party app and never asks for those permissions. This is a malicious, bogus “app” created by the hackers and given a completely trustworthy name. DAMN that’s clever, and insidious.
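The point above is that a genuine Google sign-in host tells you nothing about the app being authorized; what matters is the name on the consent screen and the permissions it asks for. The following triage routine is an added example (not code from the original post): it takes an OAuth authorization URL and the app name shown on the consent screen and flags the combination the post describes, a first-party-sounding app requesting mail and contacts access. The sample URL, client ID and redirect are constructed; the scope strings are Google’s published Gmail and People API scopes.

```python
"""Triage an OAuth consent request: a legitimate accounts.google.com host
does not make the request safe; the app identity and scopes do.
Added example; the sample URL below is constructed, not a real attack link."""
from urllib.parse import urlparse, parse_qs

# Scopes that grant what the post describes: reading/sending mail (enough to
# intercept password-reset emails) and harvesting the contact list.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify Gmail",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}
# Google's own products never appear as a third-party app on the consent screen.
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail"}


def triage_consent_url(url, app_display_name):
    """Return a list of human-readable findings for an authorization request."""
    u = urlparse(url)
    findings = []
    if u.scheme != "https" or u.hostname not in GOOGLE_AUTH_HOSTS:
        # The classic fake-login page; no point inspecting the parameters.
        findings.append("host is not Google's account service")
        return findings
    # Host is genuine, so the dangerous part is what is being requested.
    params = parse_qs(u.query)
    scopes = set(" ".join(params.get("scope", [])).split())
    for scope in sorted(scopes & set(HIGH_RISK_SCOPES)):
        findings.append(f"requests {HIGH_RISK_SCOPES[scope]} ({scope})")
    if app_display_name.strip().lower() in FIRST_PARTY_NAMES:
        findings.append(
            f"third-party app impersonates first-party name {app_display_name!r}")
    return findings


# Constructed sample: a real Google endpoint and host, but an app asking for
# mail plus contacts under the name "Google Docs" (placeholder client/redirect).
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-CLIENT-ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

if __name__ == "__main__":
    for line in triage_consent_url(SAMPLE_URL, "Google Docs"):
        print("WARNING:", line)
```

A run on the constructed sample produces three warnings even though the host check passes, which is exactly why "check the URL" alone was not enough here.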
Oops, I clicked on the link and gave them access…D’oh!
As far as I can tell, they’re not directly capturing your Google account credentials. What they ARE doing is getting full access to your email and contacts. Most people use their Gmail account as the login for all of their other sites and services. That means the attackers can go to Facebook, Yahoo, Mint, whatever, and request a password reset, which gets emailed to your Gmail account. Whoops.
All is not lost, at least if you act quickly. The first thing to do is de-authorize the bogus “Google Docs”.
- Go to Google’s account management page at myaccount.google.com (I didn’t link the URL because, well, you really should type it in yourself).
- Once you log in, click on the column on the left, titled “Sign-In and Security”.
- Once there, click on the “Connected apps & sites” link.
- Finally, click on the “MANAGE APPS” link. It should pull up a list of all the apps and services that have some degree of access to your Google account. Click the one named Google Docs and hit the blue REMOVE button. That’s it.