A very (VERY) sophisticated attack using Google’s own services as a vector made an appearance earlier this week. A variant of the standard phishing scam, Google stopped the attack within 24 hours, but their solution is like playing whack-a-mole – they’ve stopped this particular attack but there’s the possibility that another similar attack could be initiated.

How the attack works

You receive an email (possibly from someone on your contact list), stating that they’ve shared a document with you in Google Docs. There’s a link that you click on to get access to the file. OK, most of you know to check the URL link to make sure it’s not bogus. Here’s the tricky part: The link isn’t bogus, it actually takes you to the LEGITIMATE Google sign-in or account selection page.

 

Once you sign in or choose the account to use is where the actual phishing attack is executed. You’re prompted to authorize an app called Google Docs to manage your email and contacts. The problem is that the actual Google Docs service doesn’t really work like an app and doesn’t ever ask for those permissions. This is a malicious, bogus “app” created by the hackers and given a completely trustworthy name. DAMN that’s clever, and insidious.

Oops, I clicked on the link and gave them access…D’oh!

As far as I can tell, they’re not directly capturing your google account credentials. What they ARE doing, is getting full access to your email and contacts. Most people use their gmail account as their account credential for all of their other sites and services. So that means they can log on to Facebook, Yahoo, Mint, whatever, and request a password reset…which will get emailed to your….gmail account. Whoops.

All is not lost, at least if you act quickly. First thing to do is to de-authorize the bogus “Google Docs”.

  1. Go to Google’s account management page at myaccount.google.com (I didn’t link the URL because, well, you really should type it in yourself).
  2. Once you log in, click on the column on the left, titled “Sign-In and Security”
  3. Once there, click on the “Connected apps & sites” link
  4. Finally, click on the “MANAGE APPS” link. It should pull up a list of all the apps and services that have some degree of access to your google account. Click the one named Google Docs and hit the blue REMOVE button. That’s it.

Other steps to take

While you’re in there, it’s a good idea to periodically review this list and remove anything that you don’t recognize or don’t use anymore. If you accidentally break anything, you can always re-authorize access. Your other services like Yahoo, Facebook, etc, all have similar pages and go through the same process.

As I mentioned before, your passwords are probably safe but it’s a good idea to change them from time to time and turn on 2 Factor Authentication (2FA) for any services that handle sensitive information.

And don’t forget. Google has stated that they’ve addressed this particular attack, but they haven’t stated that they’ve found a permanent solution for this type of attack. These hackers gamed the system rather than exploiting a technical vulnerability.

As with all of these attacks, the best thing to do is delete any emails with attachments or links if they come from someone you don’t know. If a known contact sends you a file you weren’t specifically expecting, contact them directly to make sure they actually sent it to you.