A widespread phishing scheme targeted people across the web on Wednesday.
A screen shot with the sender’s name and address redacted shows a version of a phishing email that spread across the Internet on May 3, 2017.
The sophisticated attack appeared to come from a trusted source asking you to open a Google Document. If you clicked, it took you to a page to open the “Google Docs” app with your Google account. This granted access to your email account and contacts.
Google said it stopped the attacks in one hour.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, says anyone who clicked on the link should check their Google App permissions and remove the one called “Google Docs.” You can do that by clicking this link.
It’s unclear how widespread the attack was, but reporters at publications including BuzzFeed, CNN and Motherboard tweeted that they’d receiving the phishing email, as had many of their sources. According to threat intelligence firm Talos, at its peak, around 150 messages were being sent per minute.
On Wednesday afternoon, “Google Docs” was a global trending topic on Twitter, meaning a lot of people were talking about the attacks.
@zeynep Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX
— Zach Latta (@zachlatta) May 3, 2017
In a statement to CNNTech, a Google spokesperson said the attack affected fewer than 0.1% of Gmail users. (Gmail has over one billion monthly active users, and 0.1% of that total would be at least one million accounts.)
Google said contact information was accessed and used in the attack, but no other information was exposed.
“We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems,” the company said in a statement.
It’s not clear who was behind the phishing attempts. This attack spread quickly — the fake Google Docs app read users’ contacts and sent more phishing attempts to their contacts.
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail.
— Gmail (@gmail) May 3, 2017
A phishing attack is a popular method of stealing credentials and hacking into people’s emails, bank accounts or other private accounts. A hacker poses as a trusted source and sends you a malicious link.
Experts say the phish was convincing and sophisticated.
Here’s what happened: Hackers created a malicious app and named it “Google Docs,” which looked trustworthy. Google uses an authorization system called OAuth, which uses security tokens instead of passwords to connect your Google account with third party apps. Because the malicious app looked legit, it essentially tricked users into trusting it with their security token — which is all that was needed to access the accounts.
This is a popular phishing method — security firm Trend Micro reported earlier this year that Russian hackers were using it.
“As we have seen repeatedly, these kinds of schemes are usually the precursor to larger nefarious activities, like money transfers, planting ransomware, etc.,” said Frances Zelazny, VP of cybersecurity startup BioCatch.
We've addressed the issue with a phishing email claiming to be Google Docs. If you think you were affected, visit https://t.co/O68nQjFhBL. pic.twitter.com/AtlX6oNZaf
— Google Docs (@googledocs) May 3, 2017