A widespread phishing scam involving Google Docs made its way across the internet today (May 3), with multiple Twitter users and at least two Reddit threads documenting spam messages coming from "email@example.com". Google appeared to have shut down the phishing campaign within about an hour.
The phishing email arrived in your inbox and said that someone you knew had shared a Google Doc with you. There was a button to "Open in Docs" — if you clicked it, you were redirected to a non-Google address, and everyone in your Google address book then got the same phishing email, only with you as the sender.
"I just got a Google Doc invite from a BuzzFeed email address, clicked on it, and it spammed everyone I've ever emailed," tweeted Joe Bernstein, a BuzzFeed technology reporter.
It's not yet clear what the aim of the phishing scam was. A posting on the official G Suite blog said that "the problem with Google Drive should be resolved."
If you received such an email and clicked on the"Open in Docs" button, go to https://myaccount.google.com/permissions and see if "Google Docs" is listed as one of the apps that has access to your Google account.
If so, that's the fake one — the real Google Docs shouldn't appear on this page. Select the fake Google Docs and click the blue "REMOVE" button. (We originally advised changing your Google password, but that doesn't seem to have been necessary.)
"This big phishing attack is clever; an OAUTH based attack. Tricks you into giving 'permission' to read your emails," tweeted Matt Tait, a British security expert.
0Auth is a widely used credentialing standard that keeps you logged into accounts for a long period of time, and can also be used across accounts. For example, when you log into Gmail on one Chrome tab, then open another tab to open Google Drive, a 0Auth "token" logs you into the second tab's content automatically.
Likewise, if you keep a browser logged into a Twitter account indefinitely, that's OAuth at work. Malicious hackers love stealing 0Auth tokens because they can be reused until the user completely logs out of an account on all devices.
Tait added that the ongoing attack was very similar to a spear-phishing campaign last year carried out by APT28, aka Pawn Storm or Fancy Bear, and documented by the Tokyo-based security firm Trend Micro (opens in new tab) in a recent report. APT28 is one of the two Russian groups that hacked into the Democratic National Committee's email servers during the 2016 U.S. presidential election campaign.
However, the source code for today's attack was quickly found on at least two code-sharing websites. The code's availability indicated that this email virus may have been the work of "script kiddies," or juvenile pranksters, rather than cybercriminals or nation-state-backed hackers.
Illustration: Laptop Mag