What's So Dastardly Clever About the Google Docs Phishing Scam
The latest phishing scam sweeping the web is better than most. Don't click!
Getty Oliver Nicolaas Ponder / EyeEm
By Eric Limer
If you get a request to access a Google Doc, don't click it. As you may have heard, there's a phishing scam going around, a con intended to steal your information and pass itself on to all of your friends and contacts. Once you are aware of it, it's simple to avoid, but under the hood it looks to be a savage and clever bit of cybertheft.
In practice, the scam works like this: You get an email from a contact inviting you to look at a Google Doc. When you click through, a genuine Google permission screen for an app calling itself "Google Docs" asks for access to your account, including permission to read, send and manage your email and to read your contacts. So far nothing has happened, but the second you click Allow, the app uses that access to send everyone in your contact list an invitation just like the one you got, spreading itself further. Then it goes quiet. The access you granted does not expire on its own, though: it stays in place until you revoke it from the connected-apps list in your Google account settings, and by then the app may well have squirreled away plenty of your data.
How Hackers Steal Your Account with No Password
That's bad enough, but what's really terrifying is the degree to which the scam is undetectable, as Redditor JakeSteam points out. Most phishing scams are possible to spot because, to some degree or another, they don't look right. Hackers sending fake Google emails or invites have to fake all kinds of elements only Google would be able to replicate. Often they're sent from shifty look-alike domains, like Gmail.com spelled with a capital I in place of the lowercase l, which is nearly indistinguishable in many fonts. Sometimes they contain links out to URLs that are clearly not Google-owned, or that are conveniently obscured by link-shortening services like Bit.ly. This scam, it seems, suffers from none of these failings, because it runs almost completely through Google's own legitimate system.
The scam appears to use a real third-party app, registered with Google like any other, that somehow got the name "Google Docs." Therefore, when it asks for permission to access your account, it's doing so on the up and up. Since it's using Google's actual authorization framework, it doesn't have to fake anything, making it next-to-impossible to spot. It's not stealing your password through nefarious means; it is legitimately asking for access to your account and even spelling out what that access is before you click. It's basically a worst-case scenario for how hackers can get into your account without your password: because you grant the access yourself, through the same OAuth consent flow legitimate apps use, your password is never entered and two-factor authentication never enters the picture.
In practice, the only real way to spot the scam if you aren't already on guard is to click the hyperlink that says "Google Docs" on the screen that asks you to allow it access to your account. Doing this, JakeSteam points out, reveals that it is published by a strange, random Google account, not by Google itself. Otherwise, since this is just a third-party app, it appears to be a completely legitimate request because it is; the weakness being exploited is whatever let its maker register an app under the name "Google Docs." This is not a robber in black kicking down your door. It's your mailman, knocking on your door and delivering a package that's actually addressed to you, but as soon as you open it, a thief pops out and steals your TV. The vulnerability isn't your lock; it's that the Post Office didn't catch a thief trying to mail himself.
The only place the scheme's seams seem to show, with data redacted.
Reddit/JakeSteam
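The seams described above can be checked before clicking Allow, because every Google consent screen is reached through an authorization URL that carries the app's client ID, the scopes it wants and the redirect_uri the access token will be delivered to. The following script is an added example, not code from the article or from Google: it parses such a URL and flags the combination this scam relies on, an app name that claims to be a Google product while its redirect goes to a non-Google host and its publisher is not Google, plus mail and contacts scopes. The scope URIs are Google's real ones; the sample URLs, hostnames, app names and developer addresses are constructed for illustration, and the list of Google-owned host suffixes is an assumption.

```python
"""Flag an OAuth consent request that looks like the 'Google Docs' worm.

Added example, not from the article. The scope URIs are real Google scopes;
everything else (hosts, app names, developer addresses) is constructed.
"""
from urllib.parse import parse_qs, urlparse

# Scopes that hand over mail or contacts, i.e. everything the worm needed.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/write/delete access to Gmail",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and modify Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Assumption: only these suffixes count as Google-owned redirect targets.
GOOGLE_SUFFIXES = (".google.com", ".googleapis.com", ".googleusercontent.com")

# App names that should never belong to a third-party publisher.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google", "gmail"}


def _is_google_host(host: str) -> bool:
    host = host.lower()
    return host == "google.com" or host.endswith(GOOGLE_SUFFIXES)


def assess_consent(auth_url: str, app_name: str, developer_email: str) -> dict:
    """Return {'verdict': 'block'|'review'|'ok', 'findings': [...]}.

    auth_url is the accounts.google.com URL the consent screen was opened
    with; app_name and developer_email are what the screen shows when you
    click the app's name.
    """
    query = parse_qs(urlparse(auth_url).query)
    scopes = query.get("scope", [""])[0].split()          # space-separated list
    redirect_host = urlparse(query.get("redirect_uri", [""])[0]).hostname or ""
    dev_domain = developer_email.rsplit("@", 1)[-1].lower()

    claims_google = app_name.strip().lower() in GOOGLE_PRODUCT_NAMES
    first_party = _is_google_host(redirect_host) and dev_domain == "google.com"
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]

    findings = []
    if claims_google and not first_party:
        findings.append(
            f"app name {app_name!r} impersonates a Google product but redirects "
            f"to {redirect_host!r} and is published from {dev_domain!r}"
        )
    for s in risky:
        findings.append(f"requests {HIGH_RISK_SCOPES[s]} ({s})")
    if redirect_host and not _is_google_host(redirect_host):
        findings.append(f"access token will be delivered to third-party host {redirect_host!r}")

    if claims_google and not first_party:
        verdict = "block"      # impersonation: never a legitimate request
    elif risky:
        verdict = "review"     # legitimate apps can need this, but check the publisher
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings}


# Constructed sample: what the worm's consent request would look like.
WORM_LIKE_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-abcdef.apps.googleusercontent.com"
    "&response_type=code"
    "&scope=https://mail.google.com/+https://www.googleapis.com/auth/contacts"
    "&redirect_uri=https%3A%2F%2Fgdocs.example.net%2Fg.php"
)

# Constructed sample: an ordinary third-party app asking for read-only Drive.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=111111111111-ghijkl.apps.googleusercontent.com"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly"
    "&redirect_uri=https%3A%2F%2Freports.example.org%2Foauth2%2Fcallback"
)

if __name__ == "__main__":
    for url, name, dev in ((WORM_LIKE_URL, "Google Docs", "somebody@example.net"),
                           (BENIGN_URL, "Acme Reports", "dev@example.org")):
        result = assess_consent(url, name, dev)
        print(f"{name}: {result['verdict']}")
        for line in result["findings"]:
            print("  -", line)
```

The redirect_uri is worth singling out: it is the one element the attacker cannot hide, since the authorization code has to land on a server they control, and it is visible in the address bar before anything is granted. The script treats any non-Google redirect as a note rather than a block, because every legitimate third-party app has one; it is the claim to be "Google Docs" combined with that third-party redirect and publisher that turns the request into an impersonation.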
The main flaw of the hack, if you can even call it a flaw, seems to be that it was perhaps a little trigger-happy. With cover as impenetrable as this, the phishing attack might have circulated for weeks or months without large-scale detection, but the recent flood of messages seems to have given it away. Though who knows how long it may have been out there before the dam broke on Wednesday afternoon.
In the meantime, be careful. Don't give any application permission to your account unless you've vetted it as best you can, and check the publisher behind the app's name on the consent screen before you click Allow. If you already clicked, changing your password won't help; go to the connected-apps list in your Google account settings and remove anything you don't recognize. And don't click on any Google Doc requests you aren't expecting for a while.
Update: Google offered the following statement.
We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.