Google customers have been targeted with a scam that gave hackers access to the contents of emails, contact lists and online documents of victims.
The scam asked users to click on a link to a Google Doc that appeared to come from someone they knew.
On opening the link, Google's own login and permissions page (its OAuth consent screen) asked users to grant a third-party app calling itself "Google Docs" the ability to "read, send, delete and manage your email", as well as "manage your contacts".
The sophisticated scam, unlike more common attacks, worked through Google's system rather than around it. Most phishing scams seek to glean personal information from victims, such as usernames, passwords, addresses and financial details, by leading them from an email to fake versions of real websites. This one never asked for a password: the victim authorised the attacker's app on Google's genuine consent screen, so the attacker received an access token that worked however strong the password was and whether or not two-step verification was switched on.
Google has now shut down the attack. “We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts,” the company said. “We’ve removed fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing happening again.”
But it is possible that users could still have unread versions of the scam emails in their inboxes or that it could return in a different form. Here are some tell-tale features that give the scam away, ways to avoid similar attacks and what to do if you fell victim to the attack.
How to avoid the scam
First of all, users should be suspicious if they have been sent a link to a document that they weren't expecting to receive. If in doubt, they are advised to contact the person the link purports to have come from by some other route, such as a new message or a phone call rather than a reply to the suspicious email, and ask whether they sent it.
The scam emails also contain a giveaway in the recipients section, which shows they have been sent to "firstname.lastname@example.org", with the real targets BCC'd rather than addressed directly.
Another sign of the scam is the extensive permissions it asks for. Google's own services never need to ask for this kind of consent, and the genuine Google Docs will never present such a prompt; very few legitimate third-party applications need the ability to delete and send email on a user's behalf. Users should make sure they always read what is being requested before granting permission, and should treat a request for full mailbox and contacts access from a "document" as a red flag.
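As an added example (not code from the original article or from Google), the following Python script applies the signs above to constructed sample messages: it flags a To: field that carries the dummy address rather than your own, and it parses any link that leads to an OAuth consent screen to see which permissions it requests. The sample messages, the hypothetical client_id and redirect URI, and the assumed mapping from scope strings to the consent-screen wording are all constructed for the example; the scope strings themselves are Google's real identifiers for full Gmail access and contacts access.

```python
"""Triage constructed Gmail-style messages for the tell-tale signs the
article describes: a dummy address in the To: field with the real targets
BCC'd, and a link that leads to a consent screen asking for full mailbox
and contacts access.

The two sample messages below are constructed for this example and are not
the scam mail itself; the consent-screen link has the shape such a link
takes, but is not one taken from the attack."""
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Dummy recipient the article says appeared in the scam's To: field.
DUMMY_RECIPIENT = "firstname.lastname@example.org"

# Real Google OAuth scope strings mapped to the permission wording the
# article quotes from the consent screen (the mapping is an assumption here).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage your email",
    "https://www.googleapis.com/auth/contacts": "manage your contacts",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scopes_in_link(url: str) -> list[str]:
    """Return the OAuth scopes a consent-screen link asks for (empty if none).

    OAuth 2.0 carries scopes in a single space-separated 'scope' query
    parameter; parse_qs decodes the URL-encoding for us."""
    scopes: list[str] = []
    for value in parse_qs(urlparse(url).query).get("scope", []):
        scopes.extend(value.split())
    return scopes


def triage(raw_message: str, my_address: str) -> list[str]:
    """Return human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    # Sign 1: you are not addressed directly (dummy To:, everyone else BCC'd).
    to_header = (msg.get("To") or "").lower()
    if DUMMY_RECIPIENT in to_header or my_address.lower() not in to_header:
        findings.append(f"recipient anomaly: To: is '{msg.get('To')}', not you")

    # Sign 2: a link in the body leads to a consent screen requesting
    # permissions no document-sharing notification needs.
    body = msg.get_payload()  # single-part text/plain in these samples
    for url in URL_RE.findall(body):
        risky = [HIGH_RISK_SCOPES[s] for s in scopes_in_link(url)
                 if s in HIGH_RISK_SCOPES]
        if risky:
            findings.append("link asks to " + "; ".join(risky))
    return findings


# Constructed sample resembling the scam: dummy To:, consent link with
# mail + contacts scopes. The client_id and redirect_uri are placeholders.
SCAM_SAMPLE = """\
From: Alice <alice@example.com>
To: firstname.lastname@example.org
Subject: Alice has shared a document on Google Docs with you
Content-Type: text/plain

Alice has invited you to view the following document:
https://accounts.google.com/o/oauth2/auth?client_id=hypothetical-client-id&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts&redirect_uri=https%3A%2F%2Fattacker.example%2Fcallback&response_type=code
"""

# Constructed benign share notification: addressed to you, plain Docs link.
BENIGN_SAMPLE = """\
From: Bob <bob@example.com>
To: me@example.com
Subject: Q2 budget
Content-Type: text/plain

Bob shared a document with you:
https://docs.google.com/document/d/hypothetical-document-id/edit
"""

if __name__ == "__main__":
    for name, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(sample, "me@example.com") or ["no findings"])
```

The scope check is the part worth keeping: a genuine sharing notification links straight to the document, whereas a link that passes through an authorisation endpoint with a scope parameter is asking for standing access to the account, and the scopes name exactly what that access is.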
Google has asked customers who receive such an email to flag it by clicking the downward arrow in the top right-hand corner of the message and selecting "Report Phishing".
What to do if you opened the email
If you have already given the scammers access to your account, you can still revoke that access.
Go to the permissions section of "My Account" (https://myaccount.google.com/permissions) on a device you're logged in to. Here you will be able to see all of the apps that have access to your Google account and what they can do.
The scam app will be in this list under the name "Google Docs" and will look legitimate. However, when you click on it, it will show a recent authorisation time and will say that it has permission to "manage your contacts" and "read, send, delete and manage your email".
Google here gives users the option to “Remove” permissions. Click this, read the terms and select “OK”.
Victims are also advised to change the passwords to their online accounts to protect any information that may have been compromised. Removing the app is the step that cuts off the attacker's access to the Google account itself; the password changes matter because anyone who could read the mailbox could also have used password-reset emails for other services.