Last week, reports started surfacing about an unusual phishing attack that was spreading via Google Docs. It was unusual in two ways. First, it did not exploit a bug in Google's typically tight security; it abused a legitimate feature, the ability of any third-party developer to register an app with Google and give it whatever display name they like, in this case "Google Docs". Second, it did not have the expected signature of a traditional phishing attack, e.g. stealing your login and password. Victims never typed a password into a fake page. Instead, the rogue app used Google's own sign-in and permission screen to ask for access to the victim's mail and contacts, and once a victim clicked "Allow", it used those contacts to send the same invitation onward. Its primary objective, as far as anyone could tell, was simply to spread. Because the request came from a real accounts.google.com page and a familiar-looking app name, it looked deceptively benign.
What this means for you:
According to Google, fewer than 0.1% of its user base was affected by this scam, but with more than a billion Gmail accounts in existence, that may still equal as many as one million users. This particular attack spread quickly, primarily because each invitation came from a known contact and used Google's legitimate authorization process to grant a fake app access to the victim's mailbox. Thankfully, Google was able to revoke the rogue app and shut the campaign down within about an hour of discovery, preventing what might have been a much larger calamity. One caveat worth knowing: access granted this way is tied to the app, not to your password, so changing your password does not undo it. You have to remove the app yourself under the connected-apps section of your Google account settings.
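Because the permission screen itself was genuine, the only place to catch this attack was in what it asked for: a third party calling itself "Google Docs" requesting full mailbox and contacts access. The following Python script is an added example, not code from the original post or from Google; it triages an OAuth consent request by pulling the requested scopes and redirect target out of the authorization URL and checking them, together with the app name shown on the consent screen, for that combination. The scope strings are real Google scope identifiers; the client IDs, app names and redirect hosts are constructed for the example.

```python
"""Triage an OAuth consent request before anyone clicks "Allow".

Added example, not code from the original post or from Google. Inputs are the
app name as shown on Google's consent screen and the authorization URL the
browser landed on. The checks target the pattern of the Google Docs worm: a
third-party app wearing a Google product name, asking for mailbox and contacts
scopes, with the resulting token delivered to a non-Google redirect_uri.
"""
from urllib.parse import urlparse, parse_qs

# Real Google scope identifiers that hand over the keys to the email kingdom.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read, send and delete access to the mailbox",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and modify mail",
    "https://www.googleapis.com/auth/gmail.send": "permission to send mail as you",
    "https://www.googleapis.com/auth/contacts": "read and write access to all contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read access to all contacts",
    "https://www.googleapis.com/auth/drive": "full access to Drive",
}

# Google's own products never appear as third-party apps on Google's consent
# screen, so any of these names on that screen is impersonation.
GOOGLE_PRODUCT_NAMES = ("google docs", "google drive", "google sheets", "gmail")

# Hosts a genuine Google product would send a token to.
GOOGLE_REDIRECT_DOMAINS = ("google.com", "googleusercontent.com", "googleapis.com")


def parse_consent_request(url):
    """Extract client_id, the set of requested scopes and redirect_uri from an
    OAuth 2.0 authorization URL. Scopes arrive space-separated in one param."""
    query = parse_qs(urlparse(url).query)
    scopes = set()
    for raw in query.get("scope", []):
        scopes.update(raw.split())
    return {
        "client_id": query.get("client_id", [""])[0],
        "scopes": scopes,
        "redirect_uri": query.get("redirect_uri", [""])[0],
    }


def _is_google_host(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in GOOGLE_REDIRECT_DOMAINS)


def assess_consent(app_name, url):
    """Return human-readable findings; an empty list means nothing stood out."""
    req = parse_consent_request(url)
    findings = []
    name = app_name.strip().lower()
    if any(name == p or name.startswith(p + " ") for p in GOOGLE_PRODUCT_NAMES):
        findings.append(f'app name "{app_name}" impersonates a Google product')
    for scope in sorted(req["scopes"]):
        if scope in HIGH_RISK_SCOPES:
            findings.append(f"requests {HIGH_RISK_SCOPES[scope]} ({scope})")
    host = urlparse(req["redirect_uri"]).hostname or ""
    if host and not _is_google_host(host):
        findings.append(f"access token is delivered to third-party host {host}")
    return findings


def verdict(app_name, url):
    """'deny' for impersonation, 'review' for any high-risk scope, else 'ok'."""
    findings = assess_consent(app_name, url)
    if any("impersonates" in f for f in findings):
        return "deny"
    if any(f.startswith("requests ") for f in findings):
        return "review"
    return "ok"


# Constructed sample inputs: a worm-style request and a benign calendar app.
WORM_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-constructed.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=111111111111-constructed.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Facme.example.com%2Fcb"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
)

if __name__ == "__main__":
    for name, url in (("Google Docs", WORM_URL), ("Acme Calendar Sync", BENIGN_URL)):
        print(f"{name}: {verdict(name, url)}")
        for line in assess_consent(name, url):
            print("  -", line)
```

The redirect-host finding is informational on its own, since every legitimate third-party app sends tokens to its own domain; it becomes damning only alongside a Google product name, because a real Google product would not need a consent screen at all, let alone deliver a token to someone else's server.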
Coincidentally, a similar phishing attack actually hit one of our clients that same week. This attack, while not nearly as clever as the above, still used authentic-looking text and images to trick my client into giving up a password. It was convincing enough that it didn’t occur to him that it was an actual scam until he contacted the sender a few days later and found out, to his chagrin, that it wasn’t a legitimate request.
Simplifying the exchange of information is one of the greatest benefits that the internet has brought us, but as can be seen, the process has become so commonplace and taken for granted that when trusted systems are undermined, humans are easily fooled. Unfortunately, the only real defense against this weakness is to be ever vigilant and distrustful, which is doubly hard when we see a known contact's name at the bottom of a fake invitation. The hackers only have to get us to let down our guard once and they will be on us like piranhas. Always stop and think before granting access to anything, especially if it's the keys to your email kingdom, and take a minute to review the list of apps already connected to your account, removing any you don't recognize.