On Wednesday, users reported there was a new phishing attack disguising itself as a Google Docs file circulating via Gmail. The company quickly issued updates and patched holes after finding out, but not before over 1 million users were affected.
The attack was stopped in a matter of hours, but now cyber security experts warn the way in which it was executed could lead to replicas using other popular platforms as cover. This time over, hackers did not trick users into giving away their passwords but relied on OAuth protocol exploitation instead.
Google issued a statement through the official Google Docs Twitter account, and then later responded to the inquiries of some outlets in more detail. A new malware targeting Mac users has also been spreading via phishing emails.
— Google Docs (@googledocs) May 3, 2017
How is the Google Docs phishing scam different from others?
Regular phishing attacks rely mostly on emails disguising themselves as legitimate messages from recognized services or entities. The Google Docs attack went further by not just passing itself as the real platform, but also attempting to collect sensitive information with a dedicated app.
The app was built specifically to exploit a vulnerability in the OAuth protocol in Google’s services. OAuth stands for Open Authentication, and it is the sort of system that pops up for users to agree to terms and services when installing a new app, for example.
In the case of the Google Docs scam, users received a message from someone on their contact list inviting them to collaborate on a new document. Clicking to open the invitation immediately compromised the account and sent copies of the same message to that person’s entire address book.
Furthermore, clicking on the permissions tab that popped up afterward granted hackers the ability to access accounts, bypassing passwords and two-step verification protocols.
How can I prevent falling for this sort of attack?
Google issued a statement to several tech outlets. Speaking to the BBC, the company said the attack affected less than 0.1% of Gmail users, which back in February amounted to more than 1 billion:
“THERE’S NO FURTHER ACTION USERS NEED TO TAKE REGARDING THIS EVENT; USERS WHO WANT TO REVIEW THIRD PARTY APPS CONNECTED TO THEIR ACCOUNT CAN VISIT GOOGLE SECURITY CHECKUP.”
The tech giant also said that only contact information was compromised during this campaign and that no other data was exposed according to their investigations.
As always, Google also reminded users to be wary of strange emails, links, and attachments they receive. The sophistication of this last attack might be replicated in the form of Facebook invites, LinkedIn requests, and similar messages from high-profile platforms, experts have warned.