Don’t open that Google Docs attachment, it might be a scam

4 May 2017

Google Docs. Image: dennizn/Shutterstock

A widespread phishing attack has circulated online, luring victims in with a prompt to sign into Google Docs.

One of the more visually convincing phishing scams doing the rounds at the moment involves an attempt to use Google Docs as a hook, and internet laziness as a lure, to catch victims.

Hitting the US by storm, the email attack comes with the subject line stating that someone has “shared a document on Google Docs with you”.

What’s particularly tricky about this incident is that, when the victim clicks into the link, they’re actually brought to a legitimate Google sign-in screen.

Clicking through from there, though, is when the trap is fully executed, with victims giving up permissions that could see the attackers attain contacts, spreading the plague further.

Google was quick to respond to the scam, as more and more people reported it online.

“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” said the company in a statement.

“We’ve removed the fake pages, pushed updates through Safe Browsing and our abuse team is working to prevent this kind of spoofing from happening again.”

Google said that it wants anyone hit by the attack, or anyone who sees it, to report it directly in Gmail.

Anyone who clicked on a fraudulent email is encouraged to visit Google Security Checkup and remove apps they don’t recognise.

There are several hints to let potential victims know it is a scam, as it differs from a standard Google email. Still, humans are not known for general awareness of risk online.

A remarkably well-timed report from cybersecurity company Glasswall this week indicated that the vast majority of office employees open all email attachments if they come from a known contact. This is despite attacks such as the above circulating for years.

The rise in ransomware will no doubt worry many companies.

Simon Taylor, VP of product at Glasswall, noted the growth in productivity suites such as Google Docs, and how they’re “the lifeblood of today’s internet users”.

“This includes consumers and employees of massive corporations and, often times, they’re one and the same.

“If reports are true, it only takes one or two clicks by a recipient to unknowingly open a weaponised link (in this case), or spreadsheet, slideshow or PDF, and trigger an attack in many other cases.

“Attackers are becoming increasingly cleaver [sic] with their tactics and organisations, and security tools must change the way they identify threats as new systems and methods are developed by nefarious actors.”

Updated, 10am, 4 May 2017: Google has released a statement on the incident.

“We realise people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation.

“We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1pc of Gmail users.

“We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems.

“We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed.

“There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”

Google Docs. Image: dennizn/Shutterstock

Gordon Hunt was a journalist with Silicon Republic