Large scale phishing attack leaves Gmail users open to hacking
If you use Gmail and have just received an email in which someone you know appears to be sharing a Google Doc with you, do not open it.
There is currently a rather massive phishing attack making its way to Gmail users, and it is quite easy to fall for. To summarize a reddit post by JakeSteam, it works like this:
- In Gmail you receive an email saying a Google Doc has been shared with you, likely from someone in your contact list.
- When you click on the button, you are taken to a real Google account selection screen.
- After you select the account you want to use, an application that appears to be from Google, named "Google Docs", asks for several permissions to access your account. This is not really Google: it is a third-party application made to look like Google.
- Once you grant the permissions, it self-replicates by sending the same email to all of your contacts.
- The attack bypasses two-factor authentication and login alerts: you never type a password, so no login takes place. Instead you authorize a third-party application, and the attacker uses that authorization to act on your account. Because you gave the imposter "Google Docs" full access to your email, it is possible the attacker could extract any information stored in your messages. That access could also be used to take over your accounts on other services by triggering password reset emails and reading them. Be sure to read the Reddit post for more.

If you have been affected, revoke access to the fake "Google Docs" application in your Google account's connected-apps settings. Check your Sent folder: if you see the spam emails there, send a follow-up email to your contacts warning them. Also let whoever sent you the email know that their account has been compromised.
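The consent screen in the steps above is the point where the attack succeeds or fails: a genuine Google product does not need you to hand a third party full access to your mail and contacts. The script below is an added illustration, not code from the article, the Reddit post or Google. It assumes the consent URL has the shape Google's OAuth 2.0 authorization endpoint uses (a page on accounts.google.com carrying `client_id`, `redirect_uri` and `scope` query parameters), and it flags a request that asks for the full-mailbox or contacts scopes while sending the user back to a non-Google site. The scope strings are Google's published OAuth scope identifiers; the two sample URLs and their hostnames are constructed for this example.

```python
"""Assess an OAuth consent URL for the pattern used by the fake "Google Docs" app.

Added example (not the article's or Google's code). Assumes the URL looks like
Google's OAuth 2.0 authorization request; the sample URLs below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Scopes that hand over the whole mailbox or the address book. These are
# Google's published OAuth scope identifiers.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                        # full Gmail access
    "https://www.googleapis.com/auth/gmail.modify",    # read and modify mail
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# A consent screen for a genuine Google product would send you back to Google.
GOOGLE_HOSTS = ("google.com", "googleapis.com", "googleusercontent.com")


def host_is_google(host):
    """True if host is one of the Google domains above or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTS)


def assess_consent_url(url):
    """Parse an authorization URL and explain why it is, or is not, suspicious."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)          # percent-decodes values for us

    scopes = set()
    for raw in query.get("scope", []):
        scopes.update(raw.split())         # scope is a space-separated list

    redirect_uri = query.get("redirect_uri", [""])[0]
    redirect_host = urlsplit(redirect_uri).hostname or ""
    risky = sorted(scopes & HIGH_RISK_SCOPES)

    reasons = []
    if not host_is_google(parts.hostname):
        reasons.append("consent page is not hosted on a Google domain")
    if risky and not host_is_google(redirect_host):
        reasons.append(
            "broad mail/contacts access would go to an app at "
            + (redirect_host or "<no redirect_uri>")
        )

    return {
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "risky_scopes": risky,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample: a third-party app asking for full mail + contacts access.
PHISH_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

# Constructed sample: a third-party sign-in asking only for identity scopes.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fcalendar.example%2Fcb"
    "&response_type=code"
    "&scope=openid%20email"
)

if __name__ == "__main__":
    for label, url in (("phish", PHISH_URL), ("benign", BENIGN_URL)):
        result = assess_consent_url(url)
        print(label, "suspicious" if result["suspicious"] else "ok", result["reasons"])
```

The check is a heuristic, not proof: a legitimate mail client also asks for mailbox scopes and redirects to its own domain, which is exactly why such a request deserves a pause and a look at who the app really is. The fake "Google Docs" relied on users not pausing.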
Update: A Google spokesperson shared the following statement:
We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 percent of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.