Google warns users of massive Google Docs phishing scam
Google says it has taken steps to protect users from the attacks
Users who granted access to the malicious app unknowingly also gave hackers access to their Google account data including emails, contacts and online documents. PHOTO: REUTERS
Alphabet warned its users to beware of emails from known contacts asking them to click on a link to Google Docs after a large number of people turned to social media to complain that their accounts had been hacked.
Google said on Wednesday that it had taken steps to protect users from the attacks by disabling offending accounts and removing malicious pages.
Google success in US schools forces Microsoft, Apple to scramble
The attack used a relatively novel approach to phishing, a hacking technique designed to trick users into giving away sensitive information, by gaining access to user accounts without needing to obtain their passwords. They did that by getting an already logged-in user to grant access to a malicious application posing as Google Docs.
"This is the future of phishing," said Aaron Higbee, chief technology officer at PhishMe Inc. "It gets attackers to their goal ... without having to go through the pain of putting malware on a device."
He said the hackers had also pointed some users to another site, since taken down, that sought to capture their passwords.
Google said its abuse team "is working to prevent this kind of spoofing from happening again."
Microsoft unveils Windows 10 S for its Surface laptops
Anybody who granted access to the malicious app unknowingly also gave hackers access to their Google account data including emails, contacts and online documents, according to security experts who reviewed the scheme.
"This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party," said Justin Cappos, a cyber security professor at NYU Tandon School of Engineering.
Cappos said he received seven of those malicious emails in three hours on Wednesday afternoon, an indication that the hackers were using an automated system to perpetuate the attacks.
He said he did not know the objective, but noted that compromised accounts could be used to reset passwords for online banking accounts or provide access to sensitive financial and personal data.
Luckily some users have pointed out how you can tell if the Google Doc your friend shared is real or fake.
The fake Google notification doesn't have box border formatting and address at the bottom.
In addition to this users can expand the dropdown option in the menu bar next to the sender's name. Below is a real Google notification for a shared Google Doc.
Lastly, the spam email is also addressed to "hhhhhhhhhhhhhhhh@mailinator.com," which is an account with the disposable email service Mailinator.
Google said on Wednesday that it had taken steps to protect users from the attacks by disabling offending accounts and removing malicious pages.
Google success in US schools forces Microsoft, Apple to scramble
The attack used a relatively novel approach to phishing, a hacking technique designed to trick users into giving away sensitive information, by gaining access to user accounts without needing to obtain their passwords. They did that by getting an already logged-in user to grant access to a malicious application posing as Google Docs.
"This is the future of phishing," said Aaron Higbee, chief technology officer at PhishMe Inc. "It gets attackers to their goal ... without having to go through the pain of putting malware on a device."
He said the hackers had also pointed some users to another site, since taken down, that sought to capture their passwords.
Google said its abuse team "is working to prevent this kind of spoofing from happening again."
Microsoft unveils Windows 10 S for its Surface laptops
Anybody who granted access to the malicious app unknowingly also gave hackers access to their Google account data including emails, contacts and online documents, according to security experts who reviewed the scheme.
"This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party," said Justin Cappos, a cyber security professor at NYU Tandon School of Engineering.
Cappos said he received seven of those malicious emails in three hours on Wednesday afternoon, an indication that the hackers were using an automated system to perpetuate the attacks.
He said he did not know the objective, but noted that compromised accounts could be used to reset passwords for online banking accounts or provide access to sensitive financial and personal data.
Luckily some users have pointed out how you can tell if the Google Doc your friend shared is real or fake.
The fake Google notification doesn't have box border formatting and address at the bottom.
In addition to this users can expand the dropdown option in the menu bar next to the sender's name. Below is a real Google notification for a shared Google Doc.
Lastly, the spam email is also addressed to "hhhhhhhhhhhhhhhh@mailinator.com," which is an account with the disposable email service Mailinator.