Don’t click that Google Docs link! Gmail hijack mail spreads like wildfire

If you get an email today sharing a Google Docs file with you, don’t click it – you may accidentally hand over your Gmail inbox and your contacts to a mystery attacker.

The phishing campaign really kicked off in a big way on Wednesday morning, US West Coast time. The malicious email contains what appears to be a link to a Google Doc file. This leads to a legit page asking you to authorize “Google Docs” to access your Gmail account.

Except it’s not actually the official Google Docs requesting access: it’s a rogue web app with the same name that, if given the green light by unsuspecting marks, then ransacks contact lists and sends out more spam. It also gains control over the webmail account, including the ability to read victims’ messages and send new ones on their behalf.

Apparently no one at Google thought to block someone calling their app Google Docs.

If the permissions are granted, the software will immediately spam out the same message to all the people on your contacts list, bypassing two-factor authentication if you have that set up on your account. Here at Vulture West we’ve been getting bombarded with these emails, including some from journalists at other publications.

“There’s a very clever phishing scam going around at the moment – originally thought to be targeting journalists given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes – from orgs to schools / campuses,” explained Christopher Boyd, malware intelligence analyst at Malwarebytes, today.

“This doesn’t mean it didn’t begin with a popped journo mailbox and spread its way out from there, or that someone didn’t intentionally send it to a number of journalists of course – but either way, this one has gone viral and not in a ‘look at the cute cat pic’ fashion.”

The emails do have some distinguishing characteristics. They are all addressed to the same [email protected] address, with the victims BCC’d, and sent from the last person to accidentally authorize the malicious app.
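A triage heuristic built from those traits, as an added example that is not from the original article: it flags a delivered message when the mailbox owner was BCC'd, a single address sits in the visible recipient fields, and the body links to Google's OAuth consent endpoint. The function name, the sample messages and the assumption that the lure links directly to `accounts.google.com/o/oauth2/` are illustrative.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Google's OAuth 2.0 consent endpoint. A "shared document" mail that links
# straight to it is requesting account access rather than opening a file.
OAUTH_LINK = re.compile(r"https://accounts\.google\.com/o/oauth2/\S*", re.I)

def triage(raw: str, mailbox: str) -> dict:
    """Check one delivered message for the traits described in the article."""
    msg = message_from_string(raw)
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    body = "".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    findings = {
        # Mailbox owner absent from To/Cc means the copy arrived via BCC.
        "bcc_delivery": mailbox.lower() not in visible,
        # The campaign put one throwaway address in the To field.
        "single_visible_recipient": len(visible) == 1,
        "oauth_consent_link": bool(OAUTH_LINK.search(body)),
    }
    # BCC alone is common (newsletters), so require all three together.
    findings["suspicious"] = all(findings.values())
    return findings

# Constructed sample messages; every address and parameter is a placeholder.
PHISH = """\
From: colleague@example.org
To: placeholder-dropbox@example.net
Subject: constructed sample subject

Open in Docs: https://accounts.google.com/o/oauth2/auth?client_id=PLACEHOLDER
"""
BENIGN = """\
From: colleague@example.org
To: victim@example.com
Subject: constructed sample subject

Here is the file: https://docs.google.com/document/d/PLACEHOLDER/edit
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw, "victim@example.com"))
```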

If you have fallen prey to the attack, there are steps that can be taken to ameliorate the situation. Simply go into your Google account permissions page and remove all the access privileges for the evil Google Docs account.

Google hasn’t released an official statement; however, its Project Zero wunderkind Tavis Ormandy has confirmed that the security team is on the case. Gmail has also said it is aware of the issue.
