On May 3rd there was a massive phishing attack which attempted to gain control of Google user accounts with a fake Google Docs link. Google neutralized the attack within an hour of the first reports appearing on reddit. However, during that hour the attack spread like a worm. As each user account was compromised, all their contacts were spammed with the same message. This means that a lot of messages were sent before the attack was disabled, and many accounts may have been compromised.
Unlike most phishing attacks, this one did not require you to enter your password to compromise your account, and it would work even if you have two-factor authentication enabled. The attack worked by setting up an application and then tricking you into giving that application the right to access your contacts list and Gmail account. Why were so many people tricked into doing this? Because the application was named “Google Docs”. For a deeper technical description of the attack, see Bojan Zdrnja’s write-up on SANS ISC.
If you did receive one of these emails, clicked on the link, and then clicked the “Allow” button, you gave the fake “Google Docs” app full control over your email and contacts list. You did not give away your password, so the normal advice to change your password when you are phished does not apply (unless that password was in an email message). What you should do is remove the authorization from this app. Google may be doing this automatically, but in case they haven’t got to your account yet, here’s what you do.
- Go to https://myaccount.google.com/permissions
- Look for “Google Docs” on the list of apps
- If it is there, click on it
- Click the “Remove” button
While you are there, it would be a good idea to remove any other apps that you don’t recognize or haven’t used recently.
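The same check can be run centrally by a Google Workspace administrator. As an added example (not from the original post), the routine below triages OAuth grants in the shape returned by the Admin SDK Directory API tokens.list method, flagging apps that carry a Google brand name without being an allow-listed Google client, or that hold mailbox or contacts scopes. The scope list, the allow-list, the client IDs and the sample records are constructed for the example.

```python
import re
from dataclasses import dataclass

# Scopes that give the kind of access the fake "Google Docs" app asked for:
# full mailbox control and the contacts list. (Assumption: this list is the
# example author's choice, not taken from the original post.)
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.google.com/m8/feeds",
    "https://www.googleapis.com/auth/contacts",
}

# A display name is not an identity; the trustworthy signal is an allow-list
# of client IDs the admin maintains. This entry is a placeholder, not a real ID.
KNOWN_GOOGLE_CLIENT_IDS = {"EXAMPLE-GOOGLE-CLIENT-ID.apps.googleusercontent.com"}

BRAND_PATTERN = re.compile(r"\b(google|gmail|g suite)\b", re.IGNORECASE)

@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    reasons: list

def triage_tokens(user: str, tokens: list) -> list:
    """Return a Finding for each grant matching the fake-Docs pattern.

    `tokens` mirrors the `items` of a tokens.list response: dicts with
    clientId, displayText and scopes keys."""
    findings = []
    for tok in tokens:
        reasons = []
        name, client_id = tok.get("displayText", ""), tok["clientId"]
        sensitive = set(tok.get("scopes", [])) & SENSITIVE_SCOPES
        if sensitive:
            reasons.append("sensitive scopes: " + ", ".join(sorted(sensitive)))
        if BRAND_PATTERN.search(name) and client_id not in KNOWN_GOOGLE_CLIENT_IDS:
            reasons.append("third-party app uses a Google brand name")
        if reasons:
            findings.append(Finding(user, client_id, name, reasons))
    return findings

# Constructed sample grants; the client IDs are placeholders.
SAMPLE_TOKENS = [
    {"clientId": "fake-docs-PLACEHOLDER.apps.googleusercontent.com",
     "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.google.com/m8/feeds"]},
    {"clientId": "calendar-sync-PLACEHOLDER.apps.googleusercontent.com",
     "displayText": "Team Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

if __name__ == "__main__":
    for f in triage_tokens("alice@example.com", SAMPLE_TOKENS):
        print(f"{f.user}: remove '{f.display_text}' ({f.client_id}): {'; '.join(f.reasons)}")
```

Flagged grants can then be revoked with the Directory API tokens.delete method for that user and client ID.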
Once the app is no longer there, the criminals responsible for the attack no longer have access to your email. However, it’s possible that they took a copy of your contacts list and mailbox while they did have access. Google will probably be providing more information on this in the next few days. Code alleged to be the fake Google Docs app has been published. So far as I can tell from a first look, contact lists were logged but mailbox contents were not exfiltrated. Amusingly, the hackers used Google Analytics for logging, so Google now has complete records of this attack, and the hackers are locked out of their Google Analytics account.
However, we don’t know if this was the complete code, or how much data they were able to exfiltrate before they were shut down, so if you were successfully phished you should assume that the criminals have a copy of your contacts list and mailbox until Google tells you otherwise. Be particularly suspicious of emails that appear to come from your friends. If you have ever sent or received a password by email: change that password now and next time use a voice call to transmit passwords.
I suspect that the success of this attack surprised the perpetrators. It grew and spread so quickly that it attracted attention right away. Cloudmark started flagging these emails as spam within a minute of them first appearing, and Google investigated and shut down the fake Google Docs app within an hour. If the attack had not used the worm approach to spreading but had been used for targeted spear phishing it might have lasted much longer. Hopefully Google will continue their rapid response by improving security on rogue apps before the next attack like this.
UPDATE 2017-04-04 11:25:00 PST: Google has confirmed that contact information was compromised, but email contents were not. See http://www.bbc.com/news/business-39798022