In March of 2017, phishers targeted users of the popular online word processor Google Docs with a massive phishing attack. They spoofed the tech giant in email by pretending to be someone the users knew, falsely requesting to share a document with them. The link embedded in the email took victims to a real Google sign-in page. After entering their details, users were asked to “continue to Google Docs”. However, instead of being redirected to the real Google Docs website, they were directed to a third-party app named “Google Docs”, created by the phishers.
By following the “continue to Google Docs” link, the victims unwittingly gave the phishers access to their email accounts and address books. The phishers used these new contacts to continue the cycle and sent a new round of fraudulent emails to the people in their contact list.
Due to the self-perpetuating nature of the attack, it spread quickly across the Internet. It garnered much media attention due to the convincing nature of the scam. Cybersecurity experts claimed it was ‘very easy’ to fall for and was ‘extremely effective’ in achieving its goal. However, within hours of the scam being noticed, Google stopped the attack and fixed the associated errors in their service. A Google spokesperson issued a statement shortly afterwards, saying:
“We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
This attack was particularly worrying to cybersecurity experts due to its effectiveness. The phishers managed to craft the email such that it passed through Gmail’s inbuilt security software and infrastructure. The scammers also sent the email from a real Gmail address, further fooling Gmail’s security measures.
Experts noted that this scam worked in a very different way to most traditional phishing schemes. Most attacks work by phishers sending an email with an embedded link to a malicious website and hoping that the victim clicks on it. In this attack, instead of taking the user to a spoofed website, the phishers took advantage of the fact that anyone can create a non-Google app with a misleading name. Users would have had to check the developer information on the consent screen to identify the app as a fake and thus avoid being scammed. However, very few users were savvy enough to do this, and so they fell victim to this very sophisticated attack.
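The check described above, that an app's display name should be weighed against its developer field and the access it requests, can be expressed as a small review heuristic. This is an added example and not code from the original article or from Google; the app names, developer field value and scope strings are constructed sample data, not real Google identifiers.

```python
"""Heuristic review of a third-party app consent request, modelled on the
2017 "Google Docs" lure. Constructed example data throughout (assumption)."""

# Product names a genuine first-party app would carry. An app using one of
# these names while listing a non-Google developer is a red flag.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google sheets"}
# Assumed value of the developer field for a genuine first-party app.
FIRST_PARTY_DEVELOPER = "google llc"

# Access the 2017 attack abused: reading mail and harvesting the address book
# so the lure could be re-sent to every contact. Scope names are constructed.
HIGH_IMPACT_SCOPES = {"mail.readonly", "mail.send", "contacts.readonly"}


def assess_consent_request(app_name, developer, scopes):
    """Return findings for one consent request as a dict of flags."""
    name = app_name.strip().lower()
    dev = developer.strip().lower()
    return {
        # Name matches a first-party product but the publisher is not Google.
        "impersonates_first_party": name in FIRST_PARTY_NAMES
        and dev != FIRST_PARTY_DEVELOPER,
        # Scopes that would let the app read mail or copy the address book.
        "high_impact_scopes": sorted(set(scopes) & HIGH_IMPACT_SCOPES),
    }


def should_block(app_name, developer, scopes):
    """Block only the combination the 2017 attack relied on: a name that
    impersonates a first-party product plus mail or contacts access.
    A plainly named third-party app asking for contacts is merely flagged."""
    findings = assess_consent_request(app_name, developer, scopes)
    return findings["impersonates_first_party"] and bool(findings["high_impact_scopes"])


if __name__ == "__main__":
    # Constructed request resembling the lure: first-party name, unknown developer.
    req = ("Google Docs", "unknown-dev-example", ["mail.readonly", "contacts.readonly"])
    print(assess_consent_request(*req))
    print("block:", should_block(*req))
```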
In response to the attack, Google updated its security features to prevent future attacks of a similar nature from occurring. There is some evidence that the company had been warned that an attack of this form could occur, but had not taken preventative measures.
Those who clicked the link had already had their address books compromised. However, once they realised they had been phished, they could revoke the app’s access to their account through Google’s “Connected Apps and Sites” settings page, preventing further information from being taken from their account.