
Google Docs App spam goes phishing


Batu69


There’s a very clever phishing scam going around at the moment – originally thought to be targeting journalists given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes – from orgs to schools/campuses. This doesn’t mean it didn’t begin with a popped journo mailbox and spread its way out from there or that someone didn’t intentionally send it to a number of journalists of course – but either way, this one has gone viral and not in a “look at the cute cat pic” fashion.

Here’s how it happens

The potential victim receives an email claiming to be from a Mailinator account, which they dispute is related to their service.

The email reads as follows:

Title: [Contact] has shared a document on Google Docs with you

Body: [Contact] has invited you to view the following document


 

Hitting the Google-styled “Open in Docs” button takes the clicker to a genuine Google sign-in page, which is sure to wrong-foot many people:

 


 

Where this all goes wrong is on the next page, which is where the victim actually gives the app permission to access the account via OAuth. Somehow, nobody at Google thought of preventing people from calling their apps “Google Docs”.

 


Google Docs would like to

Read, send, delete and manage your email

Manage your contacts

After “Allow” is hit, the spam is then sent on to contacts. While 2FA would normally save you from a phishing attempt, in this case, the victim is willingly giving permission to the app so 2FA won’t help – the only solution is to see which apps have been granted permission and revoke.

Here are some of the domains being used for this (all offline at the time of writing, but there may be others):

Google is aware of the situation and is currently working on it. Meanwhile, Cloudflare leapt into action very quickly. We’ll update the post with more information as it comes in.

 

Article source

 

Other source: Google shuts down massive Google Docs phishing scam

Error0101


 

A massive phishing campaign is spreading like wildfire

A new massive phishing campaign has been launched, targeting Google accounts. This time around, you should beware Google Docs links included in the emails you receive. 

 

Social media is full of people from all over the job spectrum complaining about emails they received containing what appears to be a link to a Google Docs from someone they know. Instead of that work report they may have expected, the malicious emails are designed to hijack accounts.

 

How to spot it

The malicious emails have loads of recipients in BCC and they may even come from people you know who have had their accounts compromised. People on social media are complaining about getting the links from their friends.

 

Once you tap that Google Docs button, the login screen takes you to a genuine Google domain. That domain, however, asks for you to grant access to an app called Google Docs that's not actually the real app we all know and use, which doesn't require any such permissions since it's already part of the Google universe.

 

Here’s what the permissions screen looks like, for example:

 


 

If you check the title for developer information, though, you’ll get something like this:

 


 

How to fix it

In case you've fallen victim to the same scheme, you should go to your Google account page. There, go visit the Permissions page, where you can manage what apps have access to your data. Find "Google Docs" and remove authorization. While it may seem legitimate, it's not and it can damage your account. If the malicious app got access to your account after clicking the link, there should be a recent authorization time, so you'll know which one to remove.

 

If you've received such an email, don't click the link. If you're at work, contact your IT department or whomever handles digital security.

Google seems to have already started blocking this particular campaign as such emails are no longer getting delivered, even if you forward the infected email from one of your accounts to another. It doesn't mean that you may not end up with it in your inbox or that it's not there already. Therefore, pay attention and stay safe!

 

Update:

4:00PM ET, 5/3: We’re seeing reports that Google has disabled the application, although we’re still not sure exactly how far it’s spread, or if the attack might continue through another application.

 

4:25PM ET, 5/3: Google has also said it is “investigating” the issue, warning users not to click on links in the meantime.

 


 

5:17PM ET, 5/3: Added official statement from Google confirming the issue has been resolved.


 

Article source

 



Quote

Somehow, nobody at Google thought of preventing people from calling their apps “Google Docs”.

 

:lol:



  • Administrator

Funny, none of the articles seem to mention the original person which broke this news, at least from what I know about it.



17 minutes ago, DKT27 said:

Funny, none of the articles seem to mention the original person which broke this news, at least from what I know about it.

 

Original person has mentioned on other news source bottom of my topic, news from CNET.



Archived

This topic is now archived and is closed to further replies.
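
Both articles quoted in this thread end on the same remediation: list the apps that hold an OAuth grant on the account, find the one named "Google Docs" with a recent authorization time, and revoke it. The script below is an added example (not from either article or from Google) of that review done over an exported grant list. The record fields, the trusted client ID placeholder, the protected-name list and the mapping of the two consent-screen permissions to scope URLs are assumptions, and the sample records are constructed.

```python
import unicodedata
from datetime import datetime, timedelta, timezone

# Assumption: product names this organisation treats as protected brands.
PROTECTED_NAMES = {"googledocs", "googledrive", "gmail"}
# Assumption: client IDs verified out of band as genuine (placeholder value).
TRUSTED_CLIENT_IDS = {"FIRST-PARTY-CLIENT-ID.example"}
# Scope URLs assumed to match the two permissions on the consent screen.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                  # read, send, delete, manage mail
    "https://www.googleapis.com/auth/contacts",  # manage contacts
}

def normalise(name):
    """Fold case, compatibility forms, accents, spacing and punctuation."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed.casefold() if c.isalnum())

def audit_grants(grants, now, recent=timedelta(days=7)):
    """Return (client_id, reasons) for every grant that needs review."""
    findings = []
    for g in grants:
        reasons = []
        trusted = g["client_id"] in TRUSTED_CLIENT_IDS
        if normalise(g["display_name"]) in PROTECTED_NAMES and not trusted:
            reasons.append("brand name on untrusted client ID")
        risky = HIGH_RISK_SCOPES & set(g["scopes"])
        if risky and not trusted:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
            if now - g["granted_at"] <= recent:
                reasons.append("granted recently")
        if reasons:
            findings.append((g["client_id"], reasons))
    return findings

NOW = datetime(2017, 5, 3, 20, 0, tzinfo=timezone.utc)  # constructed timestamp
SAMPLE_GRANTS = [  # constructed records, hypothetical schema
    {"display_name": "Google Docs", "client_id": "unverified-app.example",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"],
     "granted_at": NOW - timedelta(hours=1)},
    {"display_name": "Calendar Sync", "client_id": "calendar-tool.example",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "granted_at": NOW - timedelta(days=200)},
    {"display_name": "Mail Archiver", "client_id": "archiver.example",
     "scopes": ["https://mail.google.com/"],
     "granted_at": NOW - timedelta(days=90)},
]
```

The name check keys on the client ID rather than the display name, because the display name is whatever the app's developer typed; a grant that matches all three reasons is the first candidate for revocation.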
