Google Docs has eaten away at Microsoft Office’s share of the productivity market over the past few years. Arguably better collaboration tools and a simple, cloud-based interface have made it a lot of people’s go-to word processor.
Sadly though, we keep getting shown that nothing on the internet is safe. Case in point: the Spring 2017 phishing attempt that spoofed Google Docs and abused Google’s OAuth system. How did the attackers compromise Google accounts? What data was lost? How would you know? Let’s take a look at what we know and how you can protect yourself.
Over the past few days a lot of people began receiving emails that invited them to view a Google Doc. The email was very similar visually to a real Google Docs request, as well as a legitimate sounding subject line of “[Your Contact] has shared a document on Google Docs with you” — however, it did have a tell: the recipient was email@example.com with your address only listed in the BCC field.
Not all email clients show the full email address by default and so many people had no reason to be suspicious and clicked on the request link. The link took you to a legitimate Google landing page for OAuth access. If you have multiple accounts signed in, it would ask you which account you wanted to use. Choose one, and you were presented with an authorization page with “Google Docs” asking for permission to access your account.
Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX
— Zach Latta (@zachlatta) May 3, 2017
Although the Google Docs app used the Google Drive logo there was another sign that it was fake. Clicking on the app name reveals the developer details and rather than showing Google it was listed
firstname.lastname@example.org with a website of
Despite being able to spoof the Google Docs name, the real Docs does not require access to your account. Any such authorization attempts are fake and likely to be malicious. After being granted access to your account and contacts, the fake Google Docs app would proceed to send the phishing email to all of your contacts.
Since the attacker also requested access to “read, send, and manage” your email they may have also collected data from your emails. According to a statement from Google though, they believe only contact data was accessed.
While there was a lot of activity on social media of people reporting the phishing attempt, many were first alerted to the attack via a Reddit thread. It’s unclear if Google knew about the threat before, but it seems as though the first time it was addressed was when a Googler appeared in the thread and pushed it for escalation. The “Google Docs” developer was blocked from OAuth within half an hour of escalation which prevented the phishing attack.
According to a statement Google estimated that only 0.1 percent of Gmail users were affected by this attack. While that sounds small Gmail is estimated to have over a billion users, so this phishing attack may have affected over one million users. If the app was granted access to your Google account then it still has that access so you should head to your Google Account settings and remove any app named Google Docs.
we virtually all the domains killed within about 10 minutes of the first report on Twitter.
— Justin (@xxdesmus) May 3, 2017
The sites associated with the fake Google Docs app were mostly hosted on CloudFlare. Luckily the hosting company also acted quickly on this information, reportedly blocking all associated domains within ten minutes. However, any data harvested by the app may already be in the hands of the attacker.
To remove the fake Google Docs app from access your Google account head over to your Permissions settings now and click Remove. While you are there it may be worth checking over all other apps that have access to your account and remove any unused or suspicious ones.
Google has also recommended performing a Security Checkup if you think you may have been affected by the attack. Even if you haven’t been, performing regular checkups is a good idea all the same.
— Google Docs (@googledocs) May 3, 2017
Although there may be solutions that the tech companies can implement they often take a “whack-a-mole” approach and targeting each attack as it comes. There will always be people trying to convince you to divulge personal information — in the physical world they would be referred to as con men or scam artists.
The best defense you have is to know the signs of a phishing attempt. If either the recipient or sender email is an unusual, junk-sounding email address then you should proceed with caution. If you receive what you believe to be a phishing email then you should report it to Google.
The OAuth page was problematic as it was a legitimate site, asking you to authorize a malicious app’s access to your account. There may be steps Google and others could take to prevent malicious apps from using spoof names, but in the meantime you can check the developer info on any of Google’s OAuth pages by clicking on the app name which should reveal more about its motives.
In what seems like incredibly serendipitous timing, the Gmail Android app was updated the same day as the Google Docs attack. The update alerts users when they click on a link to a suspected phishing email. It still wouldn’t have mitigated the Docs attack as it directed you straight to a legitimate Google authorization page.
A Trend Micro report highlighted this kind of attack only a few weeks before the Google Docs iteration. In their case it was an app called Google Defender, but the attack method was almost identical and linked to a group called Pawn Storm. Although Google has taken steps to prevent the Google Docs attack, there may well be similar attacks in the future.
Reading up on the ways to spot a phishing email is a great place to start though. Although it didn’t prevent the Google Docs attack, Gmail can actually help you identify phishing emails too. Protecting yourself from the latest attack can seem like a never ending job but it is definitely worth the effort to fight the security fatigue.
Were you hit by the Google Docs phishing attack? Or did you get an email from someone who was? Would it stop you using Google Docs in the future? Let us know your thoughts in the comments below.
Image Credit: wk1003mike via Shutterstock.com