Google Docs and Phishing

In March of 2017, users of the popular online word processor Google Docs were the target of a large online phishing attack. An email was sent to users impersonating a Google Docs sharing email spread across the internet. The phishers sent emails to users pretending to be somebody they knew, and requested to share a document with them. The link embedded in the email takes them to a real Google sign-in page, and after inputing their data, users were asked to “continue to Google Docs”. However, instead of being redirected to the real Google Docs website, they were directed to a third-party app named “Google Docs”, created by the phishers.

By following the “continue to Google Docs” link, the victims unwittingly granted permission to the phishers to access their email accounts and address books. This continued the cycle, and a new fraudulent email was sent to the people in their contact list.

The attack quickly spread throughout the internet, and gained much media attention. Several experts stated that it was very easy to fall for, and was extremely effective in achieving its goal. However, within hours of the scam being noticed, the attack was stopped by Google and the errors fixed. A Google spokesperson issued a statement shortly afterwards, saying:

“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

There are several reasons cited for why this attack was so effective. The phishers managed to craft the email such that it passed through Gmail’s inbuilt security software and infrastructure. The scammers also used sent the email from a real gmail email address, further fooling Gmail’s security measures.

Furthermore, this scam worked in a very different way to most normal phishing schemes. Most attacks work by sending an email with an embedded link to a malicious website and hoping that the victim clicks on it. In this instance, instead of taking the user to a bogus website, the phishers took advantage of the fact that you can create a non-Google app with a misleading name. Only by checking the developer info could users identify the app as a fake and thus prevent themselves from being scammed. However, very few users very savvy enough to do this, and therefore fell victim to this very sophisticated attack.

In response to the attack, Google updated its security features to prevent future attacks of a similar nature from occurring. There is some evidence that the company had been warned that an attack of this form could occur, but had not taken preventative measures.

Those who clicked the link have already had their address books accessed and emails had been sent to their contacts. However, once they realised they had been phished, they could revoke the app’s access to their account by changing their settings through Google’s “Connected Apps and Sites” page to prevent further information being stolen from their account.