The Google phishing attack: what we know and how it works

About an hour ago, I got an email saying that a PR person I didn’t know “has shared a document on Google Docs with you.” I clicked the link, but when it asked for my password, I grew suspicious and refused to log in. That was lucky, because it was a phishing email that has been rocketing around the web, tricking unsuspecting users into giving hackers control of their email accounts.

In a classic phishing attack, hackers create a fake site that looks like a real site and is at a URL that’s similar to the official URL — say, bankofamerica.login-now.info instead of bankofamerica.com. Unsuspecting users are then tricked into going to the site and entering their passwords believing they are on the real Bank of America site instead of an impostor.

The new attack works a bit differently. When you click the link, you go to Google’s real login page. The problem is that after you’ve entered your password there, you’re redirected to a malicious third-party site. (In my case, it would have been “googledocs.docscloud.info,” which is not a Google site.) This page asks you to grant it permission to access your email account.

If users don’t realize they’ve been redirected to a non-Google site, they inadvertently give hackers the ability to read their emails and send out emails on their behalf. Malicious software then accesses a user’s address book and sends out more phishing emails to all the victims, repeating the cycle.

The moral of the story is to be very careful, especially in the next couple of days, about any emails inviting you to view Google documents. It makes sense to double-check with the sender to make sure that a document is real before you click on any links. And under no circumstances should you approve requests to give a site extra permissions over your email: The real Google Doc doesn’t need to ask for these kinds of permissions.

Hopefully you read this article before you fell prey to the Google Docs phishing scam. But what should you do if you’re coming to this article after you’ve already clicked the link and granted permission to the malicious software?

It never hurts to change your password, but experts say that won’t help in this case. Rather, what you need to do is revoke the permissions you unknowingly gave the malicious app to your account. To do that, go to the Google app permission page and look for the app called “Google Docs” — it’s not the real Google Docs. Click on that app and then click “Remove.”

In the meantime, it’s possible that whoever is behind the attack downloaded your email for later use. It’s also likely that the attacker used your account to spam everyone in your inbox, sending out still more phishing emails inviting people to view a fake Google Doc. So spread the word among your friends and acquaintances to look out for these emails and don’t click on the links.