Google Docs Phishing scheme rapidly spreading today

Phishing emails coming as Google Docs

     
9:38 pm on May 3, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:11831
votes: 284


If someone invites you to edit a file in Google Docs today, don't open it -- it may be spam from a phishing scheme that's been spreading quickly this afternoon.

Google Docs users hit with sophisticated phishing attack
May 3, 2017
[theverge.com...]

The messages often appear to be coming from people you may know....

Twitter update from Google @gmail at about 4:15 eastern time today...
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail.
1:15 PM - 3 May 2017
[twitter.com...]

9:58 pm on May 3, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:7507
votes: 505


Sooner or later, the fun will begin.... the scamps out there are always looking for another rube.

10:33 am on May 4, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24156
votes: 522


Phishing is getting more sophishticated [sic] and I've seen quite a few recently. The personalisation coming through is making it much easier for people to fall victim, and it's getting to the stage where people will have to ignore these emails and documents entirely and fall back to actually speaking to the person it's supposed to have come from.

10:37 am on May 4, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8341
votes: 339


The Phishing may be recent, however Google Docs has been exploited for quite some time. I've found it necessary to block the User Agent from access to servers across all sites.

I also block downloading Google Docs to all devices.

10:41 am on May 4, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24156
votes: 522


From reports, Google has said it has solved the problem by blocking the exploit and banning accounts used to send the missives.

10:52 am on May 4, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:11831
votes: 284


Not clear if this fix is for new messages only, or whether the problem has been fixed for the early messages that went out as well.

11:26 pm on May 4, 2017 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8471
votes: 222


The thing is, that just stops one person. This is a worrisome exploit. Google and Facebook and many so-called security experts suggest using Single Sign-On (SSO). I have never seen how that can possibly improve people's security, but whatever. In addition they have trained them to click to let Google have access or whatever.

So I don't see how Google can block the exploit, just this particular instance of the exploit. I think the exploit itself is in their very architecture.

2:21 am on May 5, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:7507
votes: 505


Google's known about the issue behind yesterday's wave of phishing attacks bearing links to Google Docs for at least five years.

Sharp-eyed and long-of-memory security types have reminded world+dog of this 2011 post to an IETF mailing list by developer André DeMarre, who way back then speculated that client name application spoofing could offer an interesting attack vector.

His post offered the following scenario to explain how such an attack could work:

Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app "Google, Inc.". The Foobar authorization server will engage the user with "Google, Inc. is requesting permission to do the following." The resource owner might reason, "I see that I'm legitimately on the https://www.foobar.com site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow."

And that's more or less what happened when the phishing campaign hit yesterday.

[theregister.co.uk...]
It does beg a question why g did not address this during the last six years?

[edited by: engine at 7:55 am (utc) on May 5, 2017]
[edit reason] fair use [/edit]
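
The client-name spoofing scenario quoted in the post above points at a check an authorization server can run when a client application is registered. The following is an added example, not part of the thread and not any real OAuth server's code; `PROTECTED`, `CONFUSABLES`, `skeleton` and `impersonates` are hypothetical names, and the sample client names are constructed.

```python
import unicodedata

# Hypothetical registry: protected display name -> domain verified for its owner.
PROTECTED = {"Google": "google.com", "Foobar": "foobar.com"}

# Constructed, deliberately small look-alike map; a real deployment would use
# the full Unicode confusables data instead.
CONFUSABLES = str.maketrans({
    "\u043e": "o",  # Cyrillic small o
    "\u0435": "e",  # Cyrillic small ie
    "\u0430": "a",  # Cyrillic small a
    "\u0441": "c",  # Cyrillic small es
    "\u03bf": "o",  # Greek small omicron
    "0": "o",
    "1": "l",
})


def skeleton(name):
    """Comparison key: NFKC + casefold, look-alikes mapped, only letters/digits kept."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(CONFUSABLES)
    decomposed = unicodedata.normalize("NFD", folded)  # split accents off base letters
    # Drops punctuation, spaces, combining marks and zero-width characters.
    return "".join(ch for ch in decomposed if ch.isalnum())


def impersonates(client_name, registrant_domain=None):
    """Return the protected name a requested client name imitates, else None."""
    key = skeleton(client_name)
    for brand, owner_domain in PROTECTED.items():
        # Only a registrant verified for the owner's domain may use the name.
        if skeleton(brand) in key and registrant_domain != owner_domain:
            return brand  # hold for manual review; keep it off the consent screen
    return None


if __name__ == "__main__":
    samples = [  # constructed registration requests: (display name, verified domain)
        ("Google, Inc.", None),
        ("G\u043e\u043egle Docs", "example.net"),
        ("Google Docs", "google.com"),
        ("Acme Notes", "acme.example"),
    ]
    for name, domain in samples:
        print(repr(name), domain, "->", impersonates(name, domain))
```

Substring matching is intentionally broad, so a hit should route the registration to review rather than reject it outright.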

 
