Welcome to WebmasterWorld Guest from 22.214.171.124
Forum Moderators: open
joined:Nov 11, 2000
If someone invites you to edit a file in Google Docs today, don't open it -- it may be spam from a phishing scheme that's been spreading quickly this afternoon.
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail.[twitter.com...]
1:15 PM - 3 May 2017
Google's known about the issue behind yesterday's wave of phishing attacks bearing links to Google Docs for at least five years.
Sharp-eyed and long-of-memory security types have reminded world+dog of this 2011 post to an IETF mailing list by developer André DeMarre, who way back then speculated that client name application spoofing could offer an interesting attack vector.
His post offered the following scenario to explain how such an attack could work:
Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app "Google, Inc.". The Foobar authorization server will engage the user with "Google, Inc. is requesting permission to do the following." The resource owner might reason, "I see that I'm legitimately on the https://www.foobar.com site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow.
And that's more or less what happened when the phishing campaign hit yesterday.
[edited by: engine at 7:55 am (utc) on May 5, 2017]
[edit reason] fair use [/edit]