Widespread Google Docs Phishing Scam
Google Docs Attack
Phishing scams are on the rise worldwide in recent years. One antivirus company claims to have blocked 70 million phishing emails over a 3 month period. You’ve seen the news / entertainment (newsertainment?) programs with the blurred out nude photos of celebrities (remember Jennifer Lawrence, Kim Kardashian, Scarlett Johansson) who were “hacked” by now. Certainly you recall last year’s election and the fallout from John Podesta’s emails being leaked en masse. The claims of being “hacked” bring up images of a nerdy figure in a dark basement illuminated by only the glow of a computer monitor, furiously typing away on a keyboard while remotely hacking into someone’s computer.
But that’s not always the case. In fact, it is far less common that phishing scams. “What’s the difference between hacking and phishing?” you may ask. And I’m so glad you did. Hacking involves making a direct effort to compromise and penetrate a computer system. Something specific like a large e-commerce server or bank. This lets the hacker access, download and exploit all the data stored therein. Or – to take control of the aforementioned servers for eavesdropping / surveillance purposes. Either way, it is a direct, targeted attack on a single computer or system – for the most part.
Phishing, on the other hand, takes its name from the sport or pastime of actually fishing. Where you use bait to deceive and capture your quarry. In technological parlance, phishing is accomplished via email with either infected attachments or live links that lead to infected servers. Once triggered, the malicious code goes about its task to harvest your information, take control of your computer, steal your identity, encrypt your computer (ransomware) or turn your computer into a bot (in a botnet) to take part in an attack on a larger target.
If you’ve been reading my blog, you have seen numerous posts on recent phishing scams. Fake shipping notices, emails from your bank to reset your password, attachments you’re supposed to open that look too generic for anyone to actually click on, etc. The schemes become more sophisticated every day. But “Spearphishing” is what attacked the victims in the examples above. This is a targeted attack. Phishing is a scattergun approach and is designed to reach as many potential victims as possible. Historically, roughly 12% of people actually respond to phishing scams and click on the infected attachment or link. Therefore, sending out large numbers of emails yields more results – 12% of the total number of emails.
Spearphishng, however, is targeted to specific individuals or companies. It employs the same techniques, utilizing emails that look legit, but contain attachments or links that will give the “hacker” (really an attacker) administrator level control to the computer receiving the email. Once the attacker has gained access, they simply search for the information they are interested in (photos, emails, financial records) and transfer them to their own computer.
On Wednesday (yesterday – May 3, 2017) a widespread phishing scam targeted a specific group of people. Journalists. The attack came in through Google’s Gmail system and utilized Google Docs as the delivery mechanism. CNN, Buzzfeed and Motherboard all tweeted they had received the phishing email. Threat Intelligence firm Talos reports roughly 150 messages being sent every minute at its peak, before the attack was halted.
The attack was thwarted within an hour by Google’s security team, but not before over a million accounts were impacted. According to Google, contact information was accessed and used, but no other information was exposed. A million accounts sounds like a lot, but it’s only 0.1%, so in the overall scheme of things it’s a pretty minor impact.
Of course if it’s YOUR account, the impact may be not-so-minor. It’s kind of like the percentage of rain chances. Your local meteorologist may have predicted a 40% chance of rain. But if you’re out on your Harley in a downpour, the chance of rain in your little slice of paradise has just gone up to 100%.
Here’s what took place.
The attackers created a malicious app named “Google Docs” which looked very convincing and legitimate. Since it looked so authentic and seemed to come from a trustworthy source, around a million people clicked on it and had their accounts compromised. When opened, it gave the attacker total control over the victim’s Google account. At this point, the aforementioned miscreants could view and download whatever exists in the compromised account. That includes the entire email history, contact list, photos, Google Docs, etc.
Eva Galperin, director of the Electronic Frontier Foundation says that anyone who clicked on yesterday’s link should remove Google Docs from their Google App permissions. You can do this by following this link.
There is an interesting GQ article on this topic.
CNN Tech also wrote an article on this.
Once again, I recommend not clicking on any attachment before personally verifying it to be legit. You can send an email back to the person who sent it to you, asking if they meant to send that email, pick up the phone and ask them or send a text. I know. It’s a royal pain to go through all thin. But perhaps that’s the trade-off for not having your life / career sidelined for an indeterminate amount of time. A ransomware attack can be expensive and very destructive. Having sensitive personal information disseminated across the globe in minutes can also be hard on your career, relationships and psyche. So maybe… just maybe you want to pick up the phone next time you receive an email with a live link or attachment.