Remember that $100 million whaling scam?
Victims were sent a fraudulent email disguised as an invitation to edit a Google Doc, appearing to come from one of their contacts.
The subject line reads “[Contact name] has shared a document on Google Docs with you”.
And the content of the email looks totally legitimate – as if it was an authentic Google Docs invite.
When users clicked the “Open in Docs” button in the email, they were taken to a real Google-hosted page and asked to allow a third-party service calling itself “Google Docs” to access their email account data. By granting that permission, victims gave the hackers access to their email account, contacts and online documents. The malware then e-mailed everyone in the victim’s contacts list to spread itself even wider.
Why is it so worrying?
The quality of the email, and the way the malware was set up as a third-party app to steal data, mean that this phishing attack is more sophisticated than typical attempts. The number of people affected is also alarming: Google has reported that the spam campaign affected “fewer than 0.1%” of Gmail users, but that still works out to over one million people targeted by the phishing attempt.
What has Google done about it?
Google has released a statement saying that they had stopped the attack “within approximately one hour…[by] removing fake pages and applications”. They went on to say “There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”
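The attack above worked through an OAuth grant to a third-party app named after a Google product, and Google’s own advice is to review the third-party apps connected to your account. The audit below is an added example, not code from this article or from Google: it walks a constructed list of connected apps and flags any whose name impersonates a Google product or which holds mail, contacts or Drive scopes (the scope URIs are real Google ones; the record format is assumed, not an actual Security Checkup export).

```python
import re
from dataclasses import dataclass, field

# Real Google OAuth scope URIs that give an app mail, contacts or document access.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
    "https://www.googleapis.com/auth/drive": "full Drive access",
}

# Google's own products never appear as third-party grants, so a third-party
# app carrying one of these names is impersonating the product.
GOOGLE_PRODUCT_NAMES = re.compile(
    r"^\s*(google\s*)?(docs|drive|gmail|sheets|calendar)\s*$", re.IGNORECASE
)


@dataclass
class ConnectedApp:
    name: str
    scopes: list = field(default_factory=list)


def assess(app):
    """Return (verdict, reasons): 'revoke' when the app both impersonates a
    Google product and holds sensitive scopes, 'review' for either alone."""
    reasons = []
    if GOOGLE_PRODUCT_NAMES.match(app.name):
        reasons.append(f"third-party app named like a Google product: {app.name!r}")
    held = [SENSITIVE_SCOPES[s] for s in app.scopes if s in SENSITIVE_SCOPES]
    if held:
        reasons.append("holds sensitive scopes: " + ", ".join(held))
    verdict = {0: "ok", 1: "review", 2: "revoke"}[len(reasons)]
    return verdict, reasons


def audit(apps):
    """Map each app name to its verdict so the list can be reviewed at a glance."""
    return {app.name: assess(app)[0] for app in apps}


# Constructed sample grants: the first mirrors the impersonating "Google Docs" app.
SAMPLE_APPS = [
    ConnectedApp("Google Docs", ["https://mail.google.com/",
                                 "https://www.googleapis.com/auth/contacts"]),
    ConnectedApp("Acme CRM", ["https://www.googleapis.com/auth/contacts"]),
    ConnectedApp("Weather Widget", ["https://www.googleapis.com/auth/userinfo.email"]),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app.name, *assess(app))
```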
What next? How do I ensure I’m protected?
User vigilance and education are the main defences against sophisticated phishing attacks such as these.
Firstly, don’t open a link to a document that you weren’t expecting to receive; if in doubt, email the sender to check that they really sent you a link to an authentic document. Avoid opening any links in Google Docs for the time being, and forward this article to any of your contacts you feel may have fallen victim to the scam.
Secondly, make sure you have two-factor authentication on your Google accounts, which ensures that even if hackers do manage to find your password they can’t use it to access your accounts. Since this attack worked by tricking users into granting a third-party app access rather than by stealing passwords, also review the apps connected to your account, as Google advises, and revoke any you don’t recognise.
Our CEO, Tim Holman, confirms the need for increased user vigilance in the face of phishing attempts: “Google’s role is to allow as many genuine emails as possible through their systems; and of course, block any malicious content that it knows about. However, the more convincing hackers make their emails, the more difficult it is for firms to distinguish the good from the bad. Ultimately it is down to the user to be vigilant and not be fooled by realistic email scams. Given the Internet has over 3.7 billion users, criminals are playing a numbers game. Even if only one in a million people open these malicious emails, criminals have succeeded with very little effort.”
Be vigilant. Even the most expensive security solutions in the world will not help you here; it all comes down to the human brain. You could of course just turn off email, which is the approach taken in highly secure environments, but that only goes to show how little faith the experts have in being able to secure email systems.