Google Docs has a sophisticated phishing attack

If someone invites you to edit a file in Google Docs today, don’t open it — it may be spam from a phishing scheme that’s been spreading quickly this afternoon. As detailed on Reddit, the attack sends targets an emailed invitation from someone they may know, takes them to a real Google sign-in screen, then asks them to “continue to Google Docs.” But this grants permissions to a (malicious) third-party web app that’s simply been named “Google Docs,” which gives phishers access to your email and address book.

The key difference between this and a very simple email phishing scheme is that this doesn’t just take you to a bogus Google page and collect your password — something you could detect by checking the page URL. It works within Google’s system, but takes advantage of the fact that you can create a non-Google web app with a misleading name. Here’s what the permissions screen looks like, for example:

If you check the title for developer information, though, you’ll get something like this:

If you’ve clicked the link, your account may have already sent spam messages to the people in your address book. But you can revoke future access through Google’s “Connected Apps and Sites” page; where it will appear as “Google Docs.”

Google Docs phishing access

We’re still not sure exactly how widespread the attack is, but journalists from several outlets — including The Verge — have received spam emails.

In a statement issued this afternoon, Google says it’s taken measures to stop the spread of the attack and resolve the problem at its core:

We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” the company said in a statement. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.

Update 4:00PM ET, 5/3: We’re seeing reports that Google has disabled the application, although we’re still not sure exactly how far it’s spread, or if the attack might continue through another application.

Update 4:25PM ET, 5/3: Google has also said it is “investigating” the issue, warning users not to click on links in the meantime.

Update 5:17PM ET, 5/3: Added official statement from Google confirming the issue has been resolved.

Source: TheVerge