A hacker has been raining on Google’s cloud, and security experts are warning users to be wary of Google docs received from friends and colleagues following a massive phishing attack on the internet giant.
The news follows just days after it was revealed that Google, along with Facebook, had been duped by a massive whaling attack.
Google released a statement on Twitter, saying it has “taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again”.
However, cyber-security experts were quick to point out that the fix is only for this particular iteration of the attack and that now the attack vector is known, other cyber-criminals may be rushing to create copycat attacks.
The attack begins with the victim receiving an email from a known contact containing a link to a Google doc. Clicking on the link opens a genuine Google doc, which then opens a genuine Google permissions prompt asking for access to the victim’s email account. If the victim authorises it, the malicious app rips through the victim’s contacts list and sends every contact a copy of the original phishing email from the victim’s own account.
The scam has been described by many cyber-security professionals as being almost undetectable.
According to Threatpost, the Kaspersky Lab security blog, when a victim clicks on the link in the phishing email to the Google doc, they are directed to Google’s OAuth2 service which is where they are prompted with a message: “Google Docs would like to: Read, send, delete, and manage your email; Manage your contacts.”
Threatpost said, “The attempt to steal OAuth tokens is a departure from traditional phishing attacks that target passwords primarily.”
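The consent prompt quoted above maps onto the OAuth2 scopes the rogue app requested. As an added example (not code from the article or from Google), the following Python triages a Google OAuth2 authorization URL and flags the combination that makes this worm work: mailbox read/send access plus contacts access, with tokens delivered to a non-Google redirect host. The scope URIs and the accounts.google.com endpoint are real; the client_id, redirect host and sample URLs are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Real Google OAuth2 scope URIs that grant what the phishing prompt asked for:
# "read, send, delete, and manage your email" and "manage your contacts".
MAIL_SCOPES = {
    "https://mail.google.com/",                      # full mailbox access
    "https://www.googleapis.com/auth/gmail.modify",  # read/send/delete/organise
}
CONTACTS_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.google.com/m8/feeds",               # legacy Contacts API scope
}

def is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")

def assess_consent_request(url):
    """Classify an OAuth2 authorization URL by the access it would hand the app."""
    parts = urlparse(url)
    if parts.hostname != "accounts.google.com":
        return {"risk": "not-google", "scopes": [], "reasons": ["consent page is not Google's"]}
    q = parse_qs(parts.query)
    scopes = set()
    for raw in q.get("scope", []):        # space-separated list, possibly repeated
        scopes.update(raw.split())
    wants_mail = bool(scopes & MAIL_SCOPES)
    wants_contacts = bool(scopes & CONTACTS_SCOPES)
    reasons = []
    if wants_mail:
        reasons.append("mailbox read/send/delete access requested")
    if wants_contacts:
        reasons.append("contacts access requested")
    if wants_mail and wants_contacts:
        reasons.append("mail + contacts together is enough to self-propagate")
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).hostname or ""
    if (wants_mail or wants_contacts) and not is_google_host(redirect_host):
        reasons.append("tokens would go to third-party host: " + (redirect_host or "?"))
    risk = "high" if wants_mail and wants_contacts else "medium" if reasons else "low"
    return {"risk": risk, "client_id": q.get("client_id", [""])[0],
            "scopes": sorted(scopes), "reasons": reasons}

# Constructed sample URLs; client_id and redirect host are placeholders.
WORM_LIKE_URL = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
    "&client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts")
SIGN_IN_URL = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
    "&client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback&scope=openid%20email")
```

Run against a mail-gateway's captured consent links, a "high" verdict is the case to hold for review; a plain sign-in request scoring "low" is the normal case.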
Anyone who fell for the attack can revoke the permissions by accessing their account settings at myaccount.google.com.
This article originally appeared at scmagazineuk.com