Phishing attack hits Google Docs and the hack is spreading like wildfire

Recipients who fell for scam gave attackers access to their Google email messages and contact list

Robert McMillan | WSJ
Last Updated : May 04 2017 | 12:30 PM IST
An unusual computer attack that mimicked Google’s cloud-based document software spread across US news organizations and other institutions on Wednesday.

The attack involved malicious emails masquerading as a message from Google Docs, often sent from a known source. Recipients who clicked on the embedded link and then clicked yes on a follow-up link inadvertently gave the attackers access to their Google email messages and contact list, said Matt Tait, a cybersecurity expert based in the U.K. who researched the incident. That access was then used to send more malicious emails to addresses found in the victim’s contact list, Mr. Tait said.

The attack leverages a well-known scam technique called phishing, in which attackers attempt to trick users into clicking on malicious web links by pretending to be something they are not. But the use of Google’s Web-app authentication system was unusual and appeared to catch off guard even many users who are wary of email scams.

The attack was particularly noteworthy because the perpetrators were able to automatically flood victims’ contacts with malicious messages using a system that seems safer, causing the phishing attacks to spread with unusual rapidity, said Liam O’Murchu, director of security technology and response at antivirus vendor Symantec Inc. “What’s new here is that they made it into a worm.”

Victims of the scam included journalists at CNN, the Washington Post, BuzzFeed, Vice Media and The Wall Street Journal. But it also hit a large number of nonmedia companies, said Gary Warner, chief threat scientist with PhishMe Inc., a company that protects against email attacks.

The goal of the attack wasn’t entirely clear, but it may have been to harvest email addresses from victims to break into online accounts, Mr. Warner said.

The software used in the attack was a web-based application called “Google Docs” that used the same name as Google’s software but was developed by a third party. The web application developer used the name Eugene Pupov, but that was likely a pseudonym, Mr. Tait said. An email sent to an address linked to the account went unanswered Wednesday.

Mr. Tait said either Google or individual users need to revoke the access of the fake Google Docs app to their information to prevent the attackers from having continued access.

A Google spokeswoman couldn’t immediately say whether the company was doing that. “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” she said in an email message. The company had removed the fake pages used by the attackers and is “working to prevent this kind of spoofing from happening again,” she said.

Users can revoke access to Google applications themselves by clicking on the permissions page of their Google accounts.
 Source: The Wall Street Journal