Millions of Google accounts were compromised by an extremely sophisticated phishing scam yesterday. Google users, particularly those who regularly use Google Docs, were advised to be extremely vigilant.
The scam not only gathered users' personal information, it also used each victim's contacts list to send phishing invites to everyone on the list. With just two clicks, the hackers had access to users' personal email history.
The phishing attack was simple yet powerful, and it easily succeeded in fooling people. Users received an email, sent from someone who had previously emailed them, saying that the sender wanted to share a document with them. Upon clicking the button, users were redirected to a pretty convincing Google-hosted page. The page then asked users to enter their password to grant “Google Docs” permission to read their emails and contacts list.
However, the “Google Docs” that asked for the permission was an app that used the actual Google Docs name. It’s still a question how or why a third-party app was able to get away with using the company’s licensed name, but figuring that out is probably on Google’s to-do list.
Hours later, through three tweets, Google announced that the situation was under control. The tweets read:
“Official Google Statement on Phishing Email: We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
While the company claims to have stopped this scam, it has yet to hint at any major crackdowns in the event of copycat attacks.
However, while Google figures out a plan, users are advised to be proactive. To guarantee their safety, they should check their Google account's permissions.
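The permission check recommended above can also be run in bulk by an administrator over exported app-grant records. The following is an added example, not code from the article or from Google: the record fields, client IDs, allowlist and sample grants are constructed assumptions. It flags any app whose display name matches a first-party product while it holds mail or contacts access.

```python
import unicodedata

# Assumed policy inputs; names, IDs and record fields are illustrative.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
TRUSTED_CLIENT_IDS = {"first-party-docs.example"}  # placeholder allowlist
SENSITIVE_SCOPES = {
    "https://mail.google.com/",  # full mailbox access
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
}

def normalize(name):
    """Fold case and width, drop invisible characters, collapse spacing."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split())

def assess(grant):
    """Return (verdict, sensitive_scopes) for one app-grant record."""
    spoofed = (normalize(grant["app_name"]) in PROTECTED_NAMES
               and grant["client_id"] not in TRUSTED_CLIENT_IDS)
    sensitive = sorted(SENSITIVE_SCOPES & set(grant["scopes"]))
    if spoofed and sensitive:
        return "revoke", sensitive  # the pattern described in the article
    if spoofed or sensitive:
        return "review", sensitive
    return "ok", sensitive

# Constructed sample records (not real apps or client IDs).
SAMPLE_GRANTS = [
    {"app_name": "Google Docs", "client_id": "first-party-docs.example",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"app_name": "Google\u200b Docs", "client_id": "unknown-app-1.example",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"app_name": "Mail Merge Helper", "client_id": "vendor-2.example",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"app_name": "GOOGLE  DOCS", "client_id": "unknown-app-3.example",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        verdict, scopes = assess(g)
        print(f"{verdict:7} {g['app_name']!r:22} {g['client_id']:26} {scopes}")
```

A "review" verdict means only one of the two signals fired, so a human should decide; "revoke" means both did.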