
Google Docs Phishing scheme rapidly spreading today

Phishing emails coming as Google Docs


Robert Charlton

9:38 pm on May 3, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



If someone invites you to edit a file in Google Docs today, don't open it -- it may be spam from a phishing scheme that's been spreading quickly this afternoon.

Google Docs users hit with sophisticated phishing attack
May 3, 2017
[theverge.com...]

The messages often appear to be coming from people you may know....

Twitter update from Google @gmail at about 4:15 Eastern time today...
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail.
1:15 PM - 3 May 2017
[twitter.com...]

tangor

9:58 pm on May 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sooner or later, the fun will begin.... the scamps out there are always looking for another rube.

engine

10:33 am on May 4, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Phishing is getting more sophishticated [sic] and I've seen quite a few recently. The personalisation coming through is making it much easier for people to fall victim, and it's getting to the stage where people will have to ignore these emails and documents entirely and fall back to actually speaking to the person it's supposed to have come from.

keyplyr

10:37 am on May 4, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The Phishing may be recent, however Google Docs has been exploited for quite some time. I've found it necessary to block the User Agent from access to servers across all sites.

I also block downloading Google Docs to all devices.

engine

10:41 am on May 4, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



From reports, Google has said it has solved the problem by blocking the exploit and banning accounts used to send the missives.

Robert Charlton

10:52 am on May 4, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Not clear if this fix is for new messages only, or whether the problem has been fixed for the early messages that went out as well.

ergophobe

11:26 pm on May 4, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The thing is, that just stops one person. This is a worrisome exploit. Google and Facebook and many so-called security experts suggest using Single Sign-On (SSO). I have never seen how that can possibly improve people's security, but whatever. In addition they have trained them to click to let Google have access or whatever.

So I don't see how Google can block the exploit, just this particular instance of the exploit. I think the exploit itself is in their very architecture.

tangor

2:21 am on May 5, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Google's known about the issue behind yesterday's wave of phishing attacks bearing links to Google Docs for at least five years.

Sharp-eyed and long-of-memory security types have reminded world+dog of this 2011 post to an IETF mailing list by developer André DeMarre, who way back then speculated that client name application spoofing could offer an interesting attack vector.

His post offered the following scenario to explain how such an attack could work:

Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app "Google, Inc.". The Foobar authorization server will engage the user with "Google, Inc. is requesting permission to do the following." The resource owner might reason, "I see that I'm legitimately on the https://www.foobar.com site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow."

And that's more or less what happened when the phishing campaign hit yesterday.

[theregister.co.uk...]
It does beg the question why G did not address this during the last six years.

[edited by: engine at 7:55 am (utc) on May 5, 2017]
[edit reason] fair use [/edit]
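The scenario quoted in the post above turns on one fact: the client name shown on an OAuth consent screen ("Google, Inc. is requesting permission...") is free text chosen by whoever registered the client, while the only identity the authorization server actually verifies is the client id and its registered redirect domain. The following audit script is an added example written for this thread; it is not code from the post, from The Register, from André DeMarre or from Google. It takes a list of consent grants (as an admin might export from an identity provider), flags any grant whose display name imitates a brand the organisation trusts but whose redirect host is not one of that brand's verified domains, and separately flags grants that ask for mailbox or contact scopes. The brand allow-list, the scope labels and the sample grants are all constructed placeholders.

```python
"""Audit OAuth consent grants for display-name spoofing (constructed example).

Idea: the display name is attacker-controlled text; the redirect host is tied
to the registered client. A name that says "Google" but redirects somewhere
that is not Google's is the pattern described in the 2011 IETF post.
"""
import re
from urllib.parse import urlparse

# Hypothetical allow-list: brand word -> domains that brand's real clients redirect to.
TRUSTED_BRANDS = {
    "google": {"google.com", "googleusercontent.com"},
    "dropbox": {"dropbox.com"},
}

# Constructed scope labels that expose the whole mailbox or address book.
HIGH_RISK_SCOPES = {"mail.readonly", "mail.send", "contacts.read"}

# Corporate suffixes, product words and punctuation to strip before comparing names.
_NOISE = re.compile(r"\b(inc|llc|ltd|corp|co|docs|drive|official)\b|[^a-z0-9 ]")


def normalize_name(name: str) -> str:
    """Lower-case and strip noise so 'Google, Inc.' and 'Google Docs' both become 'google'."""
    text = _NOISE.sub(" ", name.lower())
    return " ".join(text.split())


def impersonated_brand(name: str):
    """Return the trusted brand this display name imitates, or None."""
    words = normalize_name(name).split()
    for brand in TRUSTED_BRANDS:
        if brand in words:
            return brand
    return None


def host_is_verified(redirect_uri: str, brand: str) -> bool:
    """True only if the redirect host is the brand's domain or a subdomain of it."""
    host = (urlparse(redirect_uri).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_BRANDS[brand])


def audit_grant(grant: dict) -> list:
    """Return finding strings for one consent grant; an empty list means nothing suspicious."""
    findings = []
    brand = impersonated_brand(grant["client_name"])
    if brand and not host_is_verified(grant["redirect_uri"], brand):
        findings.append(
            f"name '{grant['client_name']}' imitates {brand} but redirects to "
            f"{urlparse(grant['redirect_uri']).hostname}"
        )
    risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes: " + ", ".join(risky))
    return findings


def audit(grants) -> dict:
    """Map client_id -> findings for every grant in the export."""
    return {g["client_id"]: audit_grant(g) for g in grants}


# Constructed sample export: one spoofed client, one genuine one, two unrelated ones.
SAMPLE_GRANTS = [
    {"client_id": "cli-001", "client_name": "Google, Inc.",
     "redirect_uri": "https://docscloud-example.net/oauth/cb",
     "scopes": ["mail.readonly", "contacts.read"]},
    {"client_id": "cli-002", "client_name": "Google Drive",
     "redirect_uri": "https://accounts.google.com/o/oauth2/cb",
     "scopes": ["drive.file"]},
    {"client_id": "cli-003", "client_name": "Team Calendar Sync",
     "redirect_uri": "https://calsync-example.org/cb",
     "scopes": ["calendar.read"]},
    {"client_id": "cli-004", "client_name": "Inbox Cleaner",
     "redirect_uri": "https://cleaner-example.org/cb",
     "scopes": ["mail.send"]},
]

if __name__ == "__main__":
    for client_id, findings in audit(SAMPLE_GRANTS).items():
        status = "FLAG" if findings else "ok  "
        print(status, client_id, "; ".join(findings))
```

The check deliberately compares the redirect host, not the name, against the allow-list: a user reading the consent screen sees only the name, which is exactly what the post says can be spoofed, so the audit has to anchor on something the attacker cannot choose freely.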