A sinister email is making the rounds in which the sender—someone you know, in some cases—invites you to click on a Google Docs link. People who click on the link can get pulled into a world of trouble so, first things first, do not click the link. Just delete the email.
The nasty new email, which appears aimed at journalists, began to surface on Wednesday. Several colleagues at Coins2Day sent me the emails they received. Here’s a screenshot of what it looks like in your Gmail inbox (I blacked out the sender names):
The email, of course, isn’t actually from who it says it’s from, but is instead a phishing email intended to trick you into clicking a link. What happens next? You don’t want to try and find out yourself, but a hacker named Zach Latta has helpfully posted a GIF to Twitter that shows what happens if you hit “Open in Docs.”
Just got this as well. Super sophisticated. Pic.twitter.com/l6c1ljSFIX
— zach latta (@zachlatta) May 3, 2017
As Latta’s demo shows, the whole thing is a ruse that will give the keys to your entire Gmail account to whoever is running the phishing campaign. As a certain President might say, “Bad!” If you want to imagine the worst case scenario, just recall Democratic National Committee head John Podesta, who had his entire email correspondence leaked after he fell for a similar Gmail phishing scam.
Coins2Day has contacted Google to ask about the nature of the scam, and who may be behind it. The company has now responded with this statement:
“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.” (Late Thursday evening, Google sent a more detailed follow-up statement, which is pasted at the end of this story).
The counter-measures Google described are likely to stop the spread of the phishing attack but, as one security expert points out, the attacker has already had time to harvest millions of email addresses via victims’ Gmail contact lists.
It seems such scams targeting Google accounts are becoming more common in recent months. As my colleague Robert Hackett reported in January in the article Everyone is falling for this frighteningly effective Gmail scam, hackers (usually posing as a trusted contact) have been sending around booby-trapped documents that look like ordinary PDFs.
If all of this feels frightening, well, it sort of is. But there is a very good way to protect yourself. If you haven’t already, make sure you have two-factor authentication set up on your Google accounts.
Doing will help ensure that, even if hackers do trick you out of your password, they will likely be unable to use it. That’s because the two-factor system will ask for a second code (usually a code sent by text message) if Gmail detects someone is trying to log-on from a strange computer. You can sign-up for Google’s two-factor here.
Finally, if you did click on the nasty link, you can go to your Google account settings here, which will allow you to revoke access to apps—including the fake Google Docs one.
Here is Google’s follow-up statement:
“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”
This story was updated several times, including with Google’s response.