What Happened?
A particularly clever Google Docs zero-day flaw was exposed via a widespread phishing scam yesterday. The email masks itself as a user trying to share a Google Doc with you, when in reality it is a fake "Google Docs" browser add-on that, when allowed, gives the hackers access to your contacts, emails and documents. They then use your hacked email account to send out more phishing emails and keep their system going. Your emails, contacts and documents may very well have been copied to the hackers' server while the add-on was enabled.
What made it so Nasty?
The nasty part about this scam is that it was not a virus, nor was it a fake Google website trying to trick you into giving up your password. The flaw was that a fake program was able to present itself as Google (using Google’s own website) and then take all of your information through a browser add-on WITHOUT EVEN NEEDING YOUR PASSWORD.
Whose Fault is it?
Google. The hackers exploited a flaw in Google Docs that allowed them to take control of your Gmail, Google Docs and other Google products without needing you to give up your login information. It’s a pretty scary flaw and indicates a fair amount of expertise.
How do I recognize it?
The attackers created a Google-looking web app, cleverly named "Google Docs". They then sent out emails from other hacked accounts to Gmail users, asking them to edit a document on Google Docs. Those who clicked the Google Docs phishing link were redirected to a real Google sign-in screen and asked to “continue to Docs.” This then fooled users into granting access and permissions to the malicious Google Docs web app, which took control of all their Google information.
What do I do if I fell for it?
If you were one who allowed access to the web app, change all your Google passwords immediately and warn the people in your contacts list. Next, go to Google’s Connected Apps and Sites page and revoke the permissions granted to the malicious app. Also be wary of what kind of content was in your docs and emails: if you had bank information or passwords for other sites, keep a close eye on those accounts and change those passwords. If you had important client information in your Docs or emails (SSNs, credit card numbers, bank info, etc.), contact your lawyer to find out what legal obligations apply to you.
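The two sections above describe the mechanism (a third-party app that borrows a Google product name and asks for mail, contacts and document permissions) and the fix (revoking the grant on the Connected Apps and Sites page). For an organization, the same check can be run across every account instead of asking each user to look. The script below is an added example, not code from the original post or from Google: it audits a list of granted third-party apps, flags any whose display name impersonates a Google product or that hold mail/contacts/drive scopes, and builds a revocation list. The record shape (clientId, displayText, scopes) is assumed to follow the Admin SDK Directory API tokens resource; the client IDs and grants below are constructed sample data, not real indicators.

```python
"""Audit third-party app grants for consent-phishing indicators (added example).

Assumptions: each grant is a dict with the fields clientId, displayText and
scopes, as returned per user by the Admin SDK Directory API tokens.list call.
All sample data here is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Scope fragments that give an app the reach the phishing app asked for:
# reading/sending mail, reading contacts, reading documents.
SENSITIVE_SCOPE_FRAGMENTS = ("mail.google.com", "gmail.", "contacts", "drive")

# Display names a third-party app has no business using.
GOOGLE_PRODUCT_NAMES = ("google docs", "google drive", "gmail", "google", "g suite")


@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    severity: str                      # "high" or "review"
    reasons: list[str] = field(default_factory=list)


def is_sensitive_scope(scope: str) -> bool:
    """True if the OAuth scope grants mail, contacts or document access."""
    s = scope.lower()
    return any(fragment in s for fragment in SENSITIVE_SCOPE_FRAGMENTS)


def impersonates_google(display_text: str) -> bool:
    """True if the app calls itself by a Google product name."""
    name = display_text.strip().lower()
    return name in GOOGLE_PRODUCT_NAMES or name.startswith("google ")


def audit_grants(user: str, tokens: list[dict], trusted_client_ids: set[str]) -> list[Finding]:
    """Return one Finding per grant that deserves attention.

    Grants from allowlisted client IDs (vetted integrations) are skipped.
    A grant is "high" when the name impersonates a Google product,
    "review" when it merely holds sensitive scopes.
    """
    findings: list[Finding] = []
    for tok in tokens:
        client_id = tok.get("clientId", "")
        name = tok.get("displayText", "")
        if client_id in trusted_client_ids:
            continue
        reasons: list[str] = []
        if impersonates_google(name):
            reasons.append(f"display name impersonates a Google product: {name!r}")
        sensitive = [s for s in tok.get("scopes", []) if is_sensitive_scope(s)]
        if sensitive:
            reasons.append("holds sensitive scopes: " + ", ".join(sensitive))
        if not reasons:
            continue
        severity = "high" if impersonates_google(name) else "review"
        findings.append(Finding(user, client_id, name, severity, reasons))
    return findings


def revocation_plan(findings: list[Finding]) -> list[tuple[str, str]]:
    """(user, clientId) pairs to revoke immediately: the high-severity grants.

    In a real tenant each pair maps to one tokens.delete call; "review" items
    go to a human instead of being revoked blindly.
    """
    return [(f.user, f.client_id) for f in findings if f.severity == "high"]


# Constructed sample grants for one user; the phishing-style entry mirrors the
# pattern described in the post (Google product name + mail and contacts scopes).
SAMPLE_TOKENS = [
    {"clientId": "000000000000-constructed-phish.apps.googleusercontent.com",
     "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"clientId": "constructed-calendar-vendor.apps.googleusercontent.com",
     "displayText": "Team Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "constructed-backup-vendor.apps.googleusercontent.com",
     "displayText": "Drive Backup",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
]

if __name__ == "__main__":
    results = audit_grants("alice@example.com", SAMPLE_TOKENS, trusted_client_ids=set())
    for f in results:
        print(f.severity.upper(), f.display_text, f.client_id, "|", "; ".join(f.reasons))
    print("revoke now:", revocation_plan(results))
```

The allowlist matters: Google's own first-party clients and vetted vendor integrations also appear in a user's grant list with a Google-sounding name or broad scopes, so populate `trusted_client_ids` from your approved-app inventory before acting on the output, and treat the "review" tier as a queue for a person rather than something to revoke automatically.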
What’s next?
Not much. Google has acknowledged the issue and says it has taken care of the flaw and the source accounts. This was a cleverly exploited Google Docs flaw that shows how powerful and quick to spread phishing emails can be. In one day this thing hit possibly millions of people. Always double check with your IT people before allowing anything new or strange to access your data/accounts.