Yep, I admit it. I fell for today’s Gmail phishing attack along with a lot of other people. A lot of other people. Every contact in my inbox that I’ve ever sent or received an email from was blasted. All 9,162 of them. My password manager was no help.
Let’s call this my apology.
So what exactly happened and how can you protect yourself from future threats such as this one?
I received an email from my apartment complex sharing what appeared to be a Google Drive file, and since I was expecting a lease-renewal form, I clicked the link. I have since marked it as a phishing attack and can’t access the email, but this is how it appeared in another hacked inbox:
It then took me to a real Google account authentication page. Everything looked golden up to this point; then the page timed out (check out this in-depth Reddit post on how the email itself looked). Then came the onslaught of email replies from my contacts, Slack messages from coworkers and shoutouts (laughs) from desk neighbors on how I was hacked. Upon looking at the email itself, the only fishy (phishy) thing about it was the cc’d email from email@example.com.
But it wasn’t just me that was fooled by this hhhhhhhhhhhhhhhhellraiser (I will run this pun into the ground). Google Docs is now the highest trending topic on Twitter and Google Drive is going down sporadically.
So how do you avoid attacks such as this one in the future? One of the innocent bystanders of my email account’s outbound attack was incidentally TeamPassword CEO Brian Sierakowski, who gave me some insights into personal cyber security via email.
“Generally the rule of thumb is to check to see where a link is headed before you click it. If you hovered your mouse over that ‘open in docs’ link and the address was ‘www.hackers.com,’ you’d know not to click it. This is tough on mobile, but some extra steps can be taken to double check before you click through by copying and pasting the link before you navigate there.
However, this attack is extra sneaky. They’re using Google’s OAuth to have you sign in to your Google account before redirecting you to their website, which you can see in the link: ‘redirect_uri=https%3A%2F%2Fgoogledocs.g-docs.pro.’ This makes life difficult since when you look at the URL, it’s ‘accounts.google.com,’ which would be reasonable for a Google Docs link. I’d say to get around this:
- Be super skeptical of any link on the internet
- Double check URLs before you proceed
- Understand that any service can ask you to authenticate with your Google account—when it looks like Google is asking you for permissions, bail out!”
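The point Sierakowski makes about the link is worth seeing in code: the browser really does land on accounts.google.com, and the party that ends up with access to your account is whoever is named in the `redirect_uri` parameter. The following Python snippet is an added example written for this post, not code from the author, TeamPassword or Google. It parses an href the way you would inspect it on hover, pulls out the `redirect_uri` and `scope` parameters, and says whether a Google sign-in page is really a permission request for a third-party site. The sample links are constructed for the example; the only value taken from the post is the `googledocs.g-docs.pro` redirect host, and the client ID and scopes are placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Real hostname of Google's sign-in and consent pages.
GOOGLE_AUTH_HOST = "accounts.google.com"

# Constructed sample: an OAuth consent link in the shape described in the post.
# The redirect host comes from the post; client_id and scopes are placeholders.
PHISH_STYLE_LINK = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=CONSTRUCTED-CLIENT-ID"
    "&redirect_uri=https%3A%2F%2Fgoogledocs.g-docs.pro"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

# Constructed sample: the plain "hover and look" case from the quote above.
PLAIN_LINK = "http://www.hackers.com/open-in-docs"


def is_google_host(host):
    """True for google.com itself and any of its subdomains."""
    return host == "google.com" or host.endswith(".google.com")


def inspect_link(url):
    """Describe where an href really leads before it is clicked.

    For an OAuth consent URL the browser lands on accounts.google.com, which
    looks trustworthy; the party that actually receives your account access
    is the one named in redirect_uri. Returns a plain dict so the check can
    be reused from a mail-gateway rule or a quick REPL session.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query)  # percent-decodes the values for us

    # Google's consent endpoints live under /o/oauth2 on accounts.google.com.
    oauth = host == GOOGLE_AUTH_HOST and parts.path.startswith("/o/oauth2")
    redirect = params.get("redirect_uri", [""])[0]
    redirect_host = (urlsplit(redirect).hostname or "").lower() if redirect else ""
    scopes = params.get("scope", [""])[0].split()

    report = {
        "host": host,
        "is_oauth_consent": oauth,
        "redirect_host": redirect_host,
        "third_party_redirect": oauth and bool(redirect_host)
        and not is_google_host(redirect_host),
        "scopes": scopes,
        # Mailbox scopes are what let an app read and send mail as you.
        "mailbox_access": any("mail.google.com" in s or "/auth/gmail" in s
                              for s in scopes),
    }
    if not oauth:
        report["verdict"] = f"plain link to {host or '(no host)'}; judge that host directly"
    elif report["third_party_redirect"]:
        report["verdict"] = (f"Google sign-in page, but the app being granted access "
                             f"lives at {redirect_host}; treat this as a third-party "
                             f"permission request")
    else:
        report["verdict"] = "Google sign-in flow redirecting back to a Google domain"
    return report


if __name__ == "__main__":
    for link in (PHISH_STYLE_LINK, PLAIN_LINK):
        r = inspect_link(link)
        print(r["verdict"])
        if r["scopes"]:
            print("  requested scopes:", ", ".join(r["scopes"]))
```

Run it and the first link reports a Google sign-in page whose access goes to `googledocs.g-docs.pro` with mailbox and contacts scopes requested, while the second is just a plain link to `www.hackers.com`. The useful habit it encodes is the one from the quote: on a consent screen, the hostname in the address bar tells you who is asking you to sign in, not who gets the access.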
If you’re like me and fell for this scam, and you aren’t sure what to do next, Sierakowski has some advice.
“For anyone who’s been hit with this attack, they’ll need to go and revoke access to that OAuth site in their settings [with these steps]:
- Click on your picture in the upper right and select ‘My Account’
- Under ‘Sign in and security,’ click on ‘Connected apps & sites’
- Select ‘Manage apps’ and remove that attacker’s site—the name might be something sneaky, perhaps you can find it and let people know
Also worth saying: Once you’re into that connected apps section, it’d be a good idea to clean up anything you’re not actively using. Good security hygiene!”
Thanks for the tips, Brian. I promise I’ll be a less-naive online connoisseur and more hhhhhhhhhhhhhhhhesitant to click links in the future.
It’s currently unknown how many Google accounts have been targeted and/or compromised, but Google is currently investigating the issue.
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through & report as phishing within Gmail.
— Google Docs (@googledocs) May 3, 2017