A clever phishing scheme used Google’s own login page against users.
If you can’t trust an official Google login page then what can you trust? An innovative phishing scam briefly spread like wildfire this week before being snuffed out by Google – and it was using the company’s own security against unsuspecting users.
Here’s how it worked. It would start with you receiving an unsolicited email from a known contact. It looked like the standard “invitation to view a document” that regular Google Docs users will know very well.
But unlike traditional phishing attacks that try to coax personal details out of you with an official-looking imitation page, this cunning scam took you to a genuine Google login window. Once you signed in, you inadvertently granted access to a malicious third-party app (cunningly named “Google Docs”), giving it access to your contacts and email and allowing the scam to spread further. The only way to see its scammy nature was to highlight the Google Docs name and see the real email address hiding behind it, as demonstrated in this tweet:
Google quickly became aware of the issue and took steps to close the loophole, writing in a statement on its Product Forums that: “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
Just because the known malicious apps have been closed doesn’t mean another similar one couldn’t be opened – so do be vigilant.
If you think you were taken in by the scam, head over to Google’s security page and remove any connected apps that look fishy or phishy.
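The two warning signs the article describes, a third-party app whose display name borrows a Google product name while its developer address is not Google’s, and an app holding mail and contacts permissions, can be checked mechanically once you have the list of connected apps in front of you. The script below is an added example written for this article, not code from Google or from the original post. It assumes the attack was an OAuth 2.0 consent grant (the article describes signing in on a genuine Google page and then granting access to a third-party app), uses Google’s real OAuth scope URIs for Gmail, contacts and calendar, and works over a constructed list of connected apps rather than calling any Google API; the `ConnectedApp` type and the sample developer addresses are invented for the example.

```python
"""Audit a list of third-party apps connected to a Google account.

Added example: flags apps whose name suggests a Google product but whose
developer address is not at google.com, and apps holding broad mail or
contacts scopes. The app list is constructed inline; a real audit reads
the same fields from the account's permissions page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Real Google OAuth 2.0 scope URIs, mapped to a short description of what they grant.
SENSITIVE_SCOPES: Dict[str, str] = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Only Google itself may legitimately ship an app named after a Google product.
GOOGLE_OWNER_DOMAINS = {"google.com"}
IMPERSONATED_BRANDS = ("google", "gmail", "docs", "drive")


@dataclass
class ConnectedApp:
    """One entry from the account's connected-apps list (hypothetical type)."""
    display_name: str
    developer_email: str          # the address revealed when the name is inspected
    scopes: List[str] = field(default_factory=list)


def audit_app(app: ConnectedApp) -> List[str]:
    """Return human-readable findings for one app; an empty list means nothing suspicious."""
    findings: List[str] = []
    owner_domain = app.developer_email.rsplit("@", 1)[-1].lower()
    name_lc = app.display_name.lower()

    # Brand impersonation: Google-looking name, non-Google developer address.
    if any(brand in name_lc for brand in IMPERSONATED_BRANDS) and owner_domain not in GOOGLE_OWNER_DOMAINS:
        findings.append(
            f"name '{app.display_name}' suggests Google but developer is {app.developer_email}"
        )

    # Privilege: any scope that reaches mail or contacts is worth a second look,
    # because that is exactly what let the scam in the article spread itself.
    for scope in app.scopes:
        if scope in SENSITIVE_SCOPES:
            findings.append(f"holds sensitive scope: {SENSITIVE_SCOPES[scope]}")
    return findings


def risky_apps(apps: List[ConnectedApp]) -> List[Tuple[ConnectedApp, List[str]]]:
    """Return (app, findings) pairs for every app with at least one finding."""
    return [(app, f) for app in apps if (f := audit_app(app))]


# Constructed sample data; the developer addresses use reserved .example domains.
SAMPLE_APPS = [
    ConnectedApp(
        "Google Docs",
        "contact@not-google.example",
        ["https://www.googleapis.com/auth/contacts", "https://mail.google.com/"],
    ),
    ConnectedApp(
        "Trusted Notes",
        "dev@trusted-notes.example",
        ["https://www.googleapis.com/auth/calendar.readonly"],
    ),
]


if __name__ == "__main__":
    for app, findings in risky_apps(SAMPLE_APPS):
        print(f"[REVIEW] {app.display_name} <{app.developer_email}>")
        for line in findings:
            print(f"    - {line}")
```

A calendar-only app from an unremarkable developer produces no findings, while the impersonating “Google Docs” entry is flagged three times: once for the name/developer mismatch and once per mail or contacts scope. The name check is deliberately simple (substring match); its job is to surface candidates for the manual inspection the article recommends, not to make the final call.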