Google busts email phishing scam

04 May 2017

Google said it had busted an email spam campaign that impersonated its online file service, Google Docs.

According to online reports, the attack was a phishing scam potentially aimed at stealing personal information and possibly even Google login credentials.

In a statement late yesterday, however, Google said that although the campaign accessed and used contact information, no other data appeared to have been exposed.

According to online reports and a detailed user thread on Reddit, users who clicked on an emailed share link that apparently had been sent from a known source were taken to a site that asked permission for a fake app calling itself "Google Docs" to access their accounts.

Once a user agreed, the app would send additional copies of the original email to that user's contacts.

Users would not be required to take any action, although Google has encouraged those wanting to ensure greater safety to run its security check feature.

Google yesterday said it had disabled the offending accounts and removed malicious pages, in a bid to protect users from attacks.

"This is the future of phishing," said Aaron Higbee, chief technology officer at PhishMe Inc, Reuters reported. "It gets attackers to their goal ... without having to go through the pain of putting malware on a device."

He added that hackers had also pointed some users to another site, since taken down, that sought to capture their passwords.

Google said its abuse team "is working to prevent this kind of spoofing from happening again."

Security experts who reviewed the scheme said anybody who granted access to the malicious app unknowingly also gave hackers access to their Google account data including emails, contacts and online documents.

"This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party," said Justin Cappos, a cyber security professor at NYU Tandon School of Engineering.