“The importance of this phish is not how it spread, but rather how it didn’t use malware or fake websites tricking users to give up their passwords,” says Aaron Higbee, chief technology officer at the phishing research and defense company PhishMe, which analyzed data from the fake Google Docs campaign. “This phish worked because it tricked the user into granting permissions to a third-party application. This is the future of phishing, and every security technology vendor is ill-equipped to deal with it.”
Similar Google Docs scams in particular have been circulating since at least 2014, but that doesn’t make them any easier to spot, in part because they seem so authentic. Phishers can use real Google accounts and develop third-party plugins that can interact with Google services, so they can lure victims in through the most perfect-looking Google web pages of all: Genuine ones. And variations on this approach hit over and over, much like waves in the ocean. Fishing? Phishing. You get it. Here’s how to stay vigilant this time, and going forward.
This round of Google Docs phishing emails works like so: You get an email saying someone added you to a Google Doc; click this link to view it. That takes you to a legitimate account screen, listing all the Google accounts you’re logged into. From there, you choose the one you want to use to view the document (or log in, if you weren’t already authenticated in your browser). There, a malicious service called “Google Docs” awaits, asking for privileges to access your account, your contacts, your password resets, your emails, everything.
If you already clicked this type of link today (or any day), go to the Permissions page of your Google account as quickly as possible and, in this case, revoke access to the service called “Google Docs.” Again, it’s a fake. Then change your password and make sure you have two-factor authentication turned on, which you totally already did, right?
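A detection example added here (not from the article or from PhishMe): given a list of OAuth grant records, it flags third-party apps that combine a Google product name with mail or contacts scopes, the pattern this campaign relied on, and lists which grants each user should revoke. The record layout, the scope fragments and the sample grants are constructed assumptions, not Google's audit-log format.

```python
from dataclasses import dataclass

# Scope fragments that hand an app what the article says the fake app asked
# for: the user's mail and contacts. (Assumed list, kept short on purpose.)
SENSITIVE_SCOPE_FRAGMENTS = ("mail.google.com", "auth/gmail.", "auth/contacts")
# Google's own products never appear as third-party OAuth clients, so a
# third-party app presenting one of these names is impersonating it.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "gmail", "google sheets"}


@dataclass(frozen=True)
class Grant:
    user: str
    app_name: str   # display name shown on the consent screen
    client_id: str  # OAuth client id of the app (placeholder values below)
    scopes: tuple   # scopes the user granted


def is_sensitive(scope: str) -> bool:
    return any(fragment in scope for fragment in SENSITIVE_SCOPE_FRAGMENTS)


def suspicious(grant: Grant) -> list:
    """Return the reasons a grant matches the consent-phishing pattern, or []."""
    reasons = []
    if " ".join(grant.app_name.lower().split()) in GOOGLE_PRODUCT_NAMES:
        reasons.append("third-party app uses a Google product name")
    sensitive = [s for s in grant.scopes if is_sensitive(s)]
    if sensitive:
        reasons.append("sensitive scopes: " + ", ".join(sensitive))
    # Only the combination is the phishing pattern: a legitimate add-on that
    # needs mail access, or an oddly named app with a benign scope, is not.
    return reasons if len(reasons) == 2 else []


def triage(grants) -> dict:
    """Map each affected user to the client ids whose access should be revoked."""
    hits = {}
    for grant in grants:
        if suspicious(grant):
            hits.setdefault(grant.user, set()).add(grant.client_id)
    return hits


# Constructed sample grants: an impersonator, a real mail add-on, a benign app.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Google  Docs", "client-id-placeholder-1",
          ("https://mail.google.com/", "https://www.googleapis.com/auth/contacts")),
    Grant("bob@example.com", "Acme Mail Merge", "client-id-placeholder-2",
          ("https://www.googleapis.com/auth/gmail.send",)),
    Grant("carol@example.com", "Google Docs", "client-id-placeholder-3",
          ("https://www.googleapis.com/auth/userinfo.email",)),
]
```

Running `triage(SAMPLE_GRANTS)` reports only alice's "Google Docs" grant; the two other grants each show one half of the pattern and are left alone.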
To help protect yourself even further in the future, Google offers a tool called Password Alert that warns you if you type your Google account credentials into any page that isn’t officially Google’s. If phishers have made a realistic-looking fake, Password Alert instantly suggests that you change your password and secure your account as soon as you’ve made the mistake. But this doesn’t necessarily protect you when scammers are manipulating genuine Google processes. And, of course, it doesn’t help you identify fake log-in pages related to other companies’ services.
Resisting the urge to click remains the best first line of defense out there. Spotting inconsistencies or suspicious content in an email can help tip you off—in this case, a “To:” field populated by “hhhhhhhhhhhhhhhh” should raise suspicions—and listening to those instincts is important. But in the case where a phishing email (or a spear phishing email tailored to you) is perfect enough to convince you, it takes a general habit of thinking before you click to give you a chance.
Downloading attachments or clicking links shouldn’t be automatic even when they seem to be from the people closest to you. Particularly if you’re not expecting a message, you should take a moment to examine any URLs it contains in a plaintext editor, or double-check with your friend through another means of communication that they really sent you a Word document of recipes. These quick checks can make a big difference. Sometimes a second look is all it takes to realize that your coworker probably wouldn’t send a Google Doc to your entire company out of the blue.
This post has been updated to include comment from PhishMe’s Aaron Higbee.