A Google Docs scam began landing in users’ inboxes yesterday in what seemed to a sophisticated phishing or malware attack.

The deceptive invitation to edit a Google Doc – the popular app for sharing files – appeared to be spreading rapidly, with a subject line stating a contact ‘has shared a document on Google Docs with you.’ If users click the ‘Open in Docs’ button in the email, it takes them to a legitimate Google sign-in screen that asks to ‘continue in Google Docs’. Clicking on that link grants permission to a bogus third party app to possibly access contacts and email, which could allow the spam to spread to additional contacts.

Google has said it is aware of the issue and is investigating. They said that they had taken action to protect users against the email impersonating Google Docs, and have disabled offending accounts. A spokesperson said that they had removed the fake pages, pushed updates through Safe Browsing, and their abuse team was working to prevent this kind of spoofing from happening again.

Phishing scams typically involve emails, ads or websites that appear to be real and ask for personal information, such as usernames, passwords, social security numbers, bank account data or birthdays. Google said it does not send out emails asking for this type of information and encourages users not to click on any links and to report any suspicious messages.

Wednesday’s attack seemed to be more advanced than standard email phishing scams, because it doesn’t simply take users to a bogus Google page to collect a password, but is instead working within Google’s system with a third-party web app that has a deceptive name. If users have already granted permission through the phishing email, they can go to their settings and revoke the app.

Google said the scam had affected fewer than 0.1% of Gmail users – which works out to about one million people affected.

The Guardian (4th May 2018)