Google releases statement about Google Docs phishing attacks

Google has addressed a huge phishing attack that was spreading all over the place today. A “phishing” scam is a way of manipulating a victim into providing access to your accounts without their knowledge or by tricking them with a fake login page that looks like the real one.

Google says that it has disabled the accounts associated with the scam and will take necessary precautions to prevent a similar kind of attack. Developers will likely no longer be able to name things after other Google services word for word.

(1 of 3) Official Google Statement on Phishing Email: We have taken action to protect users against an email impersonating Google Docs...

— Google Docs (@googledocs) May 3, 2017

(2 of 3) & have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team...

— Google Docs (@googledocs) May 3, 2017

(3 of 3) is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.

— Google Docs (@googledocs) May 3, 2017

If you clicked on the link and were affected by today’s attack, Google says you should visit myaccount.google.com/permissions to revoke the “Google Docs” app. Google Docs doesn’t require separate authorization as Gmail gives it by default.

Here’s what had gone down earlier today: an email would be sent to you, presumably from someone you’d know asking you to accept a Google Doc share request. Clicking the link takes you to a Google-hosted page where you’d be asked to log into your Gmail account, still, from a Google page.

So this link would take you to a third-party app, ironically, also called Google Docs. This app requests your account’s permissions and clicking “Allow” opens a can of worms. The app accesses all your contacts and sends them a similar fate.

It’s not to say that today’s event could have been avoided. Someone found a loophole and abused it, and the victims could have been even the most savvy of internet users. If any app ever requests permission to access sensitive information like your contacts, you should proceed with caution.

Via