GMail had a bad case of the phishers.

About 1 million GMail users were subject to a very clever phishing campaign last week. “What’s phishing?” I hear you ask. It’s basically an e-mail that persuades you to take an action which ends up compromising you in some way. In this case, you receive an e-mail with an apparent Google Docs attachment. If you follow through with it, all of your e-mail contacts will receive the same phishing e-mail, but this time coming from you.

Fortunately there was nothing destructive in this phishing campaign, but it did cause quite a lot of consternation because it could have been very nasty. It was quite clever in how it fooled its victims.

What the evil doers did was to create an app called “Google Docs” … not to be confused with the official one from Google called … errrrr … “Google Docs”.

They then sent out their phishing e-mail, which looked like this:

In later occurrences of the phishing campaign, the blurred-out name in the image above was probably somebody you know, or at least somebody whose contact list you were on. If you click on the “Open in Docs” button above, you launch the app called “Google Docs”, which sounds like the right kind of thing to happen – right? Then you get the following pop-up, which looks fairly legitimate, because it is:

The reason it’s legitimate is because this is the standard screen from Google in regards to this “new” app that you want to execute. The app developers (the bad guys) had to specify what permissions their app needed to carry out its nefarious deeds on your e-mail, and so Google helpfully popped up this window to ask you to give permission to the app for the parts of your GMail profile that it needed. Don’t freak out, there could be genuine reasons an app needs these particular permissions, so this would not have been a red flag to Google … the app name, on the other hand …

Anyway, if you click “allow”, the app goes ahead and uses your contacts to e-mail a new copy of the phishing e-mail to all your contacts.

Fortunately Google resolved the issue reasonably quickly. If you think you might have been a victim of this attack, you can check very quickly by going to this link and if there is something in the list called “Google Docs”, then left-click on it and hit the “Remove” button. You’ll then be safe again, for now.
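The two tells in this story are an app borrowing a first-party product name while being published by somebody other than Google, and an app holding both contact-reading and mail-sending permission. The script below is an added illustration, not code from the post or from Google: it audits a constructed list of app grants for those two patterns. The `Grant` fields and the sample records are assumptions standing in for whatever a real permissions export would contain.

```python
"""Flag third-party app grants that look like the "Google Docs" worm pattern.
The Grant record layout and SAMPLE_GRANTS are constructed for this example,
not a real Google API or export."""
from dataclasses import dataclass, field

# Names Google uses for its own products; a third party reusing one is suspicious.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google sheets"}
# Scope pair that lets an app read your contacts and send mail as you
# (real Google OAuth scope strings, used here as the worm-capable combination).
WORM_SCOPES = {
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://mail.google.com/",
}


@dataclass
class Grant:
    app_name: str
    publisher: str          # developer/publisher shown on the consent screen
    scopes: set = field(default_factory=set)


def normalise(name: str) -> str:
    # Collapse case and whitespace so "Google  Docs" and "google docs" compare equal.
    return " ".join(name.lower().split())


def audit(grants):
    """Return (app_name, reasons) for each grant worth removing or reviewing."""
    findings = []
    for g in grants:
        reasons = []
        if normalise(g.app_name) in FIRST_PARTY_NAMES and g.publisher.lower() != "google":
            reasons.append("third-party app using a first-party product name")
        if WORM_SCOPES <= g.scopes:
            reasons.append("can read contacts and send mail as you")
        if reasons:
            findings.append((g.app_name, reasons))
    return findings


SAMPLE_GRANTS = [  # constructed sample data
    Grant("Google Docs", "Google", {"https://www.googleapis.com/auth/drive"}),
    Grant("Google Docs", "unknown-dev@example.com", set(WORM_SCOPES)),
    Grant("Calendar Helper", "example-dev", {"https://www.googleapis.com/auth/calendar.readonly"}),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_GRANTS):
        print(f"REVIEW: {name}: {'; '.join(reasons)}")
```

Only the second sample grant is reported; the genuine Google app with the same name passes because its publisher is Google.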

This was really clever because the evil doers were able to create a sneaky app with a ridiculously trustworthy-sounding name, which then fooled people into granting seemingly required permissions in the platform (Google in this instance) to enable the app to do something bad. Other platforms, such as Facebook and LinkedIn, use a similar set-up, so be on the lookout for any messages which try to get you to run apparently genuine “apps” that may give you a very bad day. Treat all messages that want you to do something out of the ordinary with great suspicion. Or you could go all biblical on them and follow Commandment 5.

BTW – Google didn’t reveal the number of affected users, they just said less than 0.1% of GMail accounts were affected – a tiny fraction, right? Well, given they had over a billion users this time last year, that means the not insubstantial figure of 1 million is how many were affected.