If you’ve got a Gmail account, you’re exposed to the latest, massive cyber threat. A phishing scam is sweeping the Web at the moment, and your Gmail (and every online account you’ve paired it with) could be at risk. It may not be clear who is pulling the strings behind this rapidly spreading Google Docs phishing scam or what their motivation may be, but one thing is for sure: a million accounts may have already been compromised.
Massive Possible Damage
This phishing scam is no ordinary threat, by any means. People whose email has been compromised are at serious risk, because the ‘worm’ gives the attackers the power to take over the account.
Based on what has been observed from this threat so far, it is capable of accessing a user’s personal details and information. For those who’ve already been affected by this Google Docs phishing scam, the damage could potentially be massive.
How the Google Docs Phishing Scam Spread
The scam typically begins with an email from someone you know, asking you to check out an attached GDocs (Google Docs) file. Make the mistake of clicking the malicious link in that email and you’ll be taken to a real Google security page, where you are asked to give permission to a fake app—posing as Google Docs—to manage your email account.
If you fall for it completely and grant permission to the disguised worm, it gains access to your email and turns your account into a tool for spreading the attack further. The worm then sends itself to all of your contacts, whether they’re on Gmail or not, reproducing itself hundreds of times over every time someone falls for its trickery.
To be honest, identity phishing campaigns like this are common. The worm released yesterday, however, was anything but ordinary.
The Worm’s ‘Sophisticated’ Construction
According to reports, the scam affected “fewer than 0.1 percent of Gmail users”. Because Gmail has roughly 1 billion users worldwide, this figure may easily mean that the Google Docs phishing scam has successfully cracked at least a million accounts.
Millions of users fell for the trap because of the phishing scam’s unusually sophisticated construction. Not only is the malicious link in the email remarkably realistic, the email itself comes from someone you already know. It even manipulated Google’s real login system.
A Potential for a Disaster
“While contact information was accessed and used by the campaign, our investigations show that no other data was exposed,” a Google spokesperson told NBC News an hour after the attack was exposed on social media.
Even though Google has “disabled” the malicious accounts behind the worm, it could easily have been a disaster for the unsuspecting victim. Full control of your Gmail would have let scammers retrieve any personal data you’ve sent or received using the compromised email. You could be handing over access to your Facebook, Amazon, and other accounts, including online bank accounts.
A Key Giveaway
By now, a red warning should appear on the malicious email, saying it could be a phishing attack. If no warning is shown, be on the lookout for one obvious giveaway: a fake email address in the main recipient field.
While nothing about the email looks suspicious at first glance, look at the main recipient field and you’ll see that the message has been sent to a fake email address—firstname.lastname@example.org. Your own address will likely appear in the BCC field.
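As an added example that is not part of this article, the following Python script triages a raw email for the giveaways described above: a throwaway address in the To field, the real recipient hidden in Bcc, and a “shared document” link that is really a Google OAuth consent request asking for mailbox access. The two sample messages, the client id and the list of mailbox-scope hints are constructed assumptions, not material from the original campaign.

```python
import email
import html
import re
from email import policy
from email.utils import getaddresses
from urllib.parse import parse_qs, urlparse

# Both messages below are constructed for this example.
PHISH_SAMPLE = """\
From: A Friend <friend@example.net>
To: hhhhhhhhhhh@mailinator.com
Subject: A Friend has shared a document on Google Docs with you
Content-Type: text/html; charset=utf-8

<p>A Friend has invited you to view a document.</p>
<a href="https://accounts.google.com/o/oauth2/auth?client_id=CONSTRUCTED-ID&amp;scope=https%3A%2F%2Fmail.google.com%2F&amp;response_type=code">Open in Docs</a>
"""

BENIGN_SAMPLE = """\
From: A Friend <friend@example.net>
To: victim@example.com
Subject: lunch?
Content-Type: text/plain; charset=utf-8

See https://docs.google.com/document/d/CONSTRUCTED-ID/edit for the menu.
"""

THROWAWAY_DOMAINS = {"mailinator.com"}           # domain named in the article
MAIL_SCOPE_HINTS = ("mail.google.com", "gmail")  # assumption: substrings of mailbox scopes

def addresses(msg, header):
    """Lower-cased addresses from every instance of a header (empty if absent)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]

def triage(raw_message, my_address):
    """Return the phishing indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    visible = addresses(msg, "To") + addresses(msg, "Cc")
    # Giveaway 1: every visible recipient is a throwaway address.
    if visible and all(a.rsplit("@", 1)[-1] in THROWAWAY_DOMAINS for a in visible):
        findings.append("visible-recipients-throwaway")
    # Giveaway 2: I received it, yet I am not in To/Cc, so I was Bcc'd.
    if my_address.lower() not in visible:
        findings.append("real-recipient-hidden-in-bcc")
    # Giveaway 3: a "document" link that is a Google OAuth consent request for a mail scope.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = html.unescape(body.get_content()) if body else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        parsed = urlparse(url)
        if parsed.hostname == "accounts.google.com" and parsed.path.startswith("/o/oauth2"):
            scope = " ".join(parse_qs(parsed.query).get("scope", []))
            if any(hint in scope for hint in MAIL_SCOPE_HINTS):
                findings.append("oauth-consent-link-requests-mail-scope")
    return findings
```

Run `triage(PHISH_SAMPLE, "victim@example.com")` to see all three indicators fire, while the benign share link produces none.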
What to Do Next
At this point, we highly recommend that you only click Google Docs links in emails you were expecting. Be absolutely sure that you are supposed to receive such a link from a contact before even attempting to open the email.
If you have received this Gmail message (the one with the mailinator.com address as the main recipient), report it as phishing immediately. Click the down arrow beside the reply button and select the “Report phishing” option. Afterward, delete the email.
If you’ve inadvertently clicked on the link, go to the connected apps and sites page in your Google account settings and revoke access for “Google Docs”. This should keep the attackers from retaining the permission to access your email via the fake GDocs app. While you’re on that page, it’s a good idea to revoke permission for any other listed apps that you don’t recognize.
For good measure, we encourage you to change the password to your Gmail account, too.
Expect even more phishing attacks to land in your Gmail inbox this year. And if you’re wondering how to fortify your Google account’s defenses against cyber threats like these, we’ve got 7 tips and tricks to make Gmail more secure.