Google Shuts Down Phishing Scam Targeting Google Docs Users

First, you get a message from a seemingly trustworthy contact, and they ask you to open a Google Doc. Granting the sneaky app access to your Gmail will let it peek into your account and start sending off invites on your behalf to everyone in your contact list.

The new security feature for Gmail for Android is being rolled out in phases. It used Google’s official pages and didn’t direct of the site, which many other scams often do.

However, OAuth can be unsafe in the wrong hands.

OAuth is the Open Authorization standard that enables online users to access third-party services without having to re-enter an account password. In essence, the login page looked exactly like a Google login page because it in fact was – the scam Docs app was a third-party extension that could be legitimately added to a Gmail account if authorized, just like extensions such as Boomerang.

Google was quick to shut down the offending accounts.

Last month, Trend Micro said a Russian hacking group known as Fancy Bear was using a similar email attack method that abused the OAuth protocol to phish victims.

The attack was stopped in a matter of hours, but now cyber security experts warn the way in which it was executed could lead to replicas using other popular platforms as cover. For example, in the Gmail phishing scam, one of the recipients was a user called hhhhhhhhhhhhhhhh@mailinator.com. It’s still a good idea to change your Google account password, which is really something you should be doing on a regular basis anyway.

By clicking on what looked like a standard mail, users ended up giving hackers control over their entire email history, attachments and contacts.

Security researcher Matt Austin replicated Wednesday’s phishing attack using Cyrillic script.

But even though Tuesday’s attack may have been novel, the dangers with OAuth are hardly new.

DeMarre’s not only clever enough to have figured out this kind of attack, he reported it to Google in 2012 and says, over on Hacker News, that he even received “a modest bounty” for his troubles.

That having been said there is no way to insure that you are 100% safe from cybercriminals but you can make the job of ruining your day just a bit harder.