A very convincing Google Docs phishing scheme is racing around the internet right now, which means you should avoid clicking any weird Google Docs that have been emailed to you recently — even if it’s from someone you know. It’s spreading incredibly quickly:
If you click the link, it asks for some access permissions to your Gmail account (which actual Google Docs links would not need), and then spams everyone in your contacts with a link to a Google Docs file. They, in turn, email everyone in their contacts, and so on. All of them seem to include the email address “firstname.lastname@example.org.”
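The tell described above is that a genuine Docs share link needs no Gmail permissions at all, whereas this scam sends you to a Google sign-in consent page asking for mailbox and contacts access. The following checker is an added example (not from the article or from Google) that tells the two apart by parsing a link and listing the OAuth scopes it requests; the endpoint paths and scope strings are real Google ones, while the client id, redirect URI and document id are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint paths (used here only to recognise a consent request).
OAUTH_HOST = "accounts.google.com"
OAUTH_PATHS = {"/o/oauth2/auth", "/o/oauth2/v2/auth"}

# Real Google API scopes that hand a third-party app the two things this worm needed:
# the ability to send mail as you, and your contact list to pick the next victims.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

def classify_link(url: str) -> dict:
    """Say what a 'Google Docs' link really is: a plain document share, an OAuth consent request, or something else."""
    u = urlparse(url)
    host = u.netloc.lower()
    # A real shared document lives under docs.google.com and asks for nothing.
    if host == "docs.google.com" and u.path.startswith("/document/d/"):
        return {"kind": "docs_share", "scopes": [], "sensitive": [], "suspicious": False}
    # A consent request carries the requested scopes in the query string (space separated).
    if host == OAUTH_HOST and u.path in OAUTH_PATHS:
        q = parse_qs(u.query)
        scopes = q.get("scope", [""])[0].split()
        sensitive = sorted(s for s in scopes if s in SENSITIVE_SCOPES)
        return {
            "kind": "oauth_consent",
            "scopes": scopes,
            "sensitive": sensitive,
            # Opening a document should never require mail or contacts access.
            "suspicious": bool(sensitive),
            "redirect_uri": q.get("redirect_uri", [""])[0],
        }
    return {"kind": "other", "scopes": [], "sensitive": [], "suspicious": False}

# Constructed sample links (placeholder ids and redirect host, not real indicators).
DOCS_LINK = "https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit"
CONSENT_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

if __name__ == "__main__":
    for link in (DOCS_LINK, CONSENT_LINK):
        verdict = classify_link(link)
        print(verdict["kind"], "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["sensitive"])
```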
What exactly the phishing accomplishes is unknown, but there’s an excellent explanation of how it works on Reddit:
It’s not the first time Google Docs has been used like this. There were widespread Google Docs email scams in 2014, 2015, 2016 — if you stare hard at those numbers, you can almost see a pattern forming. This one does seem to be more subtle and advanced; it only asks for permissions, not that users enter their password. It’s also widespread — hitting media organizations, technology companies, and entire schools:
If, by chance, you received this email and clicked on the link, here’s what you need to do:
1. Go to your Google account’s third-party app permissions page at https://myaccount.google.com/permissions.
2. Remove the app named “Google Docs,” which is the name the phishing scam used for itself.
I’ve emailed a few cybersecurity people and Google to ask what’s up, and will update with responses. The Electronic Frontier Foundation has confirmed that it’s a “credential hacking” attack that gives itself the ability to spam your contacts, but not malware that affects your entire computer — which means that as long as you remove any permissions you gave it, you’re safe.
Meanwhile, if you do get a random Google Docs link, here’s what to do:
Stay safe out there.
Update, May 3, 2017, at 5:20 p.m.: An official statement from Google, saying the attack has been stopped: “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”