Sophisticated phishing attack that disguises itself as a Google Docs invitation

https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/

This is an extremely clever phishing attack because it uses a legitimate Google login page and OAuth prompt to gain access to the Gmail accounts of unsuspecting users. And most users likely click allow without thinking twice - when you think about it, it certainly is suspicious for a Google service to request permission to itself, but considering how often I use my Google account to log in to various websites and apps, I doubt I would have thought twice if I was presented with this, and I consider myself somewhat aware of these scams.

Since this gives the attacker access to your Gmail account, not only can they start spamming all your contacts, but they can also read your existing emails. I have not yet gotten one of these, but my university's IT department has sent out warning messages because apparently at least one person has, and they clicked on it.

5 Likes

Lol yeah someone published a 'Google Docs' named app that you get to allow access to. :smiley:
Was fixed an hour ago btw, Google informed me.

It's kind of funny that it was allowed, such a simple thing, it must have just been overlooked.

Here's how long the fix took

https://www.google.com/appsstatus#hl=en&v=issue&sid=4&iid=c708d68b1884a629816e361895c125a5

3 Likes
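A defender-side check for the pattern described in the posts above (a third-party app named 'Google Docs' asking for Gmail access through a genuine OAuth prompt), added here as an example and not part of the original thread. The reserved names, trusted client IDs and grant records are constructed assumptions, and the handling of invisible and full-width characters goes beyond the exact-name case the thread describes.

```python
import unicodedata

# Assumption: display names this organisation reserves for first-party Google apps.
RESERVED_NAMES = {"google docs", "google drive", "gmail"}
# Assumption: client IDs already verified and allowlisted by the organisation.
TRUSTED_CLIENT_IDS = {"trusted-docs-client.example"}
# Scopes that expose mail and contacts, the access the thread says was abused.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

def normalize_name(name):
    """Fold case, compatibility forms and invisible characters so lookalikes compare equal."""
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return " ".join(visible.casefold().split())

def review_grant(grant):
    """Return the reasons a single OAuth grant deserves review (empty list if none)."""
    if grant["client_id"] in TRUSTED_CLIENT_IDS:
        return []
    reasons = []
    if normalize_name(grant["display_name"]) in RESERVED_NAMES:
        reasons.append("impersonates-reserved-name")
    risky = sorted(SENSITIVE_SCOPES.intersection(grant["scopes"]))
    if risky:
        reasons.append("sensitive-scopes:" + ",".join(risky))
    return reasons

def audit(grants):
    """Map client_id -> reasons for every grant that needs review."""
    flagged = {g["client_id"]: review_grant(g) for g in grants}
    return {cid: why for cid, why in flagged.items() if why}

# Constructed sample grants (not real client IDs).
SAMPLE_GRANTS = [
    {"client_id": "trusted-docs-client.example", "display_name": "Google Docs",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"client_id": "unknown-client-1.example", "display_name": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"client_id": "unknown-client-2.example", "display_name": "\uff27oogle\u200b  Docs",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"client_id": "calendar-helper.example", "display_name": "Team Calendar Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

if __name__ == "__main__":
    for client_id, reasons in audit(SAMPLE_GRANTS).items():
        print(client_id, reasons)
```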

I received one of these today from my kid's teacher. My spidey sense was tingling and I didn't click the link and ignored the e-mail. I'm glad I did. Based on the number of similar e-mails I started receiving from other parents shortly after, I'd say the attack was fairly successful and clever...

3 Likes

@Eden This might be worth pinning in the Discord

As for the topic:
Holy hell! I would not have fallen for it as I reject Google Drive/Docs etc.
This is one hell of an attack!