An unusually sophisticated identity phishing campaign appeared to target Google’s roughly 1 billion Gmail users worldwide, Google has confirmed. Its aim was to gain control of victims’ entire email histories and to spread itself to all of their contacts.
The worm arrived in users’ inboxes posing as an email from a trusted contact and asked them to check out an attached “Google Docs,” or GDocs, file. Clicking the link took users to a real Google security page, where they were asked to grant the fake app, posing as GDocs, permission to manage their email account.
To make matters worse, every time a single user fell for it, the worm reproduced itself hundreds of times, sending itself to all of the affected user’s contacts, Gmail or otherwise.
The strategy is a common one, but the worm released Wednesday caused havoc for millions of users because of its unusually sophisticated construction. The email that delivered it appeared to come from someone users already knew, and the payload not only looked remarkably realistic and trustworthy but also manipulated Google’s real login system.
Google said it had “disabled” the malicious accounts and then pushed updates to all users. A spokesperson told NBC News on Wednesday night that the campaign affected “fewer than 0.1 percent of Gmail users,” which would still be about 1 million, and that the vulnerability was exposed for only about one hour.
“While contact information was accessed and used by the campaign, our investigations show that no other data was exposed,” the spokesperson said.
For unsuspecting victims, it could have been a calamity. With control of your Gmail account, scammers can harvest any personal data you’ve ever sent or received in an email. That access also lets them generate password-reset requests on scores of other services, potentially allowing the hackers to take over, for example, your Amazon, Facebook or online bank accounts.
Social media was flooded with reports from employees and others connected to large companies, especially educational institutions and journalism organizations, saying they had received the malicious email.
But what can be done to prevent such a thing in the future?
Although the malicious email was a dead ringer for a real message from a trusted friend, there was one key giveaway: in the main recipient field, the mail was addressed to a fake email address, firstname.lastname@example.org, while users’ own addresses were placed in the BCC field.
If you receive a Gmail message with the mailinator.com address as the main recipient, report it immediately by clicking the down arrow beside the reply button and selecting “Report phishing.” Then delete it.
If you do click on the malicious link, don’t grant permission when the fake GDocs app asks for it.
If you have already granted access to the hackers, go to the Google connected sites console and immediately revoke access to “Google Docs.”
Finally, change your Google password.
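The recipient-field giveaway described above can be checked mechanically. The script below is an added example, not code from the article or from Google: it parses a raw message and flags it when every visible To/Cc recipient is a throwaway mailinator.com mailbox and the reader’s own address appears nowhere in those headers (i.e. they were reached only via BCC). The sample messages, the sender names and the local part of the mailinator address are constructed for the example.

```python
# Added example: flag messages whose only visible recipients are throwaway
# mailboxes while the actual reader was hidden in BCC, the giveaway the
# article describes. Not part of the original article.
from email import message_from_string
from email.utils import getaddresses

# Domains treated as throwaway for this example (assumption; extend as needed).
DISPOSABLE_DOMAINS = {"mailinator.com"}


def visible_recipients(msg):
    """Return lower-cased addresses from the visible To and Cc headers."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def looks_like_bcc_lure(raw_message, my_address):
    """True when To/Cc name only throwaway mailboxes and my address is absent."""
    msg = message_from_string(raw_message)
    rcpts = visible_recipients(msg)
    if not rcpts or my_address.lower() in rcpts:
        return False
    return all(r.rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS for r in rcpts)


# Constructed sample lure: visible recipient is a throwaway mailbox, the
# real reader (me@example.com) only received it through BCC.
LURE = """From: A Friend <friend@example.com>
To: throwaway@mailinator.com
Subject: A Friend has shared a document on Google Docs with you
Content-Type: text/plain

A Friend has invited you to view the following document.
"""

# Constructed sample of an ordinary message addressed to the reader directly.
NORMAL = """From: A Friend <friend@example.com>
To: Me <me@example.com>
Subject: Lunch?
Content-Type: text/plain

Are you free at noon?
"""

if __name__ == "__main__":
    print(looks_like_bcc_lure(LURE, "me@example.com"))    # True
    print(looks_like_bcc_lure(NORMAL, "me@example.com"))  # False
```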
(Adapted from CNBC)