Beware phishing emails posing as Google Docs invites (updated)
Someone is trying to hijack email accounts on a grand scale.
If you received an out-of-the-blue email purporting to share a Google Docs file, you're not alone -- and whatever you do, don't click the link inside. Many people online, including more than a few journalists, have been bombarded with phishing emails (currently from a mailinator.com account) that try to trick you into opening a fake Google Docs link. If you click through and grant a bogus "Google Docs" app access to your Google account, the perpetrators can get into your email. And of course, havoc follows after that -- the app spams email to everyone you've ever messaged, and bypasses Google's usual login alerts (including for two-factor authentication).
There have also been reports of Google Drive struggling at the same time, although it's not certain the two are related. Drive was up and running as we wrote this.
It's not certain who's behind the phishing attempt, or just what the fake Google Docs app is doing. We've reached out to Google for more. However, the company already says it's investigating the scam. The one thing that's for certain is the sheer scale and effectiveness of the attack. Both the email and the web pages look very legitimate, so it's all too easy for even seasoned internet users to fall prey to the attack. It could be a while before we know the full extent of the damage.
Update: Google tells Engadget that it has taken down the responsible accounts, pulled fake pages and delivered relevant Safe Browsing updates. Also, it's taking steps to prevent a repeat of this incident. You can read its full statement below.
"We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."
Google has issued a second update detailing what happened and how it's protecting users from such exploits:
"We realize people are concerned about their Google accounts, and we're now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There's no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup."
