Google Docs Phishing Campaigns

May 4, 2017

On May 3, 2017, the Multi-State Information Sharing and Analysis Center (MS-ISAC) received reporting from five states regarding a Google Docs phishing email campaign. The details of the attack are as follows:

  • The email body states “[name] has invited you to view the following document:” and includes a link to “Open in Docs”. The link opens to a legitimate Google login page.
  • Once the recipients enter their credentials or select an account, a permissions box for a fraudulent application hosted at hxxps://googledocs[.]g-docs[.]win requests access to the user’s address book and email.
  • Once the victim clicks “Allow” this provides the attacker access to their email account and address book but not their calendar. The attacker can then send phishing emails to other targets from the compromised account.

If you receive similar emails, do not click on any links and delete the email immediately.

Per a trusted third party, Google is aware of the campaign and has blocked the sender, and users should receive the Google 404 error if they click on the link. Google is in the process of shutting down the sender's site.

RECOMMENDATIONS:

We recommend the following general best practices, such as not opening suspicious emails or attachments or following suspicious links, as they may contain malware.

NOTE:  IF YOU GRANTED PERMISSION TO YOUR ACCOUNT, THESE PERMISSIONS CAN BE REVOKED AT THE "CONNECTED APPS AND SITES" PAGES OF GOOGLE'S ACCOUNT SETTINGS.  YOUR PASSWORD SHOULD ALSO BE RESET.