Google Docs App spam goes phishing

There’s a very clever phishing scam going around at the moment – originally thought to be targeting journalists given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes – from orgs to schools/campuses. This doesn’t mean it didn’t begin with a popped journo mailbox and spread its way out from there or that someone didn’t intentionally send it to a number of journalists of course – but either way, this one has gone viral and not in a “look at the cute cat pic” fashion.
Here’s how it happens
The potential victim receives an email claiming to be from a Mailnator account, which they dispute is related to their service.

Hitting “Open in Docs” takes the clicker to a genuine sign in page:

Where this all goes wrong is on the next page, which is actually giving an app permission to access the account. Somehow, nobody at Google thought of preventing people from calling their apps “Google Docs”.

Google Docs would like to
Read, send, delete and manage your email
Manage your contacts
After “Allow” is hit, the spam is then sent on to contacts. While 2FA would normally save you from a phishing attempt, in this case the victim is willingly giving permission to an App so 2FA won’t help in this case – the only solution is to see which Apps have been granted permission and revoke.
Here are some of the domains being used for this (all offline at time of writing, but there may be others):

Phish domains:
— Andre M. DiMino (@sempersecurus) May 3, 2017
Google is aware of the situation, and are currently working on it. We’ll update the post with more information as it comes in.
Christopher Boyd (Thanks to DioDesign and hrbrmstr for screens / data)
The post Google Docs App spam goes phishing appeared first on Malwarebytes Labs.
Click here for best antivirus and antispyware software

Powered by WPeMatico

This entry was posted in Antivirus and tagged , , , , , , , , , , , , , , , , . Bookmark the permalink.