Google shuts down massive Google Docs phishing scam

Make sure you know what you're clicking on.

Andrew Morse Former executive editor
Andrew Morse is a veteran reporter and editor. Before joining CNET, he worked at The Wall Street Journal, Reuters and Bloomberg, among other publications.
Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Google shut down a massive phishing scam that targeted users of its Google Docs service. You know, basically everyone.

The sophisticated phishing scam spread across the web on Wednesday afternoon, tricking people into giving up access to their Google accounts. Some people, like Reddit user JakeSteam, said the scam is so sophisticated it's virtually undetectable.

After offering some obvious advice -- don't click on the link -- Google tweeted it had wrestled the situation under control.

Phishing, of course, is nothing new and Google users get targeted often. In 2014, a similar scam targeted Docs and Drive users. The current ruse appears to have targeted journalists and educators, according to reports.

This scheme is different because it focuses on stealing access to your account rather than stealing your username and password. The attacker created a rogue app made to look like Google Docs, which unsuspecting victims would grant permission to.

Granting permission to a Gmail account is the "equivalent to having access to a username and password," Liam O'Murchu, director of Symantec's Security Technology and Response group, said in an email. That means victims could have been phished without ever typing in their password.

Once the scheme tricked its victims, it would send emails to that person's contact list, in hopes of spreading itself. Google has since disabled the fake app.

The scam sent potential victims a link that appeared to be a Google Doc from someone they knew and then directed them to Google's account selection screen, JakeSteam wrote. The emails looked legit but were addressed to "hhhhhhhhhhhhhhhh@mailinator.com."
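As an added illustration of how a mail filter could screen for the lure described above (example code written for this page, not from the article, Google or Symantec; both sample messages are constructed, and the choice of header traits to check is an assumption about what a defender would look for):

```python
from email import message_from_string
from email.utils import getaddresses

# Indicator quoted in the article: the lure mails were addressed to this throwaway mailbox.
LURE_RECIPIENT = "hhhhhhhhhhhhhhhh@mailinator.com"

# Constructed sample modelled on the described lure; sender and link are made up.
LURE_SAMPLE = """\
From: Known Contact <contact@example.com>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: Known Contact has shared a document on Google Docs with you

Open in Docs: [link placeholder]
"""

# Constructed benign message for comparison.
BENIGN_SAMPLE = """\
From: Teammate <teammate@example.org>
To: me@example.org
Subject: Notes from today's meeting

Attached as promised.
"""

def lure_indicators(raw_message: str, our_address: str) -> list[str]:
    """Return the traits of the Google Docs lure found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    subject = (msg.get("Subject") or "").lower()
    found = []
    if LURE_RECIPIENT in visible:
        found.append("addressed to the campaign's throwaway mailbox")
    if our_address.lower() not in visible:
        found.append("our mailbox is not a visible recipient (delivered via Bcc)")
    if "google docs" in subject and "shared" in subject:
        found.append("subject claims a shared Google Doc")
    return found

def is_docs_lure(raw_message: str, our_address: str) -> bool:
    """One trait alone (e.g. a legitimate Bcc) is not enough; require two or more."""
    return len(lure_indicators(raw_message, our_address)) >= 2

if __name__ == "__main__":
    for name, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_docs_lure(sample, "me@example.org"),
              lure_indicators(sample, "me@example.org"))
```

The throwaway recipient is the only indicator the article gives; the Bcc and subject checks are there because a single hard-coded address is trivially changed by the next campaign.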

Mailinator tweeted that it wasn't responsible for sending the emails.

First published May 3, 1:25 p.m. PT.

Update, 2:33 p.m.: Updated with news that Google has fixed the problem, and at 4:07 p.m. with details on how the phishing scheme worked.