A clever email phishing attack spread like wildfire across the internet on Wednesday afternoon. But this was no typical phishing attack — so don't feel bad if you were fooled.
The email looked innocuous enough: an invitation, supposedly from a friend or past contact, to view a file on Google Docs. There were some giveaways that it was fake if you knew what to look for, but it was constructed in a way that even tech savvy users who clicked through might not have noticed something was wrong.
If you just opened the email, but didn't actually click the Google Docs link, your account is probably fine. But what if you did click the link?
Don't just change your password
Unlike other phishing attempts, which try to fool users by directing them to a fake Google login page, this attack directed users to a real Google account page. In other words, the URL in your browser wouldn't suggest anything out of the ordinary. It was legit.
However, some users quickly realized that even though the login page was real, the "Google Docs" app that was prompting users was not. Instead, someone created a malicious app with the name "Google Docs" to try and fool people into giving it access to their account — specifically, their contact lists and emails.
Once the fake "Google Docs" app had access to an account, it appears to have sent new phishing messages to all the contacts in the victim's address book, which is how the fake emails managed to spread so far so fast.
If alarm bells went off when you saw that "Google Docs" wanted access to your account and closed the page without giving it access, your account is probably fine.
If you granted the fake Google Docs app access to your Gmail account, changing your password is a good first step — but not the only one. You'll have to revoke the fake app's access to your account, too.
You can do this by looking at the list of Connected Apps & Sites under your Google account's security settings. It might also be a good time to see what other apps you've granted access over the years, and revoke any that you don't recognize.
OK, so who did it?
It's still not clear who is behind the attack, or what their fake app hoped to achieve. In a statement, Google said that while contact information was accessed and used, "our investigations show that no other data was exposed."
Fewer than 0.1 per cent of users were affected, according to the company — and although that might seem small, it could mean that as many as one million users received the message, considering Gmail has one billion monthly active users.
Motherboard reported that some journalists and researchers found an email address with the name Eugene Pupov linked to the phishing scheme, and that a Twitter account by the same name is claiming the scheme was an act of academic research gone wrong. But reporter Joseph Cox is skeptical of the claim.
"Coventry University, apparently the institution Pupov attended, told Motherboard in an email that there is no current or former student at the university by the name Eugene Pupov," Cox wrote.