Just about 40 minutes ago I began receiving Google Doc email invites from some of my contacts. The first thing that triggered red flags for me was the source. The emails have all come from a Mailinator email address (firstname.lastname@example.org). The other red flag is that there is no text in the body, just an invite to share Google Docs: a nice shiny blue button to click. Our advice: do not click that button. Actually, do not open any invite to Google Docs from any source you cannot absolutely verify.
UPDATE 4 (05/04/2017 07:15EST): An eagle-eyed reader has pointed out, fairly, that the Mailinator service was not to blame for this attack, and indeed that is true. We indicated that the emails were coming from a Mailinator email address, but in reality they were being sent TO the Mailinator address. Whoever came up with this phishing scam was using the Mailinator service in a malicious way. So we’d like to clarify that Mailinator is just as much a victim in this situation as were the email recipients.
UPDATE 3 (05/03/2017 22:13EST): A Google spokesperson has emailed us another official comment on this story:
“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There are no further action users need to take regarding this event; users who want to review third-party apps connected to their account can visit Google Security Checkup.” — Google Spokesperson
UPDATE 2 (05/03/2017 17:15EST): A Google spokesperson has emailed us an official update on this story:
We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.
UPDATE (05/03/2017 16:22EST):
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail.
— Gmail (@gmail) May 3, 2017
We’re not exactly sure what’s going on; one of our sources wrote to us and had this to say:
Google users are being spammed everywhere. Google said they made a service change that broke and are attempting to repair shortly.
We have reached out to Google for an official statement on the matter and will update this post when we can. In the meantime, steer clear of strange email invites and delete, delete, delete.
Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON’T CLICK. pic.twitter.com/fSZcS7ljhu
— Zeynep Tufekci (@zeynep) May 3, 2017
Here’s Google’s G-Drive update about the situation; there is not much to go on.
This Reddit post details the email and what the email’s purpose is.
To summarize, this spam email:
- Uses the existing Google login system
- Uses the name “Google Docs”
- Is only detectable as fake if you happen to click “Google Docs” whilst granting permission
- Replicates itself by sending itself to all your contacts
- Bypasses any 2-factor authentication / login alerts
- Will send scam emails to everyone you have ever emailed
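The indicators listed above (a sender display name claiming to be “Google Docs” from a non-Google domain, a throwaway Mailinator address as the visible recipient while the real victims are hidden, and a body that is nothing but an “Open in Docs” button) can be turned into a mail-filter heuristic. The following is an added example, not code from the original post or from Google; the two sample messages, the addresses and domains in them, and the `DISPOSABLE_DOMAINS` and `LEGIT_SENDER_DOMAINS` lists are constructed assumptions for the demonstration.

```python
"""Mail-filter heuristic for the consent-phishing pattern described in the post.

Added example (not from the original post).  Sample messages, addresses,
domains and the domain lists below are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Assumption: throwaway-mail providers whose appearance as the *visible*
# recipient is a strong hint that the real targets were BCC'd.
DISPOSABLE_DOMAINS = {"mailinator.com"}
# Assumption: sender domains from which a "via Google Docs" share notice
# would legitimately originate.
LEGIT_SENDER_DOMAINS = {"google.com", "docs.google.com"}

TAG_RE = re.compile(r"<[^>]+>")
ANCHOR_RE = re.compile(r"<a\b[^>]*>(.*?)</a>", re.IGNORECASE | re.DOTALL)

# Constructed sample: the phishing pattern from the post.
SAMPLE_PHISH = """\
From: "Alice Example (via Google Docs)" <alice.example@example.org>
To: throwaway@mailinator.com
Subject: Alice Example has shared a document on Google Docs with you
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://example.invalid/consent">Open in Docs</a></p></body></html>
"""

# Constructed sample: what a genuine share notice looks like by comparison.
SAMPLE_LEGIT = """\
From: "Bob Example (via Google Docs)" <drive-shares-noreply@google.com>
To: carol@example.org
Subject: Document shared with you: "Q2 plan"
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob Example has invited you to edit the following document:</p>
<p>Q2 plan</p><p><a href="https://example.invalid/doc">Open in Docs</a></p>
<p>You received this because you have a Google account.</p></body></html>
"""


def _body_text(msg):
    """Return the HTML (or, failing that, plain-text) body of the message."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def analyse(raw):
    """Score one raw RFC 822 message against the indicators from the post."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # Indicator 1: display name impersonates Google Docs, but the sending
    # domain is not one Google would use for share notices.
    name, addr = parseaddr(msg.get("From", ""))
    if "google docs" in name.lower() and _domain(addr) not in LEGIT_SENDER_DOMAINS:
        flags.append("display_name_impersonates_google_docs")

    # Indicator 2: the visible recipient is a disposable mailbox, i.e. the
    # real recipients were hidden in BCC.
    recipients = [a for _, a in getaddresses(msg.get_all("To", []))]
    if any(_domain(a) in DISPOSABLE_DOMAINS for a in recipients):
        flags.append("visible_recipient_is_disposable_mailbox")

    # Indicator 3: the body is just a button -- no explanatory text at all.
    html = _body_text(msg)
    anchors = [TAG_RE.sub("", a).strip() for a in ANCHOR_RE.findall(html)]
    words = TAG_RE.sub(" ", html).split()
    if anchors and len(words) <= 5:
        flags.append("body_is_only_a_link")
    if any("open in docs" in a.lower() for a in anchors):
        flags.append("open_in_docs_button")

    # A single weak indicator (the button alone) is normal for real share
    # notices, so require at least two before quarantining.
    return {"flags": flags, "suspicious": len(flags) >= 2}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample))
```

The threshold of two indicators is deliberate: a genuine share notice also carries an “Open in Docs” button, so that flag alone must not quarantine mail. The disposable-recipient and impersonating-display-name checks are the ones that separate the two samples.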