Journalists in newsrooms across the United States are swapping warnings about what appears to be a widespread phishing attack, sent via a particularly sneaky invitation to a fake Google Doc.
The scope of the attack is not limited to news organizations, but appears to be spreading on a massive scale through people’s contacts. If you’re concerned your account has been compromised, you can go to Google’s security page to adjust permissions. (Look for “manage apps,” and revoke access to untrusted apps.)
Several IT experts are describing the attack as huge, startlingly fast-moving, and perplexing. Just in the course of writing this short post, I received two separate emails that appear to be part of the attack. In one Reddit thread, where people are trading information about the attack, someone describes the scam as “almost undetectable.” But there are clues to look out for—both of the suspicious emails I received were sent to an odd email address, firstname.lastname@example.org, with me blind-copied.
There are two big reasons why this thing is so tricky. For one, it looks legit: An invitation to view a Google Document appears to come from an existing contact. But when a person clicks on the link, the attack immediately replicates itself—meaning, it has the potential to spam all of that person’s contacts with the same message. The second reason it’s so tricky is that it’s unclear what the attack is attempting to do. Phishing is often a way for bad actors to gain unauthorized access to a person’s email or other private accounts, but it’s not yet clear what’s motivating this attack.
ALERT: Widespread phishing email at BC appears to link to shared Google doc. Do NOT click on these links. BC IT working to block the msgs.— Boston College (@BostonCollege) May 3, 2017
Hey, if you're a journalist getting hit with random Google Doc invites right now, do not click. Forward phishing attacks to email@example.com— Sarah Jeong (@sarahjeong) May 3, 2017
There's a widespread Google Docs phishing scam affecting all kinds of people (e.g., not just gov't or journalists) today. Be careful.— Waldo Jaquith (@waldojaquith) May 3, 2017
Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON'T CLICK. pic.twitter.com/fSZcS7ljhu— Zeynep Tufekci (@zeynep) May 3, 2017
Look maybe hhhhhhhhhhhhhhhh just really wants everyone to see the Google Doc they've been working on— Keith Collins (@collinskeith) May 3, 2017
As in most cases of widespread cyberattack, vulnerabilities are found, exploited, then eventually patched—before hackers figure out the next way to game the system and the cycle repeats itself. A spokesperson for Google told me she would look into what’s happening, but didn’t immediately have any information to share.
Later, Google tweeted that it had “removed the fake pages” and is working to “prevent this kind of spoofing from happening again.”Google encouraged people to report any potential phishing attempts within Gmail.