Google Docs users were hit by a widespread phishing attempt: inboxes everywhere were spammed with what appeared to be invitations to log on to their Google accounts, but which were in fact malicious. Unlike a garden-variety cyberattack, many of the telltale signs that could tip a user off that something was awry were absent.
What made this attack so tricky to detect was that it took advantage of Google’s legitimate tool for sharing data with trusted third-party apps. Since the bogus invitation was routed through Google’s real system, nothing was misspelled, the icons looked accurate, and it was hard to know something had gone wrong until it was too late.
Google has confirmed it has now fixed the phishing attack. “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” says a Google spokesperson. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”
It’s not immediately clear how an attacker was able to execute such a sophisticated phishing attempt. Attackers took advantage of a weakness in Google’s system, one that may or may not have existed for some time, that allowed developers to create a non-Google web app bearing the “Google Docs” name.
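A third-party app carrying a first-party product name is something a consent flow can check for mechanically. The following is an added example, not Google's code or API: it assumes a hypothetical consent record holding the app's display name, its publisher's verified domain and its redirect host, and flags a non-Google publisher that presents a Google product name, as in the attack described above.

```python
import re
from dataclasses import dataclass

# Google product names a third party should never present as its own app name.
# Constructed list for this example; extend as needed.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google sheets", "gmail"}
# Domains treated as Google-owned (assumption for the example).
FIRST_PARTY_DOMAINS = {"google.com"}

@dataclass(frozen=True)
class ConsentRequest:
    """Hypothetical record of what a consent screen shows (not Google's API)."""
    app_name: str          # display name the user sees
    publisher_domain: str  # verified domain of the developer who registered the app
    redirect_host: str     # host the browser is sent to after the user approves

def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so 'Google  Docs.' == 'google docs'."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", "", name.lower())).strip()

def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def impersonation_findings(req: ConsentRequest) -> list[str]:
    """Return reasons the request looks like a first-party impersonation (empty if none)."""
    findings = []
    name = normalize_name(req.app_name)
    first_party = req.publisher_domain.lower() in FIRST_PARTY_DOMAINS
    if not first_party and name in GOOGLE_PRODUCT_NAMES:
        findings.append(f"app name {req.app_name!r} matches a Google product but publisher is {req.publisher_domain}")
    elif not first_party and name.startswith("google"):
        findings.append(f"third-party app name {req.app_name!r} uses the Google brand")
    if not host_belongs_to(req.redirect_host, req.publisher_domain):
        findings.append(f"redirect host {req.redirect_host} is not under publisher domain {req.publisher_domain}")
    return findings

def is_suspicious(req: ConsentRequest) -> bool:
    return bool(impersonation_findings(req))

if __name__ == "__main__":
    # Constructed sample requests: one mimicking the attack described above, one benign.
    for r in (ConsentRequest("Google Docs", "example-dev.net", "app.example-dev.net"),
              ConsentRequest("Acme Notes", "acme.example", "login.acme.example")):
        print(r.app_name, "->", impersonation_findings(r) or "no findings")
```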