Cyberattacks like the ransomware attack we saw last week serve as wake-up calls for Information Security (or InfoSec) professionals. All too often we see businesses and individuals trying to remedy a security breach after it happens, and this provides a real challenge. How will the next attack happen? This is the question—the repeating mantra—of Infosec professionals, and they have a wide variety of options to choose from. A ransomware attack where the infiltration locks out users from their data? A denial of service attack where household appliances will endeavor to bring your website down?
Or will it be a Google document?
Yes, a Google doc.
If you get a request to open up a Google Doc, either through your email or your Google account, don’t click it. This is a phishing scam that is going around. The scam works like this: You get an email from a friend, asking you to look at a Google Doc. When you click “Yes” Google Docs will ask for permission to access your account, including permissions to see and manage your email and contact lists.
So far, you’re fine. This is normal, especially if you are receiving attachments on a regular basis. However, if you are alerted to an attachment that you may not have expected, the second you grant access to your account, this Google doc will access your addresses and send out messages to all of your contacts with a similar link to the one you have received. This is how the attack propagates in an attempt to spread itself further. Once it mails itself to other accounts, the offending Google doc deletes itself from your account.
This is exactly how phishing works. It’s all in the name. The emails, messages, and attachments are all sent to random emails. It’s casting a net wide, much like actual fishing, and hoping for replies. When the random emails are replied to, these leads are the scam’s in to the target. Most phishing scams are possible to spot because, to some degree or another, they don’t look right. Bad grammar. Misspelling of recipient’s names. The accompanying graphics look off. This particular Google doc scam suffers from none of these failings because it is done almost completely through Google’s legitimate, trusted system.
This scam appears to use an actual legitimate third-party Google application that somehow got the name “Google Docs.” Therefore, when it asks for permission to access your account, it’s doing so on the up and up. Since it’s using Google’s actual framework, it doesn’t have to fake anything, making it next-to-impossible to spot. This app is not stealing your password through nefarious means or anything. It is legitimately asking for access to your account and even spelling out what that access is before you click. It’s incredibly clever, and equally dangerous.
Google has been working to remedy this misstep on their part. They have taken action to protect their users against email and attachments impersonating Google Docs by disabling offending accounts. Since taking this initiative, Google has removed fake accounts and pushed updates through Safe Browsing.
This does not mean you rely on Google to take care of you. Be careful. Don’t give any applications permission to your account unless you’ve vetted them as best as you can. And don’t click on any Google Doc requests you aren’t expecting. Confirm that these communications are legitimate through conventional means, like a phone. You know, that device you use to post on Facebook and post Instagram updates. With a quick phone call, you can easily avoid these types of scams.
A research physicist who has become an entrepreneur and educational leader, and an expert on competency-based education, critical thinking in the classroom, curriculum development, and education management, Dr. Richard Shurtz is the president and chief executive officer of Stratford University. He has published over 30 technical publications, holds 15 patents, and is host of the weekly radio show, Tech Talk. A noted expert on competency-based education, Dr. Shurtz has conducted numerous workshops and seminars for educators in Jamaica, Egypt, India, and China, and has established academic partnerships in China, India, Sri Lanka, Kurdistan, Malaysia, and Canada.