The first thing recipients saw was an email from someone on their contacts list, sent with the familiar subject line "…has shared a document on Google Docs with you." From there, the email presented a line of text ("…has invited you to view the following document"), followed by an official-looking "Open in Docs" button. If users took the bait, they would then be prompted to log in to Google anew — and their contact lists would be duly harvested.
While seemingly simple, the scam was extremely cunning, and exploited the openness of Gmail to the full. In essence, the login page looked exactly like a Google login page because it in fact was — the scam Docs app was a third-party extension that could be legitimately added to a Gmail account if authorized, just like extensions such as Boomerang.
This is achieved via an open protocol called OAuth, the same system that lets users log in to Facebook or Twitter via their Google account. Anyone can make an OAuth application, and in fact Google depends on the platform heavily — independent developers create new applications, and the company then builds upon them, incorporating them into their various products. Adwords, Gmail, Adwords and Search are all augmented with third-party provisions.
Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON'T CLICK. pic.twitter.com/fSZcS7ljhu— Zeynep Tufekci (@zeynep) May 3, 2017
Many other tech giants have special login processes for their products, but Google does not. Moreover, Google converses with users via email, making it harder for users to tell when they receive a scam email.
"We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail," Google said in a statement.
The attack's impact was arguably minor — the millions of indentikit emails being blasted out did not go unnoticed by Google's eagle-eyed administrators, and the scam was quickly neutered, with the phony Google Docs extension blocked outright. There is no suggestion any passwords were actually compromised, but even though the attack is estimated to have affected less than 0.1 percent of users, that equates to as many as a million people or more.
An individual, Eugene Pupov, even came forward on Twitter to claim he was behind the attack, and it was in fact an accident — a botched test-run of a program he had created as part of a course at Coventry University. However, the University has denied the man is or ever has been a student at the institution, and "his" Twitter account has since been deleted.
Nonetheless, the weaknesses the hack exploited are significant, and they will not — perhaps cannot — be remedied. Any open digital platform can easily be abused, and emulative scams have even infected Google Play Store, with developers creating malicious apps that are indistinguishable from legitimate, popular apps. They cram these apps, and their corresponding review sections, with adverts — and can reap significant income from ad revenue.
As with scam emails, Google has dedicated teams charged with identifying and removing the apps, but there's no way to prevent them burgeoning in the first place. Open platforms are vital for internet users, but they also facilitate an online environment in which few are completely cognizant of what they can trust.
Still, Google has announced they are introducing new anti-phishing protections — on the Gmail app, for Android users. The measures include a warning from Google when a user receives a phishing link, saying, "the site you are trying to visit has been identified as a forgery intended to trick you into disclosing financial, personal or other sensitive information."
There has been a significant spike in phishing attacks in 2017, with classic net vulnerabilities often being exploited anew. In April, it was revealed a longstanding weakness in browsers still allows criminals to create scam websites that perfectly emulate real ones — right down to the web address.