Fighting the Faux Google Doc Phish

May 10th, 2017
Vadim Vladimirskiy, Founder & CEO, Nerdio

The nefarious actions of Internet thieves continue to highlight the importance of consistent, stringent data security practices. Recently, Google programmers discovered a phishing scam that targets users with a credible email stating that someone they know wants to share a Google Doc with them.

Upon clicking the link to view the document, users are taken to a legitimate Google page and asked to click on a link titled “Google Docs.” However, “Google Docs” is not the genuine article – instead, it’s malware that will ask for access to user contacts, passwords, etc. Once users grant that access, their hard drives are susceptible to the scammers’ attacks.

Exploiting vulnerabilities

What makes this phishing ploy different from most others is that it is executed under cover of not one, but two allegedly secure shields:

  • The “sender” is almost always someone known personally by the recipient.
  • The scam makes use of Google’s actual login page.

The hijackers are successfully using trust placed in Google’s system to exploit Google customers.


Preventing the attack

For years, computer experts have advised users to carefully examine all aspects of the emails they receive, including sender, subject, text, internal links and attachments. If any element is suspicious, users should delete the email without opening it.

However, the Google Docs phishing scam shows that no advice is perfect or complete. This particular scam has spread quickly because it bears none of the traditional warning signs of phishing emails, such as typos and grammar mistakes. Until Google’s engineers can contain and eradicate the threat, the simplest way to handle the issue is to delete unexpected emails regarding the sharing of Google Docs.

Treading carefully

Employers now face the tricky task of educating their staff about the threat while also encouraging them to continue offering high-quality customer service. One software expert suggests checking the link’s prefix, which is normally “http://” or “https://.” On suspect emails, an additional prefix, such as “data:text/html,” may precede the “http” designation; the address might look like this: “data:text/”. The precursor prefix is the address of the malicious account.

Another sign of malware is the number of permissions it seeks. Most Google-run apps do not ask for the ability to delete emails or send email addresses or other user information on behalf of a user. Users should carefully read all permissions listed before granting access.
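
The two checks described above (the link prefix and the permissions requested) can be automated for mail triage. The following is an added example, not code from the original article; it assumes the permission request reaches the user as an OAuth `scope` query parameter on the link, and the sample email, its hosts and the `BROAD_SCOPES` list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Scopes treated as high-risk here (assumption for this sketch; tune to local policy).
BROAD_SCOPES = {
    "https://mail.google.com/",                  # read, send and delete mail
    "https://www.googleapis.com/auth/contacts",  # read and edit contacts
}

# Constructed sample email body; hosts and ids are placeholders.
SAMPLE = """<p>Alice has invited you to view a document.</p>
<a href="https://accounts.example.test/o/oauth2/auth?client_id=PLACEHOLDER&amp;scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts">Open in Docs</a>
<a href="data:text/html,https://accounts.example.test/login">Sign in</a>
<a href="https://docs.example.test/document/d/PLACEHOLDER/edit">View</a>"""

class LinkCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def triage_link(href):
    """Return findings for one link; an empty list means nothing was flagged."""
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Covers the extra prefix case, e.g. data:text/html,... before the http part.
        return [f"unexpected scheme '{scheme}:'"]
    scopes = set()
    for value in parse_qs(parts.query).get("scope", []):
        scopes.update(value.split())  # OAuth scopes are space-separated
    risky = sorted(scopes & BROAD_SCOPES)
    return ["requests broad scopes: " + ", ".join(risky)] if risky else []

def triage_email(html_body):
    """Map every link in the email body to its list of findings."""
    collector = LinkCollector()
    collector.feed(html_body)
    return {href: triage_link(href) for href in collector.links}

if __name__ == "__main__":
    for link, findings in triage_email(SAMPLE).items():
        print(link[:60], "->", findings or "ok")
```
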


Fixing mistakes

Even if the link has been clicked, you can still take steps to reduce the impact of the malware. Go to the Permissions page of your Google account and immediately revoke “Google Docs” access, then change your passwords and ensure that two-factor authentication has been set up for all users.

This phishing attack may be a warning that other similarly sophisticated hacks are on the way. Maintaining constant vigilance over email addresses, the links and attachments they carry, and the permissions you grant when clicking on links can help keep you from being exposed to the damage caused by this type of phishing attack.