Alphabet Inc (NASDAQ:GOOGL) engineers were scrambling yesterday to contain a large scale phishing attack that used its Google Docs cloud-based productivity software.
Before they were able to shut it down, the Google Docs phishing attack had spread like wildfire, compromising the email accounts of those affected.
It was bad news for Google, but probably couldn’t have come at a better time for Microsoft Corporation (NASDAQ:MSFT), who launched the cloud and security focused Windows 10 S the day before.
How the Google Docs Phishing Attack Works
The Google Docs team took to Twitter early yesterday afternoon to warn users of a Google Docs phishing attack that begins as an email invitation to view a shared Google Doc.
The email usually came from a known contact, and the link goes to the legitimate Google sign-in page. As the user logs into their Google account, they’re prompted to authorize something called “Google Docs” to manage their Gmail email account. The problem is “Google Docs” was actually a cleverly named app — nothing to do with Google at all — and once it’s given those permissions, it goes to work.
The victim’s contact list is used to send the Google Docs phishing email to their contacts. And with the privileges to read, send and delete their emails, the “Google Docs” app operators had open access to the email accounts of those affected. That means sensitive information was potentially exposed and in addition, having control of the Gmail account means the potential for online services linked to that account to be compromised.
The genius of this hack is that it made use of genuine Google services instead of trying to re-direct users to a fake website.
Perfect Timing for Microsoft
Google engineers were on the case quickly to shut it down and minimize the damage. Yesterday evening, they posted an update on Twitter:
“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail. If you think you clicked on a fraudulent email, visit g.co/SecurityCheckup and remove apps you don’t recognize.”
Still, the Google Docs phishing attack couldn’t have come at a more perfect time for Microsoft.
Chromebooks running Google’s Chrome OS and using Google Docs have been taking over the educational PC market, pushing out Windows. The big draw is cost, ease of use and security.
On Tuesday, Microsoft launched Windows S to take on Chrome OS and win back that market. Windows 10 S is positioned as being being far more secure than Windows 10, only running apps downloaded from the Windows Store — each of which has been vetted by Microsoft. Of course those trusted apps include Office 365.
As it launches its new security-focused OS aimed at the education market, Microsoft couldn’t have asked for better timing for Google Docs to suffer a large-scale security faceplant.
Aftermath of the Attack
Google is reminding users of the dangers of phishing and pointing out that its services would never request permission to take control of a user’s email account. They are also directing users to a Security Checkup for their accounts that includes checking all the devices logged in with their account credentials to confirm they are legitimate, and adding two-factor authentication.
It goes without saying that anyone who was affected by the scheme should probably change any online account passwords …
Cybersecurity has always been a concern, and yesterday’s Google Docs phishing attack shows that even the services we assume are solid can be vulnerable. The one good thing to come out of these attacks is a strengthening of the affected services to prevent a repeat.
Unfortunately, it can turn into a game of whack-a-mole as the bad guys try new attacks, but if users pay attention and take security more seriously, some overall good can come out of high-profile attacks like yesterday’s Google hack.
As of this writing, Brad Moon did not hold a position in any of the aforementioned securities.
