A wave of “Google Docs” phishing emails infiltrated the world wide web Wednesday afternoon, affecting internet users at Cornell and beyond.
The emails arrived in a user’s mailbox from an anonymous sender claiming to be delivered from a familiar contact. The email contained a convincing invitation to view a “Google Docs” file, with the subject line reading, “________ has shared a document on Google Docs with you,” and the body reading “________ has invited you to view the following document,” similar to an email from an actual invite.
By clicking on the link, users give permission for a malicious app to connect to their Gmail accounts and to access their personal information. The app can also send emails from the impacted account, making it appear that subsequent emails are from that person.
The hack does not only affect Gmail accounts, but any accounts that use Google’s email service, such as Cornell’s Cmail.
Cornell IT posted a security alert about the phish at 3:51 p.m. Wednesday.
“Cornell has taken steps to block the malicious websites,” the alert said. “Users who have clicked the link in an email should change their NetID password. Updates to this alert will be forthcoming.”
“The funny part is that I was actually expecting an email from the person who didn’t realize they were phish-emailing me, so when I opened it I was not expecting it to be [suspicious] at all” Samuel Cantillo ’19 said. “Luckily I was on mobile and the Google Doc thing couldn’t correctly open for me.”
But the phishers did not pull off the perfect scam, leaving several indicators that the “Google Docs” notification was not legitimate.
One way to confirm that the email was malicious is that the email was addressed to “firstname.lastname@example.org.” Another way to tell, according to some who got the phish, is by the layout.
“At first sight it was good enough to fool me,” Cantillo said. “But the layout is pretty off. Google docs usually has the Google doc symbol when someone shares a doc with you – this one didn’t.”
It is unclear who is behind the attack but Google said that it took steps steps to counter the attack.
“We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users,” Google said in a statement to Gizmodo, a technology website. “We protected users from this attack through a combination of automatic and manual actions … We were able to stop the campaign within approximately one hour.”
And while Google admitted that some contact information was accessed, “our investigations show that no other data was exposed.”
“There is no further action users need to take regarding this event,” Google added.