Don't click that Google Docs link! Gmail hijack mail spreads like wildfire

If you get an email today sharing a Google Docs file with you, don't click it – you may accidentally hand over your Gmail inbox and your contacts to a mystery attacker. The phishing campaign really kicked off in a big way on Wednesday morning, US West Coast time. The malicious email contains what appears to be a link to a …

  1. Throatwarbler Mangrove Silver badge
    Stop

    I got mine

    Fortunately it wound up in the Spam folder, so I had to actively seek it out.

    1. bazza Silver badge
      Unhappy

      Re: I got mine

      I've not had one. I think that means I have no friends :-(

      1. bazza Silver badge
        Mushroom

        Re: I got mine

        Ah, had one now. I have a friend!

        Oh, it's from them. How did they get my email address?

      2. phuzz Silver badge
        Happy

        Re: I got mine

        If you didn't get one, it might mean that all your friends are too savvy to click on a link in a random email.

    2. Anonymous Coward
      Anonymous Coward

      Re: I got mine

      "grabs contacts, peeks at inbox, spams everyone"

      Sounds like native Slurp functionality to me. I'm surprised anyone noticed..

      1. Anonymous Coward
        Anonymous Coward

        Re: I got mine

        1) Google doesn't look at your contacts or send you spam. They have an algorithm that scans emails and places ads, rarely, on the top line but even then not in the primary inbox and only in the social and promotional tabs. 2) Do you object to the idea that they may occasionally show you an ad to pay for the massive investments in infrastructure and engineering to build these services? Then pony up a couple of bucks a month and Google will give you an enterprise account with no ads, scanning, etc. If you would rather Google didn't ever show you an ad and you don't want to pay anything, then you're just asking for a free lunch and building things costs money. I don't see what else they could do.

        "I don't like ads so I don't use Google (or, really, the internet in general as everything is ad funded including El Reg being funded by Google ads)" is reasonable. "I don't like ads so I pay to not see them" is reasonable. "Google owes me services and can't ever make money in any way, either directly or indirectly, to pay for those services" is not reasonable.

        1. Terry 6 Silver badge

          Re: I got mine

          Re: AC I sort of agree. I started blocking ads only when they became intrusive. I'm wary of the likes of Google collecting too much data (to sell), that's a step too far beyond showing me ads for stuff. And I feel aggrieved that they are able to do so by having command of the mobile phone business.

        2. MyffyW Silver badge

          Re: I got mine

          Google categorized an email I received from Jeremy Corbyn as "Promotions" - think that might be wishful thinking on Jezza's part.

          1. Anonymous Coward
            Anonymous Coward

            Re: I got mine

            Google classified all e-mails I got from Marine Le Pen's Front National as spam (unlike those from the other candidates). Although I couldn't agree more, I'd like Google to let me choose my own political opinions.

            Ta very much.

            1. fran 2

              Re: I got mine

              I manage a G suite domain, all emails from G suite alerts to end up being classified as spam!

  2. Ian Michael Gumby

    Meh!

    I looked at the message (got it 3 times to 3 different addresses) all from the same guy.

    I Ping'd him to ask if it was real. He said he got hit by the scam.

    Too easy to figure out and avoid.

    But then again... I have a little guy on my shoulder with a pitchfork prodding me every time he sees a con.

    (The angel guy is off at the pub and the devil guy got bored and is my internal paranoid voice... )

    1. Florida1920

      Re: Meh!

      (The angel guy is off at the pub and the devil guy got bored and is my internal paranoid voice... )

      As you've seen, just because you're paranoid, that doesn't mean they're not out to get you.

    2. Anonymous Coward
      Anonymous Coward

      @Ian Michael Gumby, re: shoulder angels...

      You're lucky, Cthulhu is my *good* shoulder angel. Donald Trump is applying for the other one.

      *Cough*

      1. Ian Michael Gumby
        Boffin

        Re: @Ian Michael Gumby, re: shoulder angels...

        Sorry, but the Trump bashing is passe.

        Look he won the election and so far, he's doing a decent job. He'd be doing a better job if the Freedom Party (Really Right Wing Republicans) and the Democratic Party (All of them) Actually sat down and did their job.

        Trump is POTUS, Schumer is a Congress Critter. Free clue to Schumer. You don't ask the mountain to go to Moses. Moses climbs the mountain. Last time I checked. POTUS outranks Congress Critter.

        As to the bad angel (the devil is a fallen angel), he's attached to my shoulder via a spell ...

        And no, I'm not really paranoid. ;-)

  3. Adam 1
    1. Jamie Jones Silver badge

      Bastard!

      1. deathOfRats

        HEY! JAMIE! ... THIS! IS! https://forums.theregister.co.uk/!

        And you have a Silver Badge.

        You should have known better.

    2. Sixtysix
      Joke

      Really...?

      So not cricking that link

  4. Jason Hindle

    Happy to be one of the forty eight percent

    Who don't fall for this shit.

    1. Anonymous Coward
      Anonymous Coward

      Re: Happy to be one of the forty eight percent

      It is kind of odd that more people didn't pick up on this scam. There were several warnings - some crazy email is in the send line. You have to think that most people would find it odd that someone is suddenly sharing a doc with them for no apparent reason. When you click on a shared doc link... it should take you to the doc, instead this has a dialogue where it actually asks you to allow it to take control of your email and your contacts (which doesn't make any sense if you are opening a doc). I get that many people just click allow, allow, allow to get to whatever they are trying to get to, but you would think that if you are receiving a doc from someone you don't expect to be receiving a doc and the doc has no name on the file which makes sense, then you would wonder what this is about and be on alert when it asks you for your contacts and email control.

      1. deathOfRats

        @AC: Re: Happy to be one of the forty eight percent

        Common users applying logic and common sense to an unexpected email with a link|attachment to an unsolicited file|URL?

        That will be the day when I grant them all admin privileges.

        (Edit:) Sorry, forgot to mention about the dialog box thingy, that was a good one. Nearly peed meself.

    2. werdsmith Silver badge

      Re: Happy to be one of the forty eight percent

      0.1% of gmail users.

      Not many then.

  5. danR2

    Is Alphabet's soup losing a few letters?

    I get the impression they are not merely doing more and more shady things, they are doing things more and more fumbley.

    1. Anonymous Coward
      Anonymous Coward

      Re: Is Alphabet's soup losing a few letters?

      How is this a Google screw up? I got an e-mail from my "bank" the other day, with lots of grammatical errors and misspellings, asking me for my credit card number and login information. Man, my bank really screwed up there!

      1. Anonymous Coward
        Anonymous Coward

        Re: Is Alphabet's soup losing a few letters?

        >How is this a Google screw up?

        Well they did allow someone to register a rogue web app named "Google Docs" and then showed that name to unsuspecting users without questioning it first. When Google displays a message to the user then the contents could take on a sense of greater authority than they deserve: users might think "Oh Google is telling me that one of their apps needs access to my account". Most El Reg readers know to be more suspicious, but many regular folks will take it at face value.

        Many websites have filters to prevent people from gaining assumed authority, for example by blocking people from registering screen names which make it sound like they are part of the website operator, for example variations of "admin", "moderator" and "Company Name Here" should be rejected among others. It wouldn't be unreasonable to expect Google to check the app names people register and reject anything which is a third-party attempting to impersonate Google. The name had "Google" as a substring after all, it's not hard to detect.

        That said, Google did well to shut it down quickly so at least they had a decent response.

        Google screw-up aside, I like the rest of your comment ;)
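Added example, not part of the comment above and not Google's actual review logic: one way a platform could screen third-party app display names for reserved brand tokens, going beyond the plain substring case to cover spacing, case, full-width characters and a few look-alike letters. The `RESERVED` list, the `CONFUSABLES` map and the function names are assumptions made for illustration.

```python
import unicodedata

# Assumption: brand tokens the platform reserves for its own first-party apps.
RESERVED = ("google", "gmail")

# Constructed, deliberately small look-alike map (Cyrillic o/e, Greek omicron,
# digits 0/1). A production check would use the full Unicode confusables data.
CONFUSABLES = str.maketrans(
    {"\u043e": "o", "\u0435": "e", "\u03bf": "o", "0": "o", "1": "l"}
)


def skeleton(name):
    """Reduce a display name to a comparable form."""
    # NFKC folds full-width and other compatibility forms to plain letters.
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = folded.translate(CONFUSABLES)
    # NFD splits accented letters so the combining marks can be dropped;
    # spaces and punctuation are dropped by the same isalnum() filter.
    decomposed = unicodedata.normalize("NFD", folded)
    return "".join(ch for ch in decomposed if ch.isalnum())


def impersonates_operator(app_name, first_party=False):
    """Return the reserved token the name collides with, or None.

    first_party is a hypothetical flag set only after the publisher has been
    verified as the platform operator itself.
    """
    if first_party:
        return None
    reduced = skeleton(app_name)
    for token in RESERVED:
        if token in reduced:
            return token
    return None


if __name__ == "__main__":
    for candidate in ("Google Docs", "G00gle Drive", "Team Notes"):
        print(candidate, "->", impersonates_operator(candidate))
```

A hit is a reason to hold the registration for manual review rather than proof of abuse, since the digit mappings also catch some legitimate names.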

        1. danR2

          Re: Is Alphabet's soup losing a few letters?

          It's not a 'screw-up', and that's not what I meant, whatever he meant. It's a phishing vulnerability, and indicative of a growing host of fumbley things Google is doing that go sideways for end-users, some trivial, some inconvenient, most addressed in Google's usual opaque manner. Nor is it just Google, but Facebook and others.

      2. danR2

        Re: Is Alphabet's soup losing a few letters?

        I can take the 'credit' for using an ill-defined word like 'fumbley' so loosely, but can 16 upvoters really have agreed with such a straw-man analogy?

        Nor, I hope, has The Register base fully committed to an about face on the slogan 'biting the hand that feeds IT', especially regarding the biggest cyber-billboard on the planet in the garb of a (increasingly fumbley, ill-mannered, inconsiderate) search-engine.

  6. Anonymous Coward
    Anonymous Coward

    Our users racked up receiving 55 of these at last count. Apparently a lot of K-12 schools in the US use Google resources, and since our customers are school districts, well... let's just say they appear to need a lot of awareness training.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ooooh...

      Agreed - local to me it was two school systems and the YMCA that fell for it.

      We do a bit of email and web hosting at my company, and I updated the spamassassin servers early on to identify and trash the message but some slipped through before then. So tonight I ran a scan against the mail stores deleting the messages and notifying any user that had one of the messages in their mailbox that they were potentially affected. I was surprised at the number of them I found in the SENT folders, as the users seemed intent on forwarding it on to people who weren't initially infected.

      I may be also adding some body rules to weight any messages with links to .pro and .win GTLDs a bit higher. I know it won't help a lot, but I still haven't seen any legitimate traffic originate or link to one of those domains.
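Added example, not the commenter's SpamAssassin rules or scan script: a mail-store sweep of the kind described above, scoring each stored message on the campaign recipient address quoted elsewhere in this thread and on links whose host sits under the .pro or .win gTLDs. The weights, function name and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlsplit

CAMPAIGN_TO = "hhhhhhhhhhhhhhhh@mailinator.com"  # address quoted in this thread
WEIGHTED_TLDS = {"pro", "win"}                   # gTLDs named in the comment
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    if CAMPAIGN_TO in {addr.lower() for _, addr in getaddresses(headers)}:
        score += 5                               # assumed weight
        reasons.append("campaign-recipient")
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                             # skip containers, attachments
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:                   # malformed bracketed host
                continue
            # Judge the host's TLD only, never the path or the query string.
            if host.rsplit(".", 1)[-1] in WEIGHTED_TLDS:
                hosts.add(host)
    for host in sorted(hosts):
        score += 1                               # assumed weight per host
        reasons.append("weighted-tld:" + host)
    return score, reasons


# Constructed sample messages; the host names are placeholders.
PHISH = ("From: Known Contact <contact@example.org>\n"
         "To: hhhhhhhhhhhhhhhh@mailinator.com\n"
         "Subject: shared a document\n\n"
         "Open in Docs: https://docs.constructed-example.win/share?id=1\n")
BENIGN = ("From: Colleague <colleague@example.org>\n"
          "To: user@example.org\n"
          "Subject: report\n\n"
          "See https://www.example.org/files/report.pro for details.\n")

if __name__ == "__main__":
    for sample in (PHISH, BENIGN):
        print(score_message(sample))
```

Running the same function over SENT folders gives the list of users who forwarded the message and need notifying.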

  7. Anonymous Coward
    Anonymous Coward

    Yessss!

    I knew being Johnny-no-mates would pay off.

  8. RyokuMas
    FAIL

    Tut tut tut

    "Apparently no one at Google thought to block someone calling their app Google Docs."

    Due diligence, anyone?

    Tuttity fucking tut.

  9. SnowCrash

    Meraki

    Seem to have added Google to their phishing block list

  10. pitrh

    Never got one. Could I see headers, please?

    I appear to be one of the few who did not get one of these. Nothing on the gmail account I occasionally use for G-ish things, but no sign at my own site either.

    So I'm trying to find out whether some of these were indeed aimed at some of our users but were quietly taken care of by greylisting. If you have any of these messages preserved, would you care to share Received: headers so we can check for any patterns to search for in preserved greylist dumps?

    - Peter

    1. Tomato Krill

      Re: Never got one. Could I see headers, please?

      I think you are missing the obvious - there are presumably (by Google's figures) approximately a million examples at hhhhhhhhhhhhhhhh@mailinator.com, Shirley?

  11. Anonymous Coward
    Anonymous Coward

    Can we assume that this is mainly aimed at those that use the web mail or app interface?

    Anything sent to my g-mail account (I needed one for my tablet to start) is directed to my text only e-mail program and has to pass the bogo filter before it gets to the in box. The fact it is text only either shows the full url for links or blanks them out.

    html e-mail sucks.

  12. Bucky 2

    It's a kind of social commentary

    Okay, wait. It's a mail to hhhhhhhhhhhhhhhh@mailinator.com AND it asks for permission to access your email and your contacts?

    And not only that, but an industry which people expect to be populated by critical thinkers is hardest hit?

    If the press ever needed an example of why it's not someone else's fault that people are losing faith in them, here it is.

  13. DropBear
    FAIL

    Thanks a lot Google...

    ...for "protecting" me by not allowing my Android Gmail app to log in (sync?) at all. I mean it's not like anybody will miss that payment I don't make because I have no idea I received an invoice unless I actually log in via web and check. Oh, and the cherry on the top of the batshit insane fruitcake? The app DOES actually log in and sync if I delete all cache, data, everything, restart the phone etc. - ONCE (just enough to download any new mail), then immediately fails to sync (log in?) any further, with various error messages of pitiful impotence. Considering this has been intermittently going on for days now (likely started since the attack), how about you finally get your shit together and let me read my mail already, Google?!?

    1. Anonymous Coward
      Anonymous Coward

      Re: Thanks a lot Google...

      ... not allowing my Android Gmail app to log in...

      Email on a phone or tablet? There's K9 mail for that. Why the @#@$@ would you use anything else?
