Recently, an email user opened a message and found an invitation to access a Google Doc. The sender’s name and email address were familiar to the recipient, so the person did as instructed. Shortly afterward, the recipient found that a hacker had gained control of his account.
This recipient wasn’t alone in inadvertently handing a hacker control of his account. Many others fell for the same ploy by the people behind this phishing attack.
A phishing attack is a criminal’s attempt to make a target believe a message is from a legitimate source. The message usually contains a link or download disguised as something beneficial, but instead causes great harm. In this Google Doc attack, the victim received a message from an account commandeered by a criminal. The criminal likely gained access to the account and the contacts list in it from a previous phishing attack.
Since the recipient knew the sender of the message, he clicked on the link and followed instructions to download an application called Google Doc. Once downloaded, he authorized the app to manage his email account, including read, write, and delete privileges. This app wasn’t crafted by the well-respected Alphabet company, the owner of Google, but rather by criminals seeking to benefit from unsuspecting targets.
After the message recipient gave email permissions to the app, criminals gained control of his account and everything in it.
Besides using his account for phishing attacks against others, criminals could use that access to gain valuable personal information or reset passwords at other websites the victim frequents, including social media, banking, and shopping sites. The damage a criminal can cause with a stolen email account is mind-blowing, but it can be stopped before it begins.
- If you weren’t expecting a file from someone, contact that person and ask if he or she sent the file. If not, the person’s email account might be compromised. Don’t access any material in the email.
- Don’t download an app just because someone sends you an email telling you to do it. Even if the request is from someone you trust, that person’s account may be compromised, or the person might not realize the harm a particular app might cause. Be skeptical.
- Do your homework. Carefully review the rights and permissions for any application you want to download before you download it. If an app asks for sensitive information or access it shouldn’t need, don’t download it.
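As an added example (not part of the original article), the following Python script shows the kind of permission review the last point recommends, applied to an OAuth consent link like the one this attack used: it reads the scopes an app is asking for and flags those that would grant the read, write, and delete mailbox access described above. The sample URLs and client IDs are constructed; the scope strings are Google's real ones.

```python
from urllib.parse import urlparse, parse_qs

# Real Google OAuth scopes that hand an app the mailbox and contact-list
# access the article describes. An app whose only job is to show a document
# has no business requesting any of these.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/write/delete access to all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and delete mail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/contacts": "read and change the contact list",
    "https://www.googleapis.com/auth/contacts.readonly": "read the contact list",
}

# Scopes that only identify the user; a "view this document" app can justify these.
LOW_RISK_SCOPES = {"openid", "email", "profile"}

# Constructed sample consent links (client_id values are placeholders, not real).
PHISHING_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=FAKE-CLIENT-ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
BENIGN_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=FAKE-CLIENT-ID-2"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=openid%20email%20profile"
)

def requested_scopes(auth_url: str) -> list:
    """Return the space-separated scope list carried in the consent URL."""
    query = parse_qs(urlparse(auth_url).query)
    return query.get("scope", [""])[0].split()

def audit_consent_request(auth_url: str) -> dict:
    """Classify a consent request: deny if it asks for mailbox/contact control,
    review if it asks for scopes this script does not know, allow otherwise."""
    scopes = requested_scopes(auth_url)
    flagged = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    unknown = [s for s in scopes if s not in HIGH_RISK_SCOPES and s not in LOW_RISK_SCOPES]
    verdict = "deny" if flagged else ("review" if unknown else "allow")
    return {"scopes": scopes, "flagged": flagged, "unknown": unknown, "verdict": verdict}

if __name__ == "__main__":
    for url in (PHISHING_CONSENT_URL, BENIGN_CONSENT_URL):
        result = audit_consent_request(url)
        print(result["verdict"], result["flagged"])
```

Run against the first link it reports `deny`, listing full mail access and contact-list access; the second link, which only identifies the user, is allowed.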
Google has taken steps since this attack to prevent it from happening again. Criminals, however, never give up, and you can expect them to launch new attacks aimed at penetrating the defenses of unsuspecting recipients. Don’t become their next victim.
Stay alert, stay skeptical, and follow the advice above to keep a criminal’s dirty hands off your personal account information.