Gmail made headlines in early May as a one-hour phishing scam hit users, prompting a rapid response from the search engine company to roll out a secure app update in around 60 minutes.
The attack began when users received a legitimate-looking email purporting to be from a known and trusted contact, asking them to follow a link to edit a Google Doc.
In turn, the linked page prompted users to give permission for a third-party service called ‘Google Docs’ to access their email data.
However, this service was actually part of the phishing attack and, when activated, could harvest the Gmail account’s address book, as well as emailing itself out to more unsuspecting victims.
Google were quick to respond to the vulnerability, putting out an updated Gmail app in around an hour, and claimed that less than 0.1% of Gmail’s user base were believed to have been affected.
They also stressed that the attack, while it was able to read victims’ address books, did not pose any ongoing threat or require any further action on the part of the rightful email account owner.
Phishing attacks in general work by trying to trick email users into revealing personal details – such as login names, passwords and other security information – by masquerading as legitimate requests or links to pages where such information might seem reasonable, such as spoof login screens.
This latest Gmail phishing scam is slightly unusual in that the initial emails appeared to come from trusted sources, while the malicious third-party service had the legitimate-sounding name ‘Google Docs’ in the installation prompt.
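The consent screen described above was the attack's weak point for defenders: a third-party app had been granted mail and contacts permissions under a first-party-looking name. As an added example that is not Google's own tooling, the check below scans a constructed export of OAuth app grants and flags any app whose display name mimics a first-party product without coming from a trusted client ID, or that holds scopes able to read mail or contacts. The client IDs, export format and "trusted" set are assumptions.

```python
# Added example (not Google's code): flag OAuth grants whose display name
# mimics a first-party product while coming from an untrusted client ID.
import re

# Product names a third-party app should never be allowed to borrow.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail"}

# Scopes that let an app read mail or contacts, the data the worm harvested.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

# Fold the commonest digit look-alikes so "G00gle Docs" normalises cleanly.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})


def normalise_name(name: str) -> str:
    """Lower-case, fold look-alike digits, collapse punctuation and spaces."""
    folded = name.lower().translate(_HOMOGLYPHS)
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", folded).split())


def flag_grants(grants, trusted_client_ids):
    """Return {client_id: [reasons]} for every grant that deserves review."""
    findings = {}
    for grant in grants:
        reasons = []
        if (normalise_name(grant["name"]) in FIRST_PARTY_NAMES
                and grant["client_id"] not in trusted_client_ids):
            reasons.append("third-party app using a first-party product name")
        if SENSITIVE_SCOPES & set(grant["scopes"]):
            reasons.append("can read mail and/or contacts")
        if reasons:
            findings[grant["client_id"]] = reasons
    return findings


# Constructed sample of granted apps, as an admin export might list them.
SAMPLE_GRANTS = [
    {"client_id": "trusted-docs-client", "name": "Google Docs",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"client_id": "unknown-client-7f2a", "name": "G00gle  Docs",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"client_id": "meeting-helper", "name": "Meeting Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
TRUSTED_CLIENT_IDS = {"trusted-docs-client"}

if __name__ == "__main__":
    for client_id, why in flag_grants(SAMPLE_GRANTS, TRUSTED_CLIENT_IDS).items():
        print(client_id, "->", "; ".join(why))
```

Only the untrusted "G00gle Docs" grant is reported, with both reasons; the genuine Docs grant and the calendar helper pass.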
As would-be hackers get more sophisticated in spoofing legitimate communications and services, it’s harder to spot an attempted attack, but you can stay safer by thinking carefully about any unexpected invitations from friends to open or edit documents.
Would that person ordinarily ask you to do that? Does the email, the link or the web page it loads look legitimate, or are there any suspicious design flaws or unusual spellings and grammatical errors?
If in doubt, don’t open the link or file attachment until you have double checked with the sender – and if they have no knowledge of the email, consider reporting it to your ISP or email provider as spam.
Google’s Gmail app on Android devices was quickly updated to prompt users when a potentially malicious link is detected in emails, although the search engine giant warned that the update could take three days to roll out to all devices.
While there is also a risk of ‘false positives’ where legitimate links are marked as phishing attacks, it’s important to heed any such warnings and ultimately to make an informed choice about your own security and whether to visit what may be a malicious page.