
All your Googles are belong to us: Look out for the Google Docs phishing worm

An e-mail disguised as a Google Docs share is an ingenious bit of malicious phishing.

Don't click.

A widely reported e-mail purporting to be a request to share a Google Docs document is actually a well-disguised phishing attack. It directs the user to a lookalike site and grants the site access to the target's Google credentials. If the victim clicks on the prompt to give the site permission to use Google credentials, the phish then harvests all the contacts in the victim's Gmail address book and adds them to its list of targets.

The phish appears to have been initially targeted at a number of reporters, but it quickly spread widely across the Internet. Some of the sites associated with the attack appear to have been shut down.

The e-mail uses a technique that a Trend Micro report linked last week to Pawn Storm, an ongoing espionage campaign frequently attributed to Russian intelligence operations. The attack uses the OAuth authentication interface, which is also used by many Web services to allow users to log in without using a password. By abusing OAuth, the attack is able to present a legitimate Google dialogue box requesting authorization. However, the authentication also asks permission for access to "view and manage your e-mail" and "view and manage the files in your Google Drive."

The fake application used in the Pawn Storm phish (which posed as a Google security alert) was named "Google Defender." Today's phish asks the target to grant access to "Google Docs"—a fake application using the name of Google's service. If the target grants permission, the malicious site will immediately harvest contacts from the target's e-mail and send copies of the original message to them.

Here's how to spot the fake e-mail:

A view of the link in message source for one phish worm.

  • Your address will appear in the "BCC:" field, not the "To:" field, of the message, though the message will likely come from the e-mail address of someone you know
  • The "To:" address on many of the messages is an address at "mailinator.com"
  • The link to the shared document will, if viewed as "source," appear as a long string of text, including a Google Docs look-alike Web address using a non-standard top-level domain
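The three checks in the list above can be run over a raw message, as in this added example (not code from the article or from Google). The function names, the `google.com` allowlist, the brand regex and the idea that the look-alike address may sit in a query parameter of the long link are assumptions, and the sample message is constructed.

```python
import html
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import parse_qsl, urlsplit

TRUSTED_SUFFIXES = ("google.com",)                # assumption: genuine Docs links live here
BRAND_HINT = re.compile(r"google|g-?docs", re.I)  # heuristic for "looks like Google Docs"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def hosts_in(url, depth=0):
    """Yield the host of url and of any URL nested in its query parameters."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed link text
        return
    if parts.hostname:
        yield parts.hostname.lower()
    if depth < 3:  # bound recursion on hostile input
        for _, value in parse_qsl(parts.query):
            if value.lower().startswith(("http://", "https://")):
                yield from hosts_in(value, depth + 1)

def is_lookalike(host):
    trusted = any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)
    return not trusted and bool(BRAND_HINT.search(host))

def check_message(raw, recipient):
    """Return the indicators from the list above that one raw message shows."""
    msg = message_from_string(raw)
    visible = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    findings = []
    if recipient.lower() not in visible:
        findings.append("recipient_not_in_to_or_cc")  # i.e. delivered via BCC
    if any(addr.endswith("@mailinator.com") for addr in visible):
        findings.append("to_mailinator")
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = html.unescape(part.get_payload(decode=True).decode("utf-8", "replace"))
            hosts.update(h for u in URL_RE.findall(text) for h in hosts_in(u) if is_lookalike(h))
    return findings + [f"lookalike_link:{h}" for h in sorted(hosts)]

# Constructed sample (not a captured message); the addresses and look-alike host are made up.
SAMPLE = """\
To: someone@mailinator.com
Content-Type: text/html; charset="utf-8"

<a href="https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Fgoogledocs.docs-share.example%2Fcb">Open</a>
"""
```

Calling `check_message(SAMPLE, "victim@example.com")` reports all three indicators, while a message addressed directly to the recipient with a `docs.google.com` link reports none.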

[Update, 4:40 pm EDT:] Google has struck hard at the worm. Not only have all the sites associated with the phish been taken offline, but the permissions associated with the worm have been dropped from victims' accounts.

The domains used in the attack were registered through NameCheap, and used a Panama-based privacy service to conceal the registration information. The hostnames were pointed at a server behind Cloudflare's content delivery and denial-of-service protection network.
