{"id":7521,"date":"2017-05-03T13:11:15","date_gmt":"2017-05-03T21:11:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/03\/news-1306\/"},"modified":"2017-05-03T13:11:15","modified_gmt":"2017-05-03T21:11:15","slug":"news-1306","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/03\/news-1306\/","title":{"rendered":"Google Docs App spam goes phishing"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Wed, 03 May 2017 19:51:53 +0000<\/strong><\/p>\n

There’s a very clever phishing scam going around at the moment – originally thought to be targeting journalists<\/a> given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes<\/a> – from orgs<\/a> to schools\/campuses. This doesn’t mean it didn’t begin with a popped journo mailbox and spread its way out from there or that someone didn’t intentionally send it to a number of journalists of course – but either way, this one has gone viral and not in a “look at the cute cat pic” fashion.<\/p>\n

Here’s how it happens<\/h3>\n

The potential victim receives an email claiming to be from a Mailnator account, which they dispute<\/a>\u00a0is related to their service.<\/p>\n

The email reads as follows:<\/p>\n

\n

Title: [Contact] has shared a document on Google Docs with you<\/strong><\/p>\n

Body: [Contact] has invited you to view the following document<\/strong><\/p>\n<\/blockquote>\n

\"docs<\/a><\/p>\n

Hitting the Google-styled “Open in Docs” button takes the clicker to a genuine Google sign-in page, which is sure to wrong-foot many people:<\/p>\n

\"sign<\/a><\/p>\n

Where this all goes wrong is on the next page, which is where the victim actually gives the app permission to access the account. Somehow, nobody at Google thought of preventing people from calling their apps “Google Docs”.<\/p>\n

\"app<\/a><\/p>\n

\n

Google Docs would like to<\/strong><\/p>\n

Read, send, delete and manage your email<\/strong><\/p>\n

Manage your contacts<\/strong><\/p>\n<\/blockquote>\n

After “Allow” is hit, the spam is then sent on to contacts. While 2FA would normally save you from a phishing attempt, in this case, the victim is willingly giving permission to the app<\/a> so 2FA won’t help – the only solution is to see which apps have been granted permission<\/a> and revoke.<\/p>\n

Here are some of the domains being used for this (all offline at the time of writing, but there may be others):<\/p>\n

\n

Phish domains:
g-cloud[.]pro
docscloud[].win
docscloud[.]download
docscloud[.]info
g-cloud[.]win
g-docs[.]pro
gdocs[.]download
gdocs[.]pro<\/p>\n

\u2014 Andre M. DiMino (@sempersecurus) May 3, 2017<\/a><\/p>\n<\/blockquote>\n

Google is aware<\/a> of the situation and is currently working on it. Meanwhile, Cloudflare leapt into action<\/a> very quickly. We’ll update the post with more information as\u00a0it comes in.<\/p>\n

Christopher Boyd (Thanks to DioDesign<\/a> and\u00a0hrbrmstr<\/a> for <\/em>screens\/data)<\/em><\/p>\n

The post Google Docs App spam goes phishing<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Christopher Boyd| Date: Wed, 03 May 2017 19:51:53 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
There’s a very clever phishing scam going around at the moment involving Google Docs App. Originally thought to be targeting journalists given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes – from orgs to schools\/campuses.<\/p>\n

Categories: <\/p>\n