Hackers access thousands of e-mail accounts with fake Google Doc link
A large number of Google users have had their accounts hacked after clicking on a Google Docs link that turned out to be malicious.
Users turned to social media to complain, after which Alphabet Inc warned them to beware of emails from known contacts asking them to click on such a link.
Google said on Wednesday that it had taken steps to protect users from the attacks by disabling offending accounts and removing malicious pages.
The attack used a relatively novel approach to phishing, a hacking technique designed to trick users into giving away sensitive information: it gained access to user accounts without needing to obtain their passwords. The attackers achieved this by getting an already logged-in user to grant access to a malicious application posing as Google Docs.
“This is the future of phishing,” said Aaron Higbee, chief technology officer at PhishMe Inc. “It gets attackers to their goal... without having to go through the pain of putting malware on a device.”
He said the hackers had also pointed some users to another site, since taken down, that sought to capture their passwords.
Google said its abuse team “is working to prevent this kind of spoofing from happening again.”
Anybody who granted access to the malicious app unknowingly also gave hackers access to their Google account data including emails, contacts and online documents, according to security experts who reviewed the scheme.
“This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party,” said Justin Cappos, a cyber security professor at NYU Tandon School of Engineering.
Cappos said he received seven of those malicious emails in three hours on Wednesday afternoon, an indication that the hackers were using an automated system to perpetuate the attacks.
He said he did not know the objective, but noted that compromised accounts could be used to reset passwords for online banking accounts or provide access to sensitive financial and personal data.
Meanwhile, German government and industry executives have said that cybercrime is expanding at a rapid rate in the country, but the vast majority of attacks against individuals and companies are not reported.
Markus Koths, head of the cybercrime unit at the German Federal Crime Office, told a conference that the number of cybercrimes reported in 2016 nearly doubled to over 82,000, resulting in damages of over €51m (£43m).
He said that number likely represented just a tenth of all such crimes, which some industry groups had said could range into the millions with damage estimates as high as €22.4bn.
The biggest trend driving the increase was the area of “cybercrime as a service”, with growing numbers of hackers offering hacking services and malicious software on the hidden part of the Internet, or “dark net,” Koths said.
Cybercrime as a service “is the backbone of modern cybercrime,” he said.
Earlier this week UK Prime Minister Theresa May cautioned that cyber-security was essential in ensuring that the upcoming election was a fair fight.