Author: John Wilson / Source: Information Security Buzz
Today, cybercriminals launched a highly effective email scam that included a link that appeared to point to a Google Docs document but in fact led to a third-party app designed to steal information from the recipient. Worse, the email appears to come from someone known to the victim. Based on information from the Agari Trust Network, we saw more than 3,016 compromised organizations that sent 23,838 emails to Agari-protected organizations. Based on social media posts and the number of Gmail/G-Suite users, the number of victims is likely unprecedented.
When users click on the Google Docs link, the malicious site uses a Google API to prompt them to give the attackers’ malicious app access to their email account, supposedly to access the document. When users allow access, the malicious app sends the same email to their contacts, spreading itself.
What Should You Do If You Clicked on the Link?
For individual Gmail users:
Go to your Google security settings at https://myaccount.google.com/permissions and remove any apps connected to your account that you don’t recognize. The malicious app was originally called “Google Docs”.
For G-Suite administrators at organizations:
Go to the Google Admin page. Go to Reports > Token, search for any apps installed on May 3rd, and revoke that app. Unfortunately, you have to do this one user at a time if you use the Google admin interface, but at least you can filter by the users who installed something…
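For administrators who export the token audit log instead of paging through the console, the following added example (not from the article or from Google) lists which users still hold a grant for an app named "Google Docs" that was authorized on the day in question. The record layout is assumed to follow the Admin SDK Reports API token activity format, and the sample records, client IDs and the year in the timestamps are constructed.

```python
import json

# Constructed sample records, shaped like Admin SDK Reports API "token"
# activities (field names assumed from that format; all values are made up).
def _rec(time, email, event, app, cid):
    return {"id": {"time": time}, "actor": {"email": email},
            "events": [{"name": event, "parameters": [
                {"name": "app_name", "value": app},
                {"name": "client_id", "value": cid}]}]}

SAMPLE = [
    _rec("2017-05-03T18:40:02Z", "alice@example.com", "authorize", "Google Docs", "cid-constructed-1"),
    _rec("2017-05-03T18:44:31Z", "bob@example.com", "authorize", "Google Docs", "cid-constructed-1"),
    _rec("2017-05-03T18:50:00Z", "carol@example.com", "authorize", "Calendar Sync", "cid-constructed-2"),
    _rec("2017-05-03T19:05:12Z", "alice@example.com", "revoke", "Google Docs", "cid-constructed-1"),
    _rec("2017-04-20T09:00:00Z", "dave@example.com", "authorize", "Google Docs", "cid-constructed-3"),
]

def _events(records):
    """Return (time, user, event name, app_name, client_id) rows in time order."""
    rows = []
    for rec in records:
        for ev in rec.get("events", []):
            p = {x["name"]: x.get("value", "") for x in ev.get("parameters", [])}
            rows.append((rec["id"]["time"], rec["actor"]["email"], ev["name"],
                         p.get("app_name", ""), p.get("client_id", "")))
    return sorted(rows)  # same-format ISO 8601 UTC strings sort chronologically

def users_to_revoke(records, day, app_name):
    """Map client_id -> users still holding a token for an app with the given
    display name that someone authorized on `day` (YYYY-MM-DD, UTC)."""
    rows = _events(records)
    # Step 1: client IDs that used the look-alike name on the day of the campaign.
    suspects = {cid for t, _, ev, app, cid in rows
                if ev == "authorize" and t.startswith(day)
                and app.strip().casefold() == app_name.casefold()}
    # Step 2: replay grants and revocations for those client IDs in order.
    holders = {cid: set() for cid in suspects}
    for _, user, ev, _, cid in rows:
        if cid in holders and ev == "authorize":
            holders[cid].add(user)
        elif cid in holders and ev == "revoke":
            holders[cid].discard(user)
    return {cid: sorted(users) for cid, users in holders.items()}

if __name__ == "__main__":
    print(json.dumps(users_to_revoke(SAMPLE, "2017-05-03", "Google Docs"), indent=2))
```

Timestamps in the export are UTC, so a campaign that straddles midnight locally may need the adjacent day checked as well.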