The sophisticated phishing scam spread across the web on Wednesday afternoon, tricking people into giving up access to their Google accounts. Some people, like Reddit user JakeSteam, said the scam is so sophisticated it’s virtually undetectable.
After offering some obvious advice — don’t click on the link — Google tweeted it had wrestled the situation under control.
Phishing, of course, is nothing new and Google users get targeted often. In 2014, a similar scam targeted Docs and Drive users. The current ruse appears to have targeted journalists and educators, according to reports.
This scheme is different because it steals access to the account itself rather than the username and password. The attacker created a rogue app made to look like Google Docs, and unsuspecting victims granted it permission to their accounts.
Granting permission to a Gmail account is the “equivalent to having access to a username and password,” Liam O’Murchu, director of Symantec’s Security Technology and Response group, said in an email. That means victims could have been phished without ever typing in their password.
Once the scheme had tricked a victim, it sent emails to that person’s contact list in hopes of spreading itself. Google has since disabled the fake app.
The scam sent potential victims a link that appeared to be a Google Doc from someone they knew and then directed them to Google’s account selection screen, JakeSteam wrote. The emails looked legitimate but were addressed to “firstname.lastname@example.org.”
Mailinator tweeted that it wasn’t responsible for sending the emails.