A new Google Docs phishing scam just reared its head a few hours ago, and it's spreading like wildfire. Google appears to be taking action to stop it, but in the meantime: be super, super wary of Google Doc invites for now. If you fall for this one (and plenty of otherwise eagle-eyed people have already), it'll blast out the bait to everyone on your contact list.
Here's what you need to know:
- Clicking the link takes you to a real Google-hosted page, with a list of your Google accounts ready to click
- It asks you to select an account and provide an app called "Google Docs" (yes, they were somehow allowed to name a third-party app "Google Docs") with account permissions
- As soon as you click the "ALLOW" button, this not-at-all-actually-Google Docs app now has permission to read your emails and email all your contacts, the latter of which it'll start doing pretty much immediately, spreading the worm to pretty much everyone you've ever emailed.
This one is super sneaky; pretty much the only way to detect it before falling for it is to click the small Google Docs link on the actual Google-hosted page and notice that the developer info seems off.
Zach Latta of Hack Club grabbed a video of the whole flow so you don't have to test fate to see it for yourself:
How do I know if I've been hit? How do I fix it?
Check your Google account's app permissions. There should not be an app called "Google Docs" there; the actual Google Docs has access to your account by default. If you see it listed there, remove it by tapping the label and hitting "Remove".
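For administrators who need to run the same check across many accounts, here is an added example (not part of the original article) that scans OAuth grant records for third-party apps named like a Google product. The record fields follow the Admin SDK Directory API token resource; the name list, sample records and client IDs are constructed placeholders.

```python
import unicodedata

# Product names a third-party OAuth app should never present as its own.
# Assumption: illustrative list; extend it for your environment.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}

# Google OAuth scopes matching the access the article describes:
# full mailbox access and contacts.
RISKY_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}


def normalize(name):
    """Fold case, Unicode compatibility forms and whitespace runs."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def flag_impersonating_grants(grants):
    """Return (user, client_id, risky_scopes) for each suspicious grant.

    The real Google Docs never appears as a granted app, so any grant
    whose display name matches a protected name is reported.
    """
    findings = []
    for g in grants:
        if normalize(g.get("displayText", "")) not in PROTECTED_NAMES:
            continue
        risky = sorted(RISKY_SCOPES.intersection(g.get("scopes", [])))
        findings.append((g["userKey"], g["clientId"], risky))
    return findings


# Constructed sample records; client IDs are placeholders, not real IoCs.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "displayText": "Google Docs",
     "clientId": "EXAMPLE-CLIENT-1.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "displayText": "Calendar Helper",
     "clientId": "EXAMPLE-CLIENT-2.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.com", "displayText": "\uff27oogle  Docs",
     "clientId": "EXAMPLE-CLIENT-3.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
]
```

Each finding names the user and client ID to revoke; an empty scope list in a finding still means an impersonating name and deserves review.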
Update: The Google Docs Twitter account just acknowledged the attack and says they're working on it, but says not to click on things in the meantime.
Update: Google says this specific attack should be blocked now, and they're working on preventing similar attacks moving forward.