Google says it has stopped a phishing email that reached about a million of its users.
The scam claimed to come from Google Docs – a service that allows people to share and edit documents online.
Users who clicked a link and followed instructions, risked giving the hackers access to their email accounts.
Google said it had stopped the attack “within approximately one hour”, including through “removing fake pages and applications”.
“While contact information was accessed and used by the campaign, our investigations show that no other data was exposed.
There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”
Google, in an updated statement
During the attack, users were sent a deceptive invitation to edit a Google Doc, with a subject line stating a contact “has shared a document on Google Docs with you”.
If users clicked on the “Open in Docs” button in the email, they were then taken to a real Google-hosted page and asked to allow a seemingly real service, called “Google Docs”, to access their email account data.
By granting permission, users unwittingly allowed hackers to potentially access to their email account, contacts and online documents.
The malware then e-mailed everyone in the victim’s contacts list in order to spread itself.
Google said the spam campaign affected “fewer than 0.1%” of Gmail users. That works out to about one million people affected.
Google is offering advice to concerned users on its Google Docs Twitter account.
For more information about our work, please visit www.safeinwarwickshire.com/cybercrime
Cyber Aware is a cross-government campaign, funded by the National Cyber Security Programme. They aim to measurably and significantly improve the online safety behaviour and confidence of consumers and small businesses (SMEs).
Get Safe Online is the UK’s leading source of factual and easy-to-understand information on online safety. Their website offers advice on how you can protect yourself, your computers and devices, and your business against the likes of fraud, identity theft, viruses and other potential online problems.