Attackers Unleash OAuth Worm via ‘Google Docs’ App

1 Million Google Users May Have Fallen for Fake App Spread via Phishing Emails
Score another one for social engineering: A phishing campaign used a bogus “Google Docs” app to trick people into surrendering full access to their Google accounts and contacts. Before Google squashed the campaign, up to 1 million of its users may have fallen victim.

A malicious app that attackers named “Google Docs” has been making the rounds, attempting to trick Google users into logging in and granting the app access permissions to their accounts.

The phishing campaign began with an email to victims from an address they likely would have recognized, according to multiple analyses of the attack that have now been posted online by security researchers. But the campaign quickly turned into a worm, as users authorized the bogus app in droves, allowing it to spread to their own contacts.

Although Google neutered the attack shortly after it appeared, the technology giant – believed to boast about 1 billion users – said that about 0.1 percent of its users were affected. In other words, roughly 1 million individuals may have fallen victim to this phishing campaign.
