One million Google Docs users caught in phishing scam

Google says it has stopped a phishing email that reached about a million of its users, BBC News reports.

The scam claimed to come from Google Docs – a service that allows people to share and edit documents online. Users who clicked a link and followed instructions, risked giving the hackers access to their email accounts.

In a statement released by the company, Google has said it stopped the attack “within approximately one hour” by “removing fake pages and applications”.

“While contact information was accessed and used by the campaign, our investigations show that no other data was exposed,” Google said in an updated statement.

During the attack, users were sent a deceptive invitation to edit a Google Doc, with a subject line stating a contact “has shared a document on Google Docs with you”.

The email address hhhhhhhhhhhhhhhh@mailinator[.]com was also copied in to the message; Mailinator, a free email service provider has denied any involvement.

If users clicked on the “Open in Docs” button in the email, they were then taken to a real Google-hosted page and asked to allow a seemingly real service, called “Google Docs”, to access their email account data.

According to PC World magazine, the scam was more sophisticated than typical phishing attacks, whereby people trick people into handing over their personal information by posing as a reputable company. This is because the hackers bypassed the need to steal people’s login credentials and instead built a third-party app that leveraged Google processes to gain account access.

Google have said the spam campaign affected “fewer than 0.1%” of Gmail users, which works out at roughly one million users affected.

This attack is the latest in a number of phishing attacks that have affected big internet corporations in recent months.