In recent weeks, you may have gotten an email from a family member or colleague saying that they shared a Google Docs file with you. Millions have received it, and you could have been one of them.
If you made the mistake of clicking on the link, your email archive and your contact list could be compromised and the same dangerous message could be heading to them.
What does the email look like?
The email looks just like a regular invitation to view a Google document. It can even come from email addresses that are familiar to you. The one common denominator is that the email is addressed to a throwaway account (email@example.com), while the victims are BCC’d.
There are telltale differences: a real email will include the name of the Google document, and the word “View” will be in bold.
Another way to tell whether the email is fake is to click on the drop-down near “Google Docs”: the developer info is not Google.
What if I Clicked?
Clicking on “Open in Docs” will take you to what looks like a legitimate Google webpage, asking you to grant Google Docs permission to your Gmail account. Clicking “Allow” gives the developer access to your account and everything on it.
This is not the legitimate Google Docs; it was created by a hacker looking to get information from your Google account.
What Does The Worm Do?
The attacker is hoping you will be tricked into creating a legitimate OAuth connection so they can get into your account.
With that connection in place, they can access your email archive and your contact lists, and spam out copies of the message to people in your contacts.
Nothing malicious has been found yet, but as the old saying goes, “It’s better to be safe than sorry.”
If you did not authorize the app, your account should be fine. If you did, the best thing you can do is change your password and back up anything important on your account to a different place.
Thankfully, Google has responded quickly to this worm and has blocked the application from creating new applications.
The best thing to remember from this is to never accept OAuth token requests from an unrequested service or person and regularly check who has access to your accounts through your settings. If you see a suspicious app connection, revoke it immediately.
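The regular review of app connections recommended above can be scripted. The following is an added example, not part of the original article or any Google tool: it flags connections whose name claims a Google product while the developer is not Google, or that give a third party access to mail or contacts. The record fields, the brand list and the sample grants are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Real Google OAuth scopes covering what the page says the app could reach.
SENSITIVE_SCOPES = {"https://mail.google.com/",
                    "https://www.googleapis.com/auth/contacts"}
GOOGLE_BRANDS = ("google", "gmail")        # assumed list of borrowed names
TRUSTED_DEVELOPER_DOMAINS = {"google.com"}  # assumed allow-list


@dataclass
class Grant:  # hypothetical export format for one app connection
    user: str
    display_name: str
    developer_email: str
    scopes: tuple


def review_grant(grant):
    """Return the reasons this connection deserves a manual look."""
    reasons = []
    name = grant.display_name.lower()
    domain = grant.developer_email.rsplit("@", 1)[-1].strip().lower()
    trusted = domain in TRUSTED_DEVELOPER_DOMAINS
    if any(brand in name for brand in GOOGLE_BRANDS) and not trusted:
        reasons.append("name claims a Google product but developer is not Google")
    exposed = SENSITIVE_SCOPES.intersection(grant.scopes)
    if exposed and not trusted:
        reasons.append("third party can reach: " + ", ".join(sorted(exposed)))
    return reasons


def audit(grants):
    """Map (user, app name) to reasons for every connection worth revoking."""
    return {(g.user, g.display_name): r for g in grants if (r := review_grant(g))}


SAMPLE_GRANTS = [  # constructed records, not real data
    Grant("alice@example.com", "Google Docs", "dev@example.net",
          ("https://mail.google.com/", "https://www.googleapis.com/auth/contacts")),
    Grant("carol@example.com", "Google Docs", "support@google.com",
          ("https://www.googleapis.com/auth/drive",)),
    Grant("bob@example.com", "Calendar Helper", "team@example.org",
          ("https://www.googleapis.com/auth/calendar.readonly",)),
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_GRANTS).items():
        print(key, reasons)
```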