University of Wisconsin–Madison

How to fix the Google Doc phishing scam

On Wednesday, May 3, a well-crafted phishing scam started appearing in UW-Madison inboxes and elsewhere on the internet. The phish appears to be an invitation to view a Google Doc. The “From” address may be familiar to the recipient; however, the “To” address is always hhhhhhhhhhhhhhhh@mailinator.com.

A button graphic uses Google’s blue and white color scheme and font to imply that clicking will open a file in Google Docs. The recipient’s address appears in the “Bcc:” field.

Example of the Google Docs phishing email, compared to a legitimate Google Doc email

What to do

If you see an email like this, the best advice is to delete or ignore it.

Oops, I clicked it

If you already clicked the “Open in Docs” button and accepted the permissions request, go to https://myaccount.google.com/u/0/permissions?pli=1 and revoke the app’s access. In the list of connected apps, the fake Google Docs app has a Google Drive icon.

What is being done about it?

The UW-Madison Office of Cybersecurity has blocked a list of DNS names related to this phishing email.

DoIT’s Google Apps and WiscMail teams are both aware of the issue and working on ways to block it in their respective services.

Google is aware of the issue and taking strong actions, including automatically finding and removing the fake Google Docs app from Google accounts.
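A mail-filter check built only from the indicators this advisory gives (the fixed mailinator “To” address, the real recipient appearing only via Bcc, and a Google Docs share lure). This is an added example, not DoIT’s or the Office of Cybersecurity’s filter; the two messages are constructed, and local_recipient is assumed to come from the MTA’s envelope.

```python
import email
from email import policy
from email.utils import getaddresses

# Indicators from the advisory: every copy is addressed "To:" this throwaway
# mailinator address, the recipient only appears via Bcc, lure is a Docs share.
PHISH_TO_ADDRESS = "hhhhhhhhhhhhhhhh@mailinator.com"
LURE_PHRASE = "google doc"

def addresses(msg, header):
    """Lower-cased addresses from one header, [] when the header is absent."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]

def classify(raw_message, local_recipient):
    """Check one RFC 5322 message against the advisory's indicators.
    local_recipient is the envelope recipient the MTA delivered to; the
    headers alone cannot reveal a Bcc, so it must come from the MTA."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    to_addrs = addresses(msg, "To")
    visible = to_addrs + addresses(msg, "Cc")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (body.get_content() if body else "") + str(msg["Subject"] or "")
    result = {
        "mailinator_to": PHISH_TO_ADDRESS in to_addrs,
        "recipient_bcc_only": local_recipient.lower() not in visible,
        "google_docs_lure": LURE_PHRASE in text.lower(),
    }
    if result["mailinator_to"]:
        result["verdict"] = "block"   # the fixed indicator alone is decisive
    elif result["recipient_bcc_only"] and result["google_docs_lure"]:
        result["verdict"] = "review"  # Bcc'd share invitation: hold for a human
    else:
        result["verdict"] = "pass"
    return result

# Constructed sample messages (not captured ones); addresses are placeholders.
PHISH_SAMPLE = """\
From: Colleague Name <colleague@example.edu>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: Colleague Name has shared a document on Google Docs with you

Colleague Name has invited you to view the following document: Open in Docs
"""
LEGIT_SAMPLE = """\
From: Colleague Name (via Google Docs) <noreply@example.com>
To: student@example.edu
Subject: Budget notes - Invitation to edit

Colleague Name has invited you to edit the following Google Doc: Budget notes
"""
```

The “review” verdict exists because a legitimate share invitation can also arrive via Bcc, so only the fixed mailinator address is treated as decisive.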

What does the fake email do?

Clicking the link (the “Open in Docs” button) prompts the user to authenticate with their Google credentials and to grant permission to a new app that pretends to be Google Docs. If permission is granted, the app reads the user’s Contacts list and attempts to send the phish to every contact listed.

The user’s Google credentials are not compromised by granting permission to the fake Google Docs app. Changing passwords is not necessary, although it certainly won’t hurt anything either.

How to protect yourself

Find out more about how to spot phishing emails and other online threats, and report any phishing attempts to abuse@wisc.edu.

Sources: isc.sans.edu, vox.com, arstechnica.com, reddit.com