Google Docs spam is making the rounds, so take heed before you read

Update

5:15 ET From Google:

We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.

4:00 ET

After looking at a few of these and seeing investigations from others on Twitter, we have a clearer picture of what's happening.

It appears that a third-party developer has created a service that uses your Google login to authenticate. Somehow this service was able to use the name Google Docs. Attachments that need you to authorize this service are being sent using previously phished Google accounts, and upon clicking you'll be asked to give access to things like reading and sending email (so more phishing emails can be sent) as well as access to your account. While this should be a huge red flag to anyone, it's likely working well for the people doing the account phishing.

Google is aware, so we expect this to stop being a thing shortly. For now, don't authorize any service, and visit your MyAccount page to disconnect access to anything named Google Docs.
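For anyone who looks after more than one account, the same check can be run over an exported list of third-party app grants. This is an added example, not code from Google or from this article: the record fields, the allowlist entry and the sample grants are assumptions made up for illustration, and it flags any third-party app that borrows a first-party product name or asks for mail access.

```python
import unicodedata

# Assumptions: record fields (user, app_name, client_id, scopes) and the
# allowlist entry are hypothetical; map them to your own grant export.
PROTECTED_NAMES = {"googledocs", "googledrive", "gmail"}
TRUSTED_CLIENT_IDS = {"FIRST-PARTY-CLIENT-ID-PLACEHOLDER"}
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
}

def normalize(name):
    """Fold case and compatibility forms; drop spaces and invisible characters."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def classify(grant):
    """Return 'revoke', 'review' or None for one grant record."""
    if grant["client_id"] in TRUSTED_CLIENT_IDS:
        return None
    if normalize(grant["app_name"]) in PROTECTED_NAMES:
        return "revoke"  # third party using a first-party product name
    if MAIL_SCOPES & set(grant["scopes"]):
        return "review"  # can read or send mail; confirm the user meant it
    return None

def triage(grants):
    """Map each action to the (user, app_name) pairs that need it."""
    out = {"revoke": [], "review": []}
    for g in grants:
        action = classify(g)
        if action:
            out[action].append((g["user"], g["app_name"]))
    return out

# Constructed sample data, not taken from any real account.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app_name": "Google Docs", "client_id": "constructed-app-1",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.com", "app_name": "Google\u200b Docs", "client_id": "constructed-app-2",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
    {"user": "carol@example.com", "app_name": "Mail Merge Helper", "client_id": "constructed-app-3",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
    {"user": "dave@example.com", "app_name": "Google Docs", "client_id": "FIRST-PARTY-CLIENT-ID-PLACEHOLDER",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "erin@example.com", "app_name": "Calendar Sync", "client_id": "constructed-app-4",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

if __name__ == "__main__":
    for action, hits in triage(SAMPLE_GRANTS).items():
        for user, app in hits:
            print(f"{action}: {user} -> {app!r}")
```

The name comparison ignores case, spacing and invisible characters, so a zero-width space tucked into "Google Docs" still matches; it does not catch look-alike letters from other alphabets.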

The original post is below.

Have you checked social media lately? There's a bit of buzz making the rounds about Google Docs spam popping up in people's inboxes. The spam comes as an email attachment from even the most legitimate Google Docs users, including educational institutions and other professional organizations that rely on the document-storing cloud service.

Here's your official public service announcement: please check attachments before you open them. Check the address of the person who sent it, and maybe even give the person a call to ask if they sincerely meant to send along a PDF.

There are very few details about what the malware actually does and where it originated, but we've reached out to Google for more information.

Florence Ion was formerly an editor and columnist at Android Central. She writes about Android-powered devices of all types and explores their usefulness in her everyday life. You can follow her on Twitter or watch her Tuesday nights on All About Android.

18 Comments
  • It gives the hacker access to manage your emails, including sending and deleting emails.
  • Google Screwup of the Day
  • What did Google do? LOL
  • It's what they didn't do. But it looks like they'll get around to it. "our abuse team is working to prevent this kind of spoofing from happening again".
  • No offense, but phishing e-mails happen all the time. Google blocked this within 2 hours of my company noticing. I'd say they did their job.
  • Please explain why malware makes people hate the company and not the people who actually make the malware. That seems stupid to me.
  • Because they're not protecting enough, even though they are trying just as much as MSFT. They always attack the top dog.
  • This isn't malware. It asks for permission and only works if you say yes. This is why I preach and preach about reading what you agree to!
  • Hi Jerry. Would sandboxing apps like in iOS prevent this from accessing your email?
  • Android apps are sandboxed exactly the same way. The thing here is that this app asked for permission to access your email and you had to click yes to allow it. It depends on people not reading what they agree to, like a lot of phishing attacks do.
  • For shame Google.. For shame
  • Google didn't do anything. You should read the other articles out there to fully understand what happened. This is not something Google did nor was it a vulnerability of Google's security. People need to read before they click.
  • Thank you for a rational response...not typical, knee-jerk, end-user, panic attacks.
  • Only1Z, I completely agree with you, this is not a Google hit. When the recipient blindly clicks along, then answers questions, it is their fault they get taken advantage of. There is not any way Google nor any platform could have known about this phishing unless someone told them. Folks should not fault the platform, instead they need to fault the person doing the phishing. Phishing e-mails are looking for information, not unlike anyone in person asking someone similar questions.
  • P.T. Barnum said it. "There's a sucker born every minute."
  • Well said!
  • My coworker got this and asked me about it. I pointed out that while the top email address was someone she knew, in the "To" field, it had the hhhhhh@..... and under the XXXXXX sent you a file, it had the person's name misspelled, in two different spots, even though on the email address on top, it was correct. I told her to send an email to the person (not reply) and ask.
  • +1 for your coworker and yourself for actually looking at a thing before clicking yes.