Here’s How The Google Docs Scam Managed To Spread Like Wildfire


Many were hit by the “spear phishing” Google Docs scam earlier on Wednesday, a situation that left many scratching their heads and then changing their passwords. It was an annoyance that seemed to come out of nowhere, with Buzzfeed calling it the “fastest-spreading spear phishing attacks in history.” The reason, as reported by Sheera Frenkel, is that the attack bypassed most of the security measures that people have been using to protect themselves. The attack seemed to spread at will, using our own trust in Google against us:

“It worked so well because it bypassed what people who have a basic knowledge of security know not to do. Even though it is incredibly simplistic, it was very effective,” said Collin Anderson, an independent cybersecurity researcher who is studying the attack.

If you had enabled two-step authentication or followed the rules regarding passwords, it did you no good when facing this speedy threat. As reported earlier, everything about the faux links to “Google Docs” seemed perfectly fine. They typically came from people you know, looked official, and even carried the Google name, something that should raise some alarm bells at Google.

The good news, according to Buzzfeed and Electronic Freedom Foundation researcher Cooper Quintin, is that the attack’s speed was also its downfall:

“Other than its wormlike behavior, it’s still unclear what the actual goal of this campaign was,” said Quintin, who added that the campaign was almost “too successful.” So many people clicked on the link, and it so quickly affected people within their address books, that people began tweeting and sharing the viral Google Doc emails within minutes. “It was so successful it probably got shut down way quicker than the attacker had hoped.”

It’s still an example of how our security measures and technological know-how are usually one step behind the “bad guys” out there in the digital realm. It’s also another good reason to refresh yourself on internet security. It’s either that or just stop trusting anybody who sends you an email.

(Via Buzzfeed)