On Wednesday, a huge phishing scam emerged and started spreading around like nobody's business, but Google has since managed to fix it.
The scam worked by letting the attacker obtain contact lists and access Gmail accounts, which were then used to spread the spam further. Users received what looked like a normal Google Docs invite from what appeared to be a familiar contact, but clicking the link in the email granted a third-party app called 'Google Docs' permission to read the user's emails and to email all of their contacts – which is how the message spread.
Google moved quickly, confirming that it had stopped the phishing campaign "within an hour". “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” said a Google spokesperson to The Verge. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”
It is not known how the attacker or attackers were able to mount such a widespread campaign so quickly; all that is apparent is that they relied on a weakness that may have existed for some time. Regardless of how it happened, Google has fixed the problem and is changing its systems to stop developers from creating fake and harmful versions of Google's own products and services.
A statement was issued by Google in the small hours of Thursday morning assuring users that contact information was the only thing the hackers had accessed, and that no further action is required. The statement is published below in its entirety:
We realise people are concerned about their Google accounts, and we're now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 per cent of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.
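The mechanism described above (a third-party app that borrows a first-party product name and is granted access to mail and contacts) and the statement's advice to review connected third-party apps both come down to the same audit: look through the apps attached to an account and flag any that impersonate a product name or hold broad mail/contacts access. The script below is an added example, not code from the article or from Google. The app records are constructed sample data and their field names (`name`, `publisher`, `first_party`, `scopes`) are an assumption for this example; the Gmail and Contacts scope URLs are real Google API scopes, but which scopes count as "broad" and the small homoglyph table are judgement calls made here.

```python
"""Audit apps connected to a mail account: flag apps that present a
first-party product name without being first-party, and apps that hold
broad mail or contacts access. Added example; data below is constructed."""
import unicodedata

# Product names a third-party app should never present as its own.
# Constructed list for this example; extend as needed.
PROTECTED_NAMES = {"googledocs", "googledrive", "gmail", "googlesheets"}

# Real Google API scope URLs that grant mail reading or contact harvesting.
# Treating exactly these as "broad" is a choice made for this example.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# A small hand-picked subset of Cyrillic/Greek look-alikes for Latin letters.
# Not a complete confusables table; unmapped homoglyphs will simply not match.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o",
})


def normalize_name(name: str) -> str:
    """Collapse a display name so spacing, case, zero-width characters and
    the mapped homoglyphs cannot hide a match against PROTECTED_NAMES."""
    text = unicodedata.normalize("NFKC", name).translate(CONFUSABLES)
    # Zero-width and other non-alphanumeric characters are dropped here.
    return "".join(ch for ch in text.casefold() if ch.isalnum())


def audit_connected_apps(apps):
    """Return one finding per suspicious app, listing why it was flagged.
    Severity is 'high' when an app both impersonates a product name and
    holds broad access (the pattern of the campaign), 'medium' otherwise."""
    findings = []
    for app in apps:
        reasons = []
        if not app["first_party"] and normalize_name(app["name"]) in PROTECTED_NAMES:
            reasons.append("third-party app presents a first-party product name")
        broad = sorted(set(app["scopes"]) & BROAD_SCOPES)
        if broad:
            reasons.append("holds broad mail/contacts access: " + ", ".join(broad))
        if reasons:
            findings.append({
                "name": app["name"],
                "publisher": app["publisher"],
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return findings


# Constructed sample inventory; the field names are an assumption, not the
# format of any real Security Checkup export.
CONNECTED_APPS = [
    {"name": "Google Docs", "publisher": "Google", "first_party": True,
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"name": "Google Docs", "publisher": "unverified developer", "first_party": False,
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    # Zero-width space after the G and a Cyrillic 'е' in place of Latin 'e'.
    {"name": "G\u200boogl\u0435 Docs", "publisher": "unverified developer 2",
     "first_party": False,
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"name": "Mail Client Pro", "publisher": "example vendor", "first_party": False,
     "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
    {"name": "Expense Tracker", "publisher": "example vendor", "first_party": False,
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]


if __name__ == "__main__":
    for finding in audit_connected_apps(CONNECTED_APPS):
        print(f"[{finding['severity'].upper()}] {finding['name']!r} "
              f"({finding['publisher']})")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run stand-alone, the script flags the two look-alike 'Google Docs' entries as high severity, the mail client as medium (broad access but an honest name), and leaves the genuine first-party entry and the file-scoped app alone. The point of `normalize_name` is that a display-name check which compares raw strings would miss the zero-width space and homoglyph variant entirely.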