
How the Phishing Attack Worked

A phishing attack that abused Google Docs sharing invitations hit a large number of Gmail accounts this week. The phishing email was sent from already-compromised Google accounts to other Google accounts for approximately three hours, after which Google intervened directly and stopped all such emails. The email contained an invitation to open a Google Doc. Clicking the link led to Google’s genuine sign-in and consent screen, but for a third-party app that had simply named itself "Google Docs"; that app asked for permission to access the user’s Gmail account and contacts. Because the sender was a real contact and the consent page was hosted by Google, the email was convincing enough to fool some Google users into granting that permission.

What Damage may have Occurred?

Whether the damage was benign or significant depends on what the attackers did with the access they were granted. In the main attack the access was used automatically to resend the same phishing email to all of your Gmail contacts (the secondary damage being the social embarrassment of having phished your own contacts). However, there was a small possibility that the attackers also used the access to your compromised Gmail account to read your emails, reset passwords on other online accounts, or change the account recovery options on your Gmail account. No malware that infected recipient computers was seen in this attack.

What to do if you were (or think you may have been) compromised in this attack?

Google acted very quickly on reports of this phishing attack, stopping all related emails within 3 hours of the outset of the attack.  If you think you may have been compromised, here are four steps to take as soon as possible (Google’s recommendations):

  1. Go to the permissions page of your Google account (https://myaccount.google.com/permissions), which lists the third-party apps that have been granted access to your account.
  2. If you see an app called Google Docs listed there, click on it and revoke its access. The real Google Docs is part of your Google account and never appears in this list as a third-party app, so any entry by that name is the attacker’s.
  3. Then change your password [to something unique], just to be safe.
  4. Enable two-factor authentication (Google calls it 2-Step Verification) on your account as an extra precaution. The simplest form texts a code to the phone number on file for your account, so only a person with both your password and your cellphone can sign in; an authenticator app or a hardware security key is a stronger choice than text messages. Note that two-factor authentication protects your password; it would not have stopped this attack, where you were already signed in and granted the app access yourself, so revoking the app in step 2 is what actually closes the door.

Neoscope’s 2 Additional Recommendations:

  1. Check your account recovery options (recovery phone number and recovery email address) to confirm the attackers did not change them in order to regain access after you changed your password. While you are there, look at Gmail’s forwarding and filter settings for rules you did not create; an attacker with mailbox access can use those to keep receiving your mail.
  2. Immediately change your password at any site where you used the same username and password as on your Gmail account.

Neoscope knows that in the absence of a password manager, people reuse passwords across their online accounts!  If your Gmail account was compromised by this attack, the attackers may keep trying to log into your other accounts even after you have removed their access to Gmail.  One of our favorite password managers – LastPass – once populated with your online accounts, will tell you which accounts reuse your Gmail credentials.  Change those to unique passwords to eliminate this risk now and in the future.

Event Summary:

This was a simple but highly convincing phishing campaign designed to gain access to Gmail accounts, not by capturing passwords but by tricking users into granting a rogue app permission to their account.  Before clicking or opening anything, always be sure you can answer each of these questions with a yes:

1)       Was I expecting this email?

2)       Was this email

  1. addressed to me directly by name?
  2. from someone I know?
  3. from a sending email address that is 100% correct?  (watch for slight variants like g00gle.com)

3)       Are the grammar, spelling and construction of the email correct?

4)       Does my gut tell me there is absolutely nothing wrong with the email?

If you answer NO to any of these, pick up the phone and call the sender to confirm they meant to send you the message; otherwise, delete the message.  Keep in mind that in this attack the message really did come from a contact’s genuine address, so the sender checks passed; what gave it away was that you were not expecting a shared document and the email was not addressed to you directly (recipients were hidden in BCC).
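As an added example (not part of Neoscope’s post), the following Python script applies the checklist above to three constructed messages: one shaped like the Google Docs mail (a real contact’s genuine address, recipient only in BCC), one from a look-alike domain, and one ordinary message. The addresses, the contact list and the trusted-domain set are assumptions made for the demonstration, and the look-alike detection is widened beyond the page’s g00gle.com example to a few common digit-for-letter swaps; the grammar and "gut feeling" questions are left to the human reader.

```python
import email
from email.utils import getaddresses, parseaddr

# Assumed identity, address book and trusted domains for the demonstration
# (not real data from the incident).
MY_ADDRESS = "alice@example.com"
KNOWN_CONTACTS = {"bob@gmail.com"}
TRUSTED_DOMAINS = {"google.com", "gmail.com", "example.com"}

# Digit-for-letter swaps attackers use in look-alike domains (0->o, 1->l, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    An exact trusted domain is not a look-alike, and an unrelated domain is
    not one either: 'g00gle.com' -> 'google.com', 'evil.example' -> None.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    normalised = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return normalised if normalised in trusted else None


def triage(raw_message, me=MY_ADDRESS, contacts=KNOWN_CONTACTS, trusted=TRUSTED_DOMAINS):
    """Apply the checklist to one raw RFC 5322 message and return checks plus a verdict."""
    msg = email.message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    # Only To: and Cc: are visible to the recipient; a BCC'd victim is not
    # "addressed directly", which is how the Google Docs mail looked.
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    checks = {
        "addressed_to_me": me.lower() in visible,
        "from_known_contact": sender in contacts,
        "sender_domain_exact": domain in trusted,
    }
    return {
        "sender": sender,
        "checks": checks,
        "imitates": lookalike_of(domain, trusted),
        "verdict": "ok" if all(checks.values()) else "confirm by phone",
    }


# Constructed sample messages. The first has the shape of the Google Docs mail:
# a real contact's real address, but the victim appears only in BCC.
PHISH_FROM_CONTACT = (
    "From: Bob <bob@gmail.com>\n"
    "To: docs-share@example.net\n"
    "Subject: Bob has shared a document on Google Docs with you\n"
    "\n"
    "Open in Docs\n"
)
LOOKALIKE_SENDER = (
    'From: "Google Docs" <no-reply@g00gle.com>\n'
    "To: alice@example.com\n"
    "Subject: Document shared with you\n"
    "\n"
    "Open in Docs\n"
)
LEGIT = (
    "From: Bob <bob@gmail.com>\n"
    "To: alice@example.com\n"
    "Subject: Re: lunch\n"
    "\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    for name, raw in [("phish from contact", PHISH_FROM_CONTACT),
                      ("look-alike sender", LOOKALIKE_SENDER),
                      ("legit", LEGIT)]:
        print(name, triage(raw))
```

The instructive result is the first message: the sender checks pass, because the account really was compromised, and only the "addressed to me" check fails. That is why "was I expecting this?" carries more weight than sender checks when a worm spreads through genuine accounts.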

Stay safe online!