May 3 (Reuters) - Alphabet Inc's Google warned users to beware of emails from known contacts asking them to click on a link to Google Docs, after a large number of people turned to social media to complain that their accounts had been hacked.
Google said on Wednesday that it had taken steps to protect users from the attacks by disabling offending accounts and removing malicious pages.
The attack used a relatively novel approach to phishing, a hacking technique designed to trick users into giving away sensitive information: it gained access to user accounts without needing their passwords. The attackers did that by getting an already logged-in user to grant account access to a malicious third-party application posing as Google Docs, through the same authorization (OAuth) consent screen that legitimate apps use.
"This is the future of phishing," said Aaron Higbee, chief technology officer at PhishMe Inc. "It gets attackers to their goal ... without having to go through the pain of putting malware on a device."
He said the hackers had also pointed some users to another site, since taken down, that sought to capture their passwords.
Google said its abuse team "is working to prevent this kind of spoofing from happening again."
How to avoid Facebook phishing scams
1. Exercise common sense
Why is somebody offering you something that costs them money to purchase - and to market - for free? Does there seem to be a legitimate reason for the offer? What value does the party giving away the object receive in return? Does that value warrant giving away the object - or is the offer simply too good to be true? As you probably learned as a child - "don't take candy from strangers."
2. Consider how much is being given away
Legitimate giveaways done for marketing purposes are typically inexpensive items, downloadable materials, or extremely small quantities of expensive items going to a small percentage of sweepstakes winners selected from a targeted group. Any offer that claims to be giving away large numbers of expensive items should raise a red flag, as doing so rarely makes sense from a business standpoint, especially if the offer is being promoted to the general public on social media.
3. Check if a page is verified
Most major businesses are verified (with a white check on a blue circle; some small businesses have similar marks that are white on gray), so if an offer ostensibly comes from a large business and the page posting it is not verified, that may signal problems. Not all businesses are verified; if you see a post from a business that is not verified, however, you can search for the business's name and see whether there is a verified account for it. If there is, the unverified account is likely fake.
4. Look for the fine print
Legitimate sweepstakes and giveaways always have some sort of "fine print" associated with them; if there are no "Offer Details," "Terms and Conditions," or the like, consider a huge red flag to have been raised.
5. Look for signs of an unprofessional post
Spelling mistakes, grammar mistakes, misuse of idioms, writing that appears to have been auto-translated or written without knowledge of "how people speak," or photos that don't seem to match the post are all red flags. Do you really think a major firm running a marketing campaign doesn't check its content before posting it on Facebook?
6. Check the page's age and what appeared on it prior to the questionable post
It is a bad sign if a page was created right before an offer post was made. Of course, criminals know that people look out for page age, so they may create pages and post for a while before using the page for scams. So look at what content was shared before: does it make sense coming from the business? Do the comments on those posts make sense? Often such pages have tells that something is amiss.
Anybody who granted access to the malicious app unknowingly also gave hackers access to their Google account data including emails, contacts and online documents, according to security experts who reviewed the scheme.
"This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party," said Justin Cappos, a cyber security professor at NYU Tandon School of Engineering.
Cappos said he received seven of those malicious emails in three hours on Wednesday afternoon, an indication that the hackers were using an automated system to perpetuate the attacks.
He said he did not know the objective, but noted that compromised accounts could be used to reset passwords for online banking accounts or provide access to sensitive financial and personal data.
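The mechanism described above, a consent grant to a third-party application rather than a stolen password, is easier to recognize from the artefacts it leaves than from the email itself. The following Python script is an added example, not code from the article, from Reuters or from Google: it pulls the client ID and requested scopes out of an OAuth authorization link of the kind such a lure points at, and flags an app authorization that either names itself after a Google product or asks for mailbox and contact-list access together, the combination that lets a token read a victim's mail and re-send the lure to the victim's contacts. The app names, client IDs, redirect address and sample records are constructed for illustration; the scope strings are Google's real scope identifiers, and the risk ranking is this example's own heuristic, not Google's.

```python
"""Audit helpers for OAuth consent phishing (added example, constructed data).

parse_consent_url(): read client_id / redirect_uri / scopes from a Google
OAuth 2.0 authorization link without fetching anything.
assess_grant():      flag a third-party app grant that impersonates a Google
product or holds a mailbox-plus-contacts scope combination.
"""
from urllib.parse import urlparse, parse_qs

# Real Google API scope strings. Grouping them into "mailbox" and "contacts"
# buckets is this example's own assumption.
MAILBOX_SCOPES = {
    "https://mail.google.com/",                         # full Gmail access
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.google.com/m8/feeds/",                 # legacy Contacts API
}
# A genuine third-party app has no reason to call itself by one of these names.
FIRST_PARTY_NAMES = ("google docs", "google drive", "gmail", "google sheets")


def parse_consent_url(url):
    """Return the OAuth parameters the consent screen would act on, or None
    if the link is not a Google authorization URL at all."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc != "accounts.google.com":
        return None
    if not parts.path.startswith("/o/oauth2/"):
        return None
    q = parse_qs(parts.query)          # decodes %xx and '+' for us
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": set(q.get("scope", [""])[0].split()),   # scope is space-separated
    }


def assess_grant(app_name, client_id, scopes):
    """Return a list of findings for one third-party app authorization.

    The grant lives in a token the user can revoke from the account's
    third-party app permissions page; the password is never involved.
    A real audit would also compare client_id against an allowlist of
    approved apps (assumed, not shown here).
    """
    findings = []
    lowered = app_name.strip().lower()
    if any(lowered == n or lowered.startswith(n + " ") for n in FIRST_PARTY_NAMES):
        findings.append(f"impersonation: third-party client {client_id} is named '{app_name}'")
    has_mail = bool(scopes & MAILBOX_SCOPES)
    has_contacts = bool(scopes & CONTACT_SCOPES)
    if has_mail and has_contacts:
        findings.append("worm-capable: mailbox access plus contact list "
                        "(can read mail and re-send the lure to every contact)")
    elif has_mail:
        findings.append("mailbox access granted")
    return findings


def assess_lure(url, displayed_app_name):
    """Score a consent link together with the app name the consent screen shows."""
    parsed = parse_consent_url(url)
    if parsed is None:
        return ["not a Google authorization link; treat as ordinary credential phishing"]
    return assess_grant(displayed_app_name, parsed["client_id"], parsed["scopes"])


def audit_grants(grants):
    """Map app name -> findings for every record that produced a finding."""
    report = {}
    for g in grants:
        f = assess_grant(g["app"], g["client_id"], g["scopes"])
        if f:
            report[g["app"]] = f
    return report


# Constructed sample data: fake client IDs and a fake redirect host.
SAMPLE_LURE = (
    "https://accounts.google.com/o/oauth2/v2/auth?"
    "client_id=123456789012-fake1.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&state=lure"
)
SAMPLE_GRANTS = [
    {"app": "Google Docs",                       # name shown on the consent screen
     "client_id": "123456789012-fake1.apps.googleusercontent.com",
     "scopes": {"https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"}},
    {"app": "Calendar Sync Helper",
     "client_id": "111111111111-fake2.apps.googleusercontent.com",
     "scopes": {"https://www.googleapis.com/auth/calendar.readonly"}},
]

if __name__ == "__main__":
    for app, findings in audit_grants(SAMPLE_GRANTS).items():
        print(app, "->", "; ".join(findings))
    print("lure:", assess_lure(SAMPLE_LURE, "Google Docs"))
```

Run against the constructed records, only the entry calling itself "Google Docs" is reported, with two findings: the impersonating name and the mailbox-plus-contacts scope pair. The second grant, a calendar-only app, produces nothing. Because the attacker ends up holding a token rather than the password, the remediation for a flagged grant is to revoke that app's access in the account's third-party app permissions.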
Reporting by Alastair Sharp and Jim Finkle in Toronto; editing by Grant McCool