Spam campaign targets Google users with malicious link

May 3 (Reuters) - Alphabet Inc warned its users to beware of emails from known contacts asking them to click on a link to Google Docs after a large number of people turned to social media to complain that their accounts had been hacked.

Google said on Wednesday that it had taken steps to protect users from the attacks by disabling offending accounts and removing malicious pages.

The attack used a relatively novel approach to phishing, a hacking technique designed to trick users into giving away sensitive information: it gained access to user accounts without needing to obtain their passwords. The attackers did that by getting an already logged-in user to grant access to a malicious application posing as Google Docs.
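The defensive check that follows from this is to watch OAuth consent grants rather than passwords. The code below is an added illustration, not part of the Reuters article or any Google tooling: it scans constructed consent-grant records and flags apps that borrow a first-party name such as "Google Docs" while coming from an untrusted publisher, or that ask for the combination of mail, contacts and document access the article says victims handed over. The record layout, scope names and publisher domains are all assumed values.

```python
# Added example (not from the article): flag third-party OAuth consent
# grants that resemble the "Google Docs" impersonation described above.
# Record format, scope names and publisher domains are constructed.
from dataclasses import dataclass

# Scopes covering the data the article says victims exposed (assumed names).
SENSITIVE_SCOPES = {"mail.readwrite", "contacts.read", "drive.readonly"}
# Product names a malicious client might borrow to look first-party.
IMPERSONATED_NAMES = {"google docs", "google drive", "gmail"}
# Publisher domains we would accept for those names (assumed value).
TRUSTED_PUBLISHERS = {"google.com"}


@dataclass
class GrantEvent:
    user: str
    app_name: str
    publisher: str        # verified publisher domain of the OAuth client
    scopes: frozenset


def score_grant(ev: GrantEvent) -> list:
    """Return the reasons a consent grant looks like consent phishing."""
    reasons = []
    name = ev.app_name.strip().lower()
    if name in IMPERSONATED_NAMES and ev.publisher not in TRUSTED_PUBLISHERS:
        reasons.append("first-party name from untrusted publisher")
    broad = ev.scopes & SENSITIVE_SCOPES
    if len(broad) >= 2:  # one sensitive scope is common; several is not
        reasons.append("broad access: " + ", ".join(sorted(broad)))
    return reasons


def find_suspicious(events) -> dict:
    """Map each user with a suspicious grant to the list of reasons."""
    hits = {}
    for ev in events:
        reasons = score_grant(ev)
        if reasons:
            hits[ev.user] = reasons
    return hits


# Constructed sample: one worm-style grant, one benign vendor, one real Docs.
SAMPLE = [
    GrantEvent("alice", "Google Docs", "example-attacker.test",
               frozenset({"mail.readwrite", "contacts.read", "drive.readonly"})),
    GrantEvent("bob", "Calendar Sync", "calendar-vendor.test",
               frozenset({"calendar.read"})),
    GrantEvent("carol", "Google Docs", "google.com", frozenset({"drive.readonly"})),
]

if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE).items():
        print(user, "->", "; ".join(reasons))
```

Only alice is reported; carol's grant uses the same product name but comes from the trusted publisher with a single scope, so it passes both rules.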

"This is the future of phishing," said Aaron Higbee, chief technology officer at PhishMe Inc. "It gets attackers to their goal ... without having to go through the pain of putting malware on a device."

He said the hackers had also pointed some users to another site, since taken down, that sought to capture their passwords.

Google said its abuse team "is working to prevent this kind of spoofing from happening again."

How to avoid Facebook phishing scams

1. Exercise common sense

Why is somebody offering you something that costs them money to purchase - and to market - for free? Does there seem to be a legitimate reason for the offer? What value does the party giving away the object receive in return? Does that value warrant giving away the object - or is the offer simply too good to be true? As you probably learned as a child - "don't take candy from strangers."

2. Consider how much is being given away

Legitimate giveaways done for marketing purposes are typically inexpensive items, downloadable materials, or extremely small quantities of expensive items to a small percentage of sweepstakes winners selected from a targeted group; any offer that claims to be giving away large numbers of expensive items should raise a red flag as doing so rarely makes sense from a business standpoint, especially if the offer is being promoted to the general public on social media.


3. Check if a page is verified

Most major businesses are verified (with a white check on a blue circle - some small businesses have similar marks that are white on gray), so if an offer is ostensibly coming from a large business and the page from which it is being posted is not verified, that may signal problems. Not all businesses are verified; if you see a post from a business that is not verified, however, you can search on the business's name and see if there is a verified account for the business - if there is, you know that the unverified account is likely fake.


4. Look at the fine print

Legitimate sweepstakes and giveaways always have some sort of "fine print" associated with them; if there are no "Offer Details," "Terms and Conditions," or the like, treat that as a huge red flag.


5. Look for signs of an unprofessional post

Spelling mistakes, grammar mistakes, misuse of idioms, writing that appears to have been auto-translated or written without knowledge of "how people speak," or photos that don't seem to match the post are all red flags. Do you really think a major firm running a marketing campaign doesn't check its content before posting it on Facebook?


6. Check the page's age and what appeared on it prior to the questionable post

It is a bad sign if a page was created right before an offer post was made. Of course, criminals know that people look out for page age, so they may create pages and post for a while before using the page for scams. So look at what content was shared before. Does it make sense coming from the business? Do the comments on those posts make sense? Often there are telltale signs on such pages that something is amiss.


Anybody who granted access to the malicious app unknowingly also gave hackers access to their Google account data including emails, contacts and online documents, according to security experts who reviewed the scheme.

"This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party," said Justin Cappos, a cyber security professor at NYU Tandon School of Engineering.

Cappos said he received seven of those malicious emails in three hours on Wednesday afternoon, an indication that the hackers were using an automated system to perpetuate the attacks.

He said he did not know the objective, but noted that compromised accounts could be used to reset passwords for online banking accounts or provide access to sensitive financial and personal data.

Reporting by Alastair Sharp and Jim Finkle in Toronto; editing by Grant McCool