Google takes action after phishing hits many Gmail users
Many Gmail users worldwide have fallen victim to a phishing campaign built around a convincing fake email with a link to a Google Docs document. Whoever clicked the link and approved the access request gave a third party access to their email account. Google has since taken action.
The phishing attempt was convincing because the email appeared to come from one of the recipient's own contacts and because it looked like a sharing notification from Google Docs. Users who clicked the link to open the document landed on Google's own OAuth consent screen, so the page's address was genuine and the usual advice to check the URL gave no warning. On that screen an app calling itself 'Google Docs' asked for permission to access the account; users who approved gave it full control over their email and contacts. In reality, that was a third-party app registered under that name and using the Google Drive logo.
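The lesson of this campaign is that the domain of the consent page tells you nothing: the request itself has to be inspected. The following script is an added example, not code from the article or from Google. It triages an OAuth 2.0 authorization URL together with the app name shown on the consent screen, flagging a third-party client that carries a Google product name and any scope that grants broad mailbox or contact access. The scope identifiers are real Google API scopes; the list of names treated as first-party, the sample URLs, and the placeholder `client_id` and `redirect_uri` values are constructed for this example and are not taken from the real campaign.

```python
from urllib.parse import urlparse, parse_qs

# Google API scope identifiers that hand an app broad mailbox or contact access.
# Which scopes count as "full control" is this example's own triage policy.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
}

# Display names a third-party client should never carry (constructed list).
# Google's own products do not appear as a separately registered app on a
# consent screen, so a client with one of these names is impersonating one.
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail", "google"}

GOOGLE_AUTH_HOST = "accounts.google.com"


def triage_consent_request(url: str, app_name: str) -> dict:
    """Assess one OAuth authorization URL plus the app name shown on the page.

    The app name is not carried in the URL; the caller reads it off the
    consent screen and passes it in. Returns a verdict of "approve",
    "review" or "deny" together with the evidence behind it.
    """
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)

    # 'scope' is a space-separated list and may appear more than once.
    scopes = set()
    for raw in qs.get("scope", []):
        scopes.update(raw.split())
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)

    # Where the authorization code (and so the tokens) will be delivered.
    redirect_host = urlparse(qs.get("redirect_uri", [""])[0]).hostname or ""
    genuine_host = (parsed.hostname or "").lower() == GOOGLE_AUTH_HOST
    impersonation = app_name.strip().lower() in FIRST_PARTY_NAMES

    reasons = []
    if not genuine_host:
        reasons.append(f"consent page is not on {GOOGLE_AUTH_HOST}: {parsed.hostname}")
    if impersonation:
        reasons.append(f"third-party app uses a Google product name: {app_name!r}"
                       + (f", tokens go to {redirect_host}" if redirect_host else ""))
    for s in risky:
        reasons.append(f"high-risk scope: {HIGH_RISK_SCOPES[s]}")

    if not genuine_host or impersonation:
        verdict = "deny"
    elif risky:
        verdict = "review"  # a real mail client needs these; a human decides
    else:
        verdict = "approve"

    return {
        "verdict": verdict,
        "app_name": app_name,
        "redirect_host": redirect_host,
        "risky_scopes": risky,
        "impersonation": impersonation,
        "reasons": reasons,
    }


# Constructed sample in the shape of the 2017 lure: a genuine Google consent
# page for a client calling itself "Google Docs" that asks for full mail and
# contacts access and sends the grant to a third-party host. The client_id
# and redirect_uri are placeholders, not values from the real campaign.
LURE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
    "&access_type=offline"
)

# Constructed sample: an ordinary sign-in request asking only for identity.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=code&scope=openid%20email"
)

if __name__ == "__main__":
    for name, url in (("Google Docs", LURE_URL), ("Example Notes", BENIGN_URL)):
        result = triage_consent_request(url, name)
        print(result["verdict"], result["reasons"])
```

The verdict deliberately separates the two signals: an app that merely asks for a full-mailbox scope is sent to "review", because a legitimate mail client needs exactly that, while a third-party client that presents itself as a Google product is denied outright regardless of scope, since no honest app has a reason to do so.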
Hours after many users had been affected, Gmail took to Twitter with a statement. Because the malicious app had been registered through Google's own OAuth, Google could disable it centrally: anyone who now clicks the link in the phishing email is sent to an error page instead of the consent screen. Google has also revoked the access the app had been granted on every account that approved it, so it can no longer read those users' email. Google refers affected users to its Security Checkup page, where they can see which third-party apps still have access to their account and remove any they do not recognise.
According to Ars Technica, the phishing email was initially sent to a number of journalists, after which it spread quickly. Because victims had granted the app full access to their accounts, it could send the same email to everyone in each victim's address book, which is how it propagated. It is not clear what else the creators of the phishing email did with that access. In principle, they could read all email and contacts on the accounts of the affected users.
Ars Technica's description of the phishing technique