A phishing campaign targeting Gmail users took place Wednesday, prompting Google, the provider of the service, to disable what it called "offending accounts" that initiated the attack.
Like all phishing practices, the attack was carried out by sending an email to Gmail users, with the attacker pretending to be someone they may know. However, unlike other phishing practices, the email posed as an invitation to join a Google Doc.
Once they had clicked on the Google Doc link in the email, users were led to Google.com and were then requested to grant permission to an app the attacker used to access users' Gmail accounts, thus exposing all of their emails and contacts.
The attack used a relatively novel approach to phishing, a hacking technique designed to trick users into giving away sensitive information: it gained access to user accounts without needing to obtain their passwords. The attackers did that by getting an already logged-in user to grant access to a malicious application posing as Google Docs.
"This is the future of phishing," said Aaron Higbee, chief technology officer at PhishMe Inc. "It gets attackers to their goal ... without having to go through the pain of putting malware on a device."
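For defenders, the pattern described above (an app using a Google product name that is granted access to mail and contacts) can be checked for in a list of third-party app grants. The following is an added example, not code from the article or from Google; the scope URLs are Google's published OAuth scope names, which the article does not mention, and the record layout, client IDs and allowlist are constructed assumptions.

```python
import unicodedata

# Assumptions: real Google OAuth scope names; everything else is constructed.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",                  # full Gmail access
    "https://www.googleapis.com/auth/contacts",  # read/write contacts
}
PROTECTED_TERMS = ("google", "gmail")            # brand terms to protect
FIRST_PARTY_CLIENT_IDS = {"first-party-docs.example"}  # placeholder allowlist


def normalize(name):
    """Fold case and Unicode compatibility forms; keep letters and digits."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def review_grant(grant):
    """Return the reasons a single app grant deserves review."""
    reasons = []
    name = normalize(grant["app_name"])
    uses_brand = any(term in name for term in PROTECTED_TERMS)
    if uses_brand and grant["client_id"] not in FIRST_PARTY_CLIENT_IDS:
        reasons.append("brand name used by non-allowlisted client")
    risky = SENSITIVE_SCOPES & set(grant["scopes"])
    if risky:
        reasons.append("sensitive scopes: " + ", ".join(sorted(risky)))
    return reasons


def triage(grants):
    """Map user -> reasons for grants showing both signals (name and scopes)."""
    return {g["user"]: r for g in grants if len(r := review_grant(g)) == 2}


SAMPLE_GRANTS = [  # constructed records
    {"user": "alice", "app_name": "Google Docs", "client_id": "unknown-1.example",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob", "app_name": "Google Docs",
     "client_id": "first-party-docs.example",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "carol", "app_name": "Mail Merge Helper",
     "client_id": "vendor-7.example", "scopes": ["https://mail.google.com/"]},
    {"user": "dave", "app_name": "\uff27oogle  Docs",  # fullwidth G look-alike
     "client_id": "unknown-2.example",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_GRANTS).items():
        print(user, reasons)
```

A grant with only one signal, such as a differently named app holding a mail scope, is left out of `triage` but still reported by `review_grant` for manual review.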