New Google Docs phishing scam, almost undetectable : google

Authored by np.reddit.com and submitted by methreethatis

The scam should now be resolved, good job on the speedy resolution Google!

We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail. (source)

I received a phishing email today, and very nearly fell for it. I'll go through the steps here:

Uses the existing Google login system

Is only detectable as fake if you happen to click "Google Docs" whilst granting permission

Replicates itself by sending itself to all your contacts

Bypasses any 2 factor authentication / login alerts

Will send scam emails to everyone you have ever emailed

Google are investigating this as we speak.

How do I know if I've been affected?

If you clicked "Allow", you've been hit. If you didn't click the link, closed the tab first, or pressed deny, you're okay! The app may have removed itself from your account, and may have deleted the sent emails.

What do I do if I've been affected?

Revoke access to "Google Docs" immediately. It may now have a name ending in apps.googleusercontent.com since Google removed it. The real one doesn't need access. Try and see if your account has sent any spam emails, and send a follow-up email linking to this post / with your own advice if so. Inform whoever sent you the email about the spam emails, and that their account is compromised.

All emails have been accessed, and the spam forwarded to all of your contacts. This means they could have all been extracted for reading later. Additionally, password reset emails could have been sent for other services using the infected email address.

This may be the payload, so it may just self replicate, and not do anything nastier. This is not at all confirmed, however, so assume the worst until an official Google statement.

I'm a G Suite sysadmin, what do I do?

The following steps by /u/banden may help, but I can't verify they'll prevent it.
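An added triage example for the two questions the post raises ("How do I know if I've been affected?" and "What do I do if I've been affected?"). It is not code from the post, from /u/banden or from Google. It works on constructed records that mimic the shape of a third-party-app token listing and a sent-mail log; the field names (app_name, client_id, scopes, granted_at, sender, recipient, sent_at), the sample addresses and the thresholds are assumptions for illustration. The two signals it checks come straight from the thread: an OAuth app that calls itself "Google Docs" but lives under apps.googleusercontent.com (the real Docs needs no grant), and a mailbox that suddenly sends to every contact it has.

```python
"""Triage helper for an OAuth-grant phishing worm (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes that let an app read every message and harvest every contact.
# These are the real Google API scope URIs; a self-replicating app needs
# mail access to send and contacts access to know whom to send to.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/contacts",
}

# Display names a third-party client should never carry: a first-party
# Google product does not show up as an external OAuth grant at all.
IMPERSONATED_NAMES = {"google docs", "google drive", "google", "gmail"}

BURST_WINDOW = timedelta(minutes=10)   # assumed replication window
BURST_MIN_RECIPIENTS = 5               # assumed "too many contacts" threshold


def audit_oauth_grants(grants, now):
    """Return grants that look like the worm's app, newest first.

    Flagged: display name impersonates a Google product while the client ID
    sits in the third-party namespace (apps.googleusercontent.com), OR the
    grant holds a high-risk scope and was issued within the last 24 hours.
    """
    flagged = []
    for g in grants:
        name = g["app_name"].strip().lower()
        third_party = g["client_id"].endswith(".apps.googleusercontent.com")
        impersonates = third_party and name in IMPERSONATED_NAMES
        risky = bool(HIGH_RISK_SCOPES & set(g["scopes"]))
        recent = now - g["granted_at"] <= timedelta(hours=24)
        if impersonates or (risky and recent):
            flagged.append(g)
    flagged.sort(key=lambda g: g["granted_at"], reverse=True)
    return flagged


def find_mass_mailing_bursts(sent_log, window, min_recipients):
    """Map sender -> sorted recipients for any sender that mailed at least
    `min_recipients` distinct addresses inside one `window`-long span."""
    by_sender = defaultdict(list)
    for m in sent_log:
        by_sender[m["sender"]].append(m)
    bursts = {}
    for sender, mails in by_sender.items():
        mails.sort(key=lambda m: m["sent_at"])
        start, best = 0, set()
        for end in range(len(mails)):          # sliding time window
            while mails[end]["sent_at"] - mails[start]["sent_at"] > window:
                start += 1
            recipients = {m["recipient"] for m in mails[start:end + 1]}
            if len(recipients) > len(best):
                best = recipients
        if len(best) >= min_recipients:
            bursts[sender] = sorted(best)
    return bursts


# Constructed sample data (not real grants or mail).
NOW = datetime(2017, 5, 3, 21, 0)
SAMPLE_GRANTS = [
    {"app_name": "Google Docs",                       # impersonating worm app
     "client_id": "3465.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"],
     "granted_at": datetime(2017, 5, 3, 19, 30)},
    {"app_name": "Calendar sync tool",                # benign, narrow scope
     "client_id": "9999.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "granted_at": datetime(2016, 1, 1)},
    {"app_name": "Mail backup",                       # risky scope, but old
     "client_id": "1234.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/"],
     "granted_at": datetime(2016, 6, 1)},
]
SAMPLE_SENT_LOG = [
    {"sender": "victim@example.com", "recipient": f"contact{i}@example.com",
     "sent_at": datetime(2017, 5, 3, 19, 31, 10 * i)} for i in range(6)
] + [
    {"sender": "normal@example.com", "recipient": f"friend{i}@example.com",
     "sent_at": datetime(2017, 5, 3, 8 + 4 * i)} for i in range(3)
]


def run_triage(grants=SAMPLE_GRANTS, sent_log=SAMPLE_SENT_LOG, now=NOW):
    """Names of grants to revoke plus senders whose mailbox burst-mailed."""
    return {
        "revoke": [g["app_name"] for g in audit_oauth_grants(grants, now)],
        "bursts": find_mass_mailing_bursts(sent_log, BURST_WINDOW,
                                           BURST_MIN_RECIPIENTS),
    }


if __name__ == "__main__":
    result = run_triage()
    print("revoke these grants:", result["revoke"])
    for sender, rcpts in result["bursts"].items():
        print(f"{sender} burst-mailed {len(rcpts)} contacts; warn them")
```

The grant audit deliberately does not flag "Mail backup": a full-mail scope alone is normal for many legitimate tools, so the recency condition keeps the list short enough to act on during an incident. The burst check is the thing to run over every mailbox in a G Suite domain, since the post notes the worm may delete its own sent mail; a sent-mail log kept outside the mailbox survives that.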

TheShoxter on May 4th, 2017 at 01:49 UTC »

This was hitting everyone in my corporate email, every one, and IT was flipping out. Crazy how fast and deep these can spread.

GringoDeMaio on May 3rd, 2017 at 23:48 UTC »

Damn I work for a pretty small-to-midsized ISP and occasionally see an "oh shit let's fix this right now" event. Usually involves a dozen people on a conference bridge yammering about it while one egghead (I use the term lovingly) actually hammers out the solution.

The idea of the same thing happening at Google, resolving a problem with gmail, just kinda blows my mind. Like obviously this happens at companies large and small, but the scope of it, and the attendant panic and eventual relief, is just beyond what I can comprehend.

_BindersFullOfWomen_ on May 3rd, 2017 at 21:38 UTC »

To clarify, Google deactivated the spammer's account. The method/strategy the spammer used is still available and can still be used by future spammers.