Google is taking steps to warn and notify Gmail users of suspected phishing attacks after Wednesday’s incident, in which a number of individuals fell victim to a scheme involving a nefarious web app posing as a Google Docs invitation. The invite itself would appear to be sent from one of the user’s Gmail contacts and, when opened, it would automatically distribute itself to each one of their contacts as well.
To combat this, Google has pushed out an update to Gmail for Android that issues a warning every time it recognizes a link in an email that appears to be a forgery. They’re not unlike the suspected site warnings in just about every modern browser, and in similar fashion, you’re allowed to “proceed at your own risk” and ignore them if you please.
While Google says the particular attack that was used earlier in the week has since been disabled, it did uncover a vulnerability within Gmail that still remains. As TrendMicro’s Mark Nunnikhoven notes, the method masqueraded as a legitimate Google URL, which allowed it to float undetected by both Gmail and users alike.
“Unlike a typical phishing attack where the goal is to compromise the user’s system,” Nunnikhoven wrote, “the goal here is to compromise their Google Account.”
According to Nunnikhoven, a similar strategy was used last summer to hack the Democratic National Committee. That instance, believed to have been perpetrated by cyber-espionage group Pawn Storm, also leveraged Google’s OAuth authentication system — a technique that appears to be becoming more common among hackers.
As a result, users will only have to become more discerning and careful in screening emails and links. Google account-based invitations aren’t necessarily completely safe anymore, so always question the sender and nature of any links you receive before you click. It could save you — and all your Gmail contacts — a lot of trouble in the future.
