On Wednesday afternoon, countless unsuspecting email users—including reporters from BuzzFeed, Hearst, New York Magazine, Vice, as well as your friends here at Gizmodo Media—received some seemingly legit invites to view a Google Docs file. The email doesn’t look quite right, but anyone who clicks through arrives at a login screen that looks almost indistinguishable from the same screen you’d see if someone actually invited you to a Google Doc. It’s the one with a list of your Google Accounts, and it even matches Google’s recent redesign.
What’s even scarier is that the page has a very real-looking Google.com URL, and clicking on a link to Google Docs appears to confirm the page’s authenticity. It gets worse. That page invites you to choose which account you’d like to use to view the Google Doc, and then you’re taken to a page that invites you to grant access to your Google Account.
If you get an email that looks like the one above, delete it immediately. There’s a good chance that it will appear to have been sent by someone with a legit-looking email address. One Gizmodo reader even shared an email that had come from a .gov email address. This kind of thing is easy to spoof, however.
There are a couple of telltale signs that this email is bullshit. It’s addressed to “hhhhhhhhhhhhhh,” and the email itself doesn’t look quite like the ones that Google sends. That, and the fact that countless members of the media are reporting on Twitter that the email is a phishing scam. (The EFF told Joe Bernstein from BuzzFeed, where some of the earliest emails were spotted, that the attack was not intended to deliver malware but rather hijack credentials, another term for phishing.)
It’s still unclear who’s behind this attack, and we might never know. If we learn anything new, we’ll update this post. We’ve reached out to Google for more information on the attack and will update this post if we hear back.
In the meantime, be safe out there. And maybe don’t click on any Google Doc links for the rest of the week.
If you do get one and open it, here’s what to do:
For those still unscathed, here are a few tips to keep you nice and safe. As for all you innocent bystanders out there panicking after clicking on one of the links, don’t freak out. Take a deep breath and read this carefully. We’ll get through this together.
First, what is it?
People have been reporting getting emails from a known contact seeking to share a Google Doc with them. After clicking the invite and signing into what appears to be an authentic Google sign-in page, the bug then spreads to that person’s contacts…
How can you tell?
One obvious sign that you’ve been targeted is if the email is addressed to something like “firstname.lastname@example.org.” Also, use your judgment. Maybe there is something included in the email that you know is uncharacteristic of that known contact.
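As an added example (not part of the original post), here is a small Python check that applies the two recipient indicators quoted above to a saved raw message and reports why it looks like the mass invite. The sample messages and addresses are constructed for illustration, and the Delivered-To comparison is an assumption about how a hidden-recipient mass mailing shows up in your own inbox.

```python
import email

# Indicator strings quoted in the article; a visible recipient containing one
# of them is a placeholder the sender used instead of your real address.
PLACEHOLDER_RECIPIENTS = ("hhhhhhhhhhhhhh", "firstname.lastname@example.org")


def suspicious_doc_invite(raw_message: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like the mass Docs invite.

    An empty list means none of the checks fired. Only the standard library is
    used, so this runs offline on a message saved from your mail client.
    """
    msg = email.message_from_string(raw_message)
    reasons = []
    # Everyone the sender chose to show; compared case-insensitively.
    visible = " ".join(msg.get(h, "") for h in ("To", "Cc")).lower()
    if any(p in visible for p in PLACEHOLDER_RECIPIENTS):
        reasons.append("addressed to a placeholder recipient")
    # Assumption: the mailbox the message actually landed in is in Delivered-To.
    # If it is absent from To/Cc, we were one of many hidden (Bcc) recipients.
    delivered = msg.get("Delivered-To", "").strip().lower()
    if delivered and delivered not in visible:
        reasons.append("our address is hidden from To/Cc (bulk Bcc)")
    # A genuine share matches this too, so treat it as a weight, not a verdict.
    subject = msg.get("Subject", "").lower()
    if "shared a document" in subject or "google doc" in subject:
        reasons.append("claims to be a Google Docs share")
    return reasons


# Constructed sample messages (not real captures) for a quick offline run.
SUSPICIOUS = """\
Delivered-To: reporter@example.com
From: Known Contact <contact@example.net>
To: hhhhhhhhhhhhhh@example.org
Subject: Known Contact has shared a document on Google Docs with you

Open in Docs
"""

LEGIT = """\
Delivered-To: reporter@example.com
From: Known Contact <contact@example.net>
To: reporter@example.com
Subject: Lunch tomorrow?

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, "->", suspicious_doc_invite(raw) or "no indicators")
```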
How do I avoid being hit?
The answer is simple: Don’t click on any Google Doc invitations for the time being — not from your mother, your father, no one. Again, media reports have said that a lot is still not known about this bug and how it is affecting users.
What do I do if I clicked on the link?
First, don’t beat yourself up; it isn’t a reflection on you. Second, immediately change your password.
Reports are also advising users to go through their Gmail Account Recovery security checklist.
The good news is, it wasn’t malware, which is often much more harmful…
To recap, phishing attacks can usually be thwarted by the user changing his or her password. But make sure to use some numbers and symbols in there. And make sure to do it soon.