SAN FRANCISCO – A phishing campaign targeting Gmail users took place Wednesday, prompting Google, the provider of the service, to disable what it called “offending accounts” that initiated the attack.
Like all phishing practices, the attack was carried out by sending an email to Gmail users, with the attacker pretending to be someone they may know. However, unlike other phishing practices, the email posed as an invitation to join a Google Doc.
After clicking the Google Doc link in the phishing email, users were led to a page that goes to Google.com and were then asked to grant the app that the attacker wrote permission to access their Gmail account, thus exposing all of their emails and contacts.
In addition, the app would send emails on the users’ behalf to other targets, Cooper Quintin, a staff technologist at the Electronic Frontier Foundation, was quoted as saying. And it works whether or not the user has changed their password or has two-factor authentication enabled.
Google issued a statement, saying it has “disabled offending accounts” and “removed the fake pages,” as its abuse team is working to “prevent this kind of spoofing from happening again.”
There is no immediate report on how many Gmail users have been affected.