Security Researchers Warn Of Massive Malware Campaign Aimed At Google Docs Users

Google Docs icons
Google Docs pretty much revolutionized online collaboration when it came about. Instead of having to install clunky network software packages, or worse, use awkward remote desktop features, you could simply send your coworker or collaborator a web link and the two of you could work on a document simultaneously in your browsers. Google's application package certainly wasn't the first (or last) collaborative-editing software, nor even the first to work this way, but it was by far the most accessible given its price: free!

We're speaking in the past tense because we're talking about Google Docs' public release back in 2012, but it's not as if the application suite has become less popular. Thousands of businesses and millions of individuals rely on Google Docs. Naturally, that makes it even more of a massive, delicious target for bad actors than it already was, and Avanan (a security company under the Check Point umbrella) is warning of exactly such a danger.

The specific exploit in this case is pretty simple, and it makes use of features built into Google Docs intended to speed collaboration. Hackers open a public Google document and then add a comment, mentioning someone with an @. This automatically sends an e-mail to that person's inbox that comes from Google itself and contains the full text of the comment, including dangerous phishing or malware links. To make matters worse, the e-mail of the commentor isn't shown; only the name is included, which makes this feature perfect for impersonation attacks.

An example of an attack e-mail. Image: Avanan (click to enlarge)

Avanan says it has seen the attack used primarily targeting Outlook users, although it could be used for any e-mail address that is used to login to a Google account. The security firm says that the hackers it observed attempting this exploit used over 100 different G-mail accounts to create the fishy comments, likely knowing that the entire account would be creamed once Google got wind of its misdeeds.

Because the e-mail comes directly from Google and directly to a specific user, and because the e-mail doesn't contain any e-mail addresses, this specific exploit punches right through most spam filters and content blockers. That makes it an easy way for bad actors to reach into corporate infrastructures that make use of Google Docs. Avanan says it notified Google of the problem on January 3rd.

To deal with these kinds of attacks, you simply need to follow anti-phishing best practices. Don't click on any links in Google Docs comments, or in the e-mails from Google Docs. As Avanan says, remind your users to practice good "cyber-hygiene, including scrutinizing links and inspecting grammar." Finally, if they're not sure, tell them to contact the legitimate sender and ask whether they intended to share that document.