Technologist - The FindLaw Legal Technology Blog

How Google Shut Down Phishing Scam

Fending off hackers can be like fixing a leaky roof -- as soon as you patch one, another spot springs a leak.

Google managed to recover from a big one last year, then quickly sealed off another last week. The company says it shut down the Google Doc phishing scam in less than an hour.

"Fewer than 0.1 percent of our users were affected by this attack, and we have taken steps to re-secure affected accounts," said Mark Risher, director of counter-abuse technology for the company.

With roughly 1 billion Gmail users, "fewer than 0.1 percent" still means up to about 1 million compromised accounts. That is a far cry from the roughly 1.5 billion Yahoo accounts exposed in that company's breaches, but still ...

How It Worked

Google said the victims received an email that looked like a Google Docs sharing invitation from one of their contacts. The link led not to a document but to Google's real OAuth consent screen for a third-party application the attacker had registered under the name "Google Docs," so the page asked the user to grant that app permission as though it were needed to open the shared document.

In reality, the permissions requested were broad access to the user's Gmail and contacts. Anyone who clicked "Allow" handed the attacker's app an access token for the account, and the app used that access to send the same invitation on to the victim's own contacts, which is how it spread. Unlike most phishing, the Google Docs scam never asked for a password and did not require opening a file or downloading anything; because the consent was granted from an already-signed-in Google session, two-factor authentication offered no protection, and the access persisted until the app's permission was revoked.

Ars Technica reported that researchers had flagged this spoofing risk years earlier, at least one as far back as October 2011. According to the report, the weakness lies in the permissions interface rather than in a software vulnerability: Google's consent screen displays whatever application name the developer chose and does not clearly identify who actually receives the access, so an app calling itself "Google Docs" looks like Google's own.

"I don't think Google fully understood how severely this could be abused, but certainly hackers did," security researcher Greg Carson told the blogsite.
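The lesson of the section above is that the consent page itself was genuine, so the only things a user could have checked were what the link asked for and where the token would be delivered. The following is an added example, not code from the article or from Google: a small inspector that parses an OAuth consent link and flags broad scopes and a non-Google `redirect_uri`. The scope strings are real Google OAuth scopes; the sample URL, its `client_id`, and the `googledocs.example.net` redirect host are constructed placeholders, not identifiers from the 2017 attack.

```python
"""Inspect a Google OAuth consent link before granting it.

Added example, not code from the original article. The sample URL below is
constructed to mirror the pattern described in the text (a real
accounts.google.com consent page for a third-party app named to look like
Google Docs); the client_id and redirect host are placeholders, not the
identifiers used in the 2017 attack.
"""
from urllib.parse import urlparse, parse_qs

# Real Google OAuth scopes that grant broad account access. Any app asking
# for these deserves scrutiny, whatever it calls itself.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to Gmail",
    "https://www.googleapis.com/auth/contacts": "read and modify contacts",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/drive": "full access to Google Drive",
}

GOOGLE_CONSENT_HOSTS = {"accounts.google.com"}


def inspect_consent_url(url: str) -> dict:
    """Return what a consent link actually asks for, plus warning findings."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)  # percent-decodes values for us

    def first(name):
        values = params.get(name, [])
        return values[0] if values else None

    # Scopes arrive space-separated inside a single query parameter.
    scopes = (first("scope") or "").split()
    redirect_uri = first("redirect_uri") or ""
    redirect_host = urlparse(redirect_uri).hostname or ""

    findings = []
    if parsed.hostname not in GOOGLE_CONSENT_HOSTS:
        findings.append(f"consent page is not hosted by Google: {parsed.hostname}")
    # A genuine consent page is exactly the problem in this attack: the thing
    # to check is where the authorization goes, i.e. the redirect_uri host.
    if not (redirect_host == "google.com" or redirect_host.endswith(".google.com")):
        findings.append(
            f"token will be delivered to a third party: {redirect_host or '(missing)'}"
        )
    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            findings.append(f"high-risk scope {scope}: {HIGH_RISK_SCOPES[scope]}")

    return {
        "client_id": first("client_id"),
        "redirect_host": redirect_host,
        "scopes": scopes,
        "findings": findings,
        "safe_to_grant": not findings,
    }


# Constructed sample link in the shape of the 2017 invite (placeholder
# client_id and redirect host; the scope strings are real Google scopes).
SAMPLE_CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fgoogledocs.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&access_type=offline"
)

if __name__ == "__main__":
    report = inspect_consent_url(SAMPLE_CONSENT_URL)
    print(f"app client_id : {report['client_id']}")
    print(f"token goes to : {report['redirect_host']}")
    for finding in report["findings"]:
        print(f"WARNING: {finding}")
```

Run against the constructed link, the inspector reports that the consent page is Google's but the token is bound for `googledocs.example.net` and that the app wants full Gmail plus contacts access, which is the combination a worm needs to read an address book and mail itself onward. A third-party redirect host is not by itself wrong (every legitimate app has one); the point is that it, and the scope list, are the facts the app name on the consent screen hides.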

Cost of Phishing

While Google caught the phishing attack quickly this time, last year it took a bit longer. According to reports, a swindler used forged email, invoices and corporate stamps to collect more than $100 million from Google and Facebook.

"Over a two-year span, the corporate imposter convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars," according to Forbes. "By the time the firms figured out what was going on, (the hacker) had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe."

American businesses lose billions of dollars a year to such scams, according to the FBI, which reported a 2,370 percent increase in identified losses from business email compromise between January 2015 and December 2016.
