
Google Docs Phishing – BEWARE!!

An evil phishing worm masquerading as “Google Docs” is roaming the internet. It sends you an e-mail claiming to be from a friend or relative who wants to share a document with you. Clicking the “Open in Docs” button asks you to log in to Google, then pops up a familiar OAuth request asking for permission. If you click “Allow,” the permissions you grant give it full control over your e-mail and access to all your contacts. The worm then e-mails everyone in your contacts list before doing god-only-knows what else to your e-mail.

The interesting thing about this is just how convincing it is. The e-mail uses the exact same language as a Google Docs sharing e-mail and the exact same “Open” button. Clicking on the link brings up an authentic Google log-in page, served up from Google’s servers. Then you are presented with a real Google OAuth permissions page, also from Google’s servers. The trick is that the app claiming to be “Google Docs” isn’t really Google Docs. The screen shows a third-party app with the name “Google Docs” and a profile picture that matches the Google Docs logo.
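Because every page in the flow is genuinely served by Google, the place to catch this is the list of apps that already hold OAuth grants. The following is an added example, not part of the original post: a review pass that flags a grant when a non-allowlisted client uses a first-party product name or holds mail or contacts scopes. The grant record fields, client IDs, name list and sample data are assumptions made for illustration.

```python
import unicodedata

# Assumption: the scopes behind the "full control over your e-mail" and
# "access to all your contacts" permissions described in the post.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}
# Product names a look-alike app might borrow (illustrative list).
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Constructed placeholder: client IDs you have verified as first-party.
TRUSTED_CLIENT_IDS = {"FIRST-PARTY-CLIENT-ID.example"}
# Zero-width characters that hide inside an otherwise familiar name.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\ufeff"))

def normalize(name):
    """Fold case, compatibility forms, zero-width chars and extra spaces."""
    name = unicodedata.normalize("NFKC", name).translate(ZERO_WIDTH)
    return " ".join(name.casefold().split())

def review_grant(grant):
    """Return the reasons (possibly none) this OAuth grant needs review."""
    if grant["client_id"] in TRUSTED_CLIENT_IDS:
        return []
    reasons = []
    if normalize(grant["app_name"]) in PROTECTED_NAMES:
        reasons.append("display name matches a first-party product")
    risky = HIGH_RISK_SCOPES & set(grant["scopes"])
    if risky:
        reasons.append("third-party app holds: " + ", ".join(sorted(risky)))
    return reasons

def flag_grants(grants):
    """Return (user, reasons) for every grant that needs review."""
    return [(g["user"], r) for g in grants if (r := review_grant(g))]

# Constructed sample grants (not real log data).
SAMPLE_GRANTS = [
    {"user": "alice", "app_name": "Google Docs", "client_id": "UNKNOWN-1.example",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob", "app_name": "Google Docs", "client_id": "FIRST-PARTY-CLIENT-ID.example",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "carol", "app_name": "Calendar Helper", "client_id": "UNKNOWN-2.example",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"user": "dave", "app_name": "\uff27oogle\u200b Docs", "client_id": "UNKNOWN-3.example",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
]

if __name__ == "__main__":
    for user, reasons in flag_grants(SAMPLE_GRANTS):
        print(user, "->", "; ".join(reasons))
```

The name check is what separates the look-alike from an ordinary third-party mail client; the scope check alone would also flag legitimate apps that users knowingly authorized.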
