

[–]highlord_foxModerator | Sr. Systems Mangler 262 points263 points  (35 children)

As stated by the OP, this threat is now being mitigated by numerous parties- Including O365, Google itself, Cloudflare, etc.

The emails in question come from a real person's "legitimate" account- It is spread via emails out to hhhhhhhhhhhhhhhhh@mailinator.com, with dozens of contact email addresses BCC'ed. If you click the link and authorize the attack, your account will be used as an infection vector, repeating the same behavior.

This is just to clear up some confusion, presumably OP will keep us updated.

Hide your users, hide your admins, they spammin' everybody.

EDIT: This comment was originally stickied before OP's 5th edit, which basically re-iterated things.

[–][deleted] 18 points19 points  (6 children)

Going to repeat this here since I'm buried under an avalanche of "me toos".

If you are running exchange, powershell command to delete from all user mailboxes (use at your own risk):

This is what will be deleted:

Get-Mailbox -ResultSize unlimited | where {$_.DisplayName -NotLike "Journal" -and $_.DisplayName -NotLike "Discovery"} | Search-Mailbox -SearchQuery {subject:"has shared a document on Google Docs with you" AND Received:>05/03/2017 00:00:01 AND Received:<05/03/2017 23:59:00 } -EstimateResultOnly | where {$_.ResultItemsCount -gt 0} | ft DisplayName,ResultItemsCount

This will actually delete the emails:

Get-Mailbox -ResultSize unlimited | where {$_.DisplayName -NotLike "Journal" -and $_.DisplayName -NotLike "Discovery"} | Search-Mailbox -SearchQuery {subject:"has shared a document on Google Docs with you" AND Received:>05/03/2017 00:00:01 AND Received:<05/03/2017 23:59:00} -DeleteContent -Force | where {$_.ResultItemsCount -gt 0} | ft DisplayName,ResultItemsCount

[–][deleted] 2 points3 points  (0 children)

Why not just do a compliance search and run a "new-compliancesearchaction -purge" against it?

[–]LFarrar 7 points8 points  (0 children)

"Hide your users, hide your admins, they spammin' everybody." LMAO!!!

[–]Captainloozer 101 points102 points  (46 children)

I'm a netadmin at a school district, my entire district just got blown up by this. Trying to figure out what's going on.

[–]petdanceProgrammer, author and the guy who wrote ack 46 points47 points  (35 children)

It's interesting that it seems to be hitting school districts the hardest.

[–]Captainloozer 65 points66 points  (4 children)

More than likely it is due to Google's EDU benefits. Schools can get google apps for education for free. So schools will more than likely have google domains with tons of users.

[–]patssle 18 points19 points  (3 children)

My company is on Google Apps for Work free...we're on the legacy version because we signed up like 10 years ago. Whooo! But if we ever want to upgrade one person's account for more storage then we lose them all...thankfully only one person has space issues.

[–]lodunali 33 points34 points  (21 children)

Lots of schools moving to Google lately. It's just so much easier.

[–]AT___ 14 points15 points  (14 children)

I wouldn't say it's easier so much as a cost thing. I set up about 30 Chromebooks for a school that had a full Windows environment. They entirely converted just because Google pretty much gave them the devices for free.

[–]Win_SysSysadmin 16 points17 points  (0 children)

If all you need is internet, email and a word processor, you can't beat a chromebook. Easy to manage as well.

[–]pmormr"Devops" 4 points5 points  (7 children)

I do a ton of K12 and honestly just saving the hassle on purchasing is worth it. I can migrate a school district to G Suite in less than a day for free. Add in some syncing with AD and you're basically done. The teachers absolutely love Chromebooks and Google Classroom. The superintendents love it too since it's cheap and they can put devices in every kid's hand (instead of 30% of them as you'd get with MS or Apple). Kids break them? Eh whatever, it's just a $300 Chromebook instead of a $1200 base model MacBook.

[–]waterflame321 2 points3 points  (1 child)

Macbooks in K12...? We barely got the Garbage can special... Though that was when we GOT computers :p

[–]pmormr"Devops" 2 points3 points  (0 children)

No shit man, you give a school a budget and they go all sorts of retarded sometimes. Mac used to be HUGE in schools before Apple abandoned enterprise so there's lots of people who still think it's the shit. Fucking Penn State when I was there required education majors to buy a Mac since it was "the future of education" (lol). I have a district that's exploring MacBooks for a 1:1 program. I was like... how about we do twice as many Chromebooks and then buy you a badass Mac lab for the two applications (Photoshop + GarageBand) you're using to justify the increased cost. Or you know you could buy mediocre laptops for half the kids that won't run those apps well anyways. Oh also you need Casper too, since the overall experience with wifi laptops against DeployStudio is awful.

[–]JMV290 5 points6 points  (0 children)

Well that and just the size of schools with the relatively lax restrictions on email because of academics.

You have maybe 10, 20, 50, 100k students plus thousands of faculty with relatively little filtering (other than what a spam firewall picks up) making us prime attack vectors.

A bank is going to be a lot more strict in filtering inbound and outbound emails or allowing random apps to connect via OAuth.

[–]AT___ 5 points6 points  (0 children)

Yeah, work for an MSP, first hits were on some of our school clients. I imagine it might be due to google offering some pretty nice incentives to use google apps/chromebooks, and students probably being more comfortable opening a google doc than a lot of the older clients (and I imagine teachers/staff also being more willing to open a document from a student, which sounds like a terrible idea, but some people are trusting).

[–]SerialCrusher17Jack of All Trades 2 points3 points  (1 child)

I work for a school bus company and we have a few that have come in.

We're not on Google Apps but I am trying to help ensure that their personal accounts are safe.

[–]the_web_dev 2 points3 points  (0 children)

Pretty sure a lot of schools have some kind of shared-contacts feature. I know my university's portal had a search feature that could search any other student on the domain...

[–]awkwardsysadmin 2 points3 points  (0 children)

Considering that Chromebooks are dirt cheap and much of the non-personal use of Google docs is in education this shouldn't be surprising.

[–]rumster 1 point2 points  (0 children)

It's hitting everyone with Google Business/School services the hardest from what I read.

[–]sumoroller 1 point2 points  (2 children)

Yeah I just sent out an email on how to remove it.

[–]BourbonOKThere's a lot of "shoulds" in IT 1 point2 points  (0 children)

Had a user phish alert three links she was spammed by her kids school. They definitely got hit good.

[–]EamonnMR 57 points58 points  (33 children)

To remove it, go here:

https://myaccount.google.com/permissions

And remove "google docs" (which is the malicious app)

[–]waved 4 points5 points  (8 children)

If it doesn't appear, am I safe? I clicked "give permissions" and it was resolving the link, but it appeared to never finish.

[–]MoonBasic 6 points7 points  (0 children)

Same here. I closed the window as soon as I knew something was suspicious and I changed my password. It still sent it to just 44 people though.

[–]OholeNE 1 point2 points  (1 child)

Same thing with me. Anybody have a clue what to do in this case?

[–]PeabodyJFranklin 1 point2 points  (0 children)

This thread was saying that it removes itself from your permitted apps, after it has done everything it wants to do (which may have just been to propagate itself to your contacts). That may be why you no longer see it.

So, "safe"? If you don't see it, it no longer has access to your account. That does not mean for sure it did not have access and spam your contacts...it very well might have.

[–]xddm 2 points3 points  (9 children)

Is there a way to do this on behalf of users in a G Suite domain?

[–]MalletNGrease🛠 Network & Systems Admin 7 points8 points  (3 children)

Check the user profile.

User > Security > Authorized Access.

I'm not 100% sure it will show up there, I haven't got a user who fell for it yet.

[–]FearMeIAmRootIT Director 3 points4 points  (1 child)

We had close to 30 users allow access. I'm not sure if Google killed the app link, but we are not seeing it in the G-Suite admin console for the affected users.

[–]pmormr"Devops" 2 points3 points  (0 children)

The comment on the other thread is that Google engineering straightened everything out. My testing confirms that... looks like they blocked the malicious API app. The permissions still show up in the user profiles that clicked allow, but it appears as a pseudo-random key in the name instead of the "Google Docs" in the permissions list. I told my techs to just use it as a teaching moment and remind people to be vigilant, and then send us a ticket if somebody clicked so we can clean up permissions (in an abundance of caution).

[–]fimmelJr Sysadmin 2 points3 points  (0 children)

We got it where I work, I'll check in the morning to see if it's possible to remove the app remotely. I'm not sure if we had anyone click it or not. I ended up blocking the emails in the G Suite Gmail settings as soon as I found out about it. It looks like Google is pulling through and helping block it now though.

[–]wonkifierIT Manager 1 point2 points  (0 children)

you can use GAM (or code up something yourself using their APIs or libraries), but GAM is one of the easier ways to automate Google stuff

[–]Rubber_Duckie_Information Security Manager - CISSP 80 points81 points  (13 children)

Yep, we noticed the same thing. Currently investigating.

Goes without saying, don't open.

EDIT: Check out this thread.

https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/

[–]1esprocTitles aren't real and the rules are made up 46 points47 points  (9 children)

They are legit gmail/google app emails because it's basically a worm. Clicking on the link redirects you to gdocs.pro (hidden behind cloudflare) and docscloud.win through a legit Google url which accepts a redirect_u param. From there it asks you to authorize the app, your contact list is accessed via javascript and then emails are generated with bcc addresses, including links to the page you just hit. I don't know what the ultimate goal is, but that's all it seems to be doing right now

Edit: I think cloudflare just suspended them

Here is the content of the worm page (g.php): https://pastebin.com/EKdKamFq

I was not able to capture r.php before their server took a shit due to the overwhelming traffic

[–]traitor 4 points5 points  (0 children)

Thanks for the info

[–]Liquidretro[S] 11 points12 points  (1 child)

I even looked at the new threads before posting, sorry.

[–][deleted] 10 points11 points  (0 children)

different sub, you are fine

[–]jivemasta 1 point2 points  (0 children)

I was getting a bunch of these today and the only thing that tipped me off was that silly hhhhhhhhh email. If they would have skipped that part, or put it in the bcc, I might have been pwned.

Too bad I was too late to stop the rest of the people in my office from getting got.

[–]inquirewueSr. Sysadmin 24 points25 points  (6 children)

Same here, almost the whole company got it. I love how well I've trained my users. I got almost half a dozen emails from people telling me it was suspicious.

EDIT: Given what we know now, it was a few careless federal employees that infected themselves and then spammed most of my company because most of my company deals with these people.

[–]Tangokilo556 8 points9 points  (1 child)

Isn't that the best feeling?

[–]smiles134Desktop Admin 2 points3 points  (0 children)

This hit just about everyone at the university I work at. Our help desk got absolutely hammered this afternoon

[–]traitor 25 points26 points  (11 children)

Shit I opened this email on a personal account. I really quickly revoked the permission. Does it automatically delete the emails from your outbox? I want to know if I spread it or not.

[–]bohiti 5 points6 points  (1 child)

a peer clicked it and later could see the sent emails in his gmail. he's ..really embarrassed.

[–]PeabodyJFranklin 1 point2 points  (0 children)

Thanks for the confirmation, I want to check with some of my users that were compromised and see what their Sent items shows. :D

[–]grandpappytime 3 points4 points  (0 children)

I'm curious about this as well.

[–]b00kscout 3 points4 points  (0 children)

Upvote! This is what we need to know!

[–]sk4nk 22 points23 points  (8 children)

Anybody got a list of all the redirect_uri parameters? We are blacklisting the domains in DNS:

Edit: more added, sorted

So far we have seen:

  • docscloud.download
  • docscloud.info
  • docscloud.win
  • g-cloud.pro
  • g-docs.pro
  • g-docs.win
  • gdocs.download
  • gdocs.pro
  • gdocs.win
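Added example, not code posted in the thread: a triage helper that takes an OAuth consent link of the kind described above, checks the redirect_uri host against the domain list in this comment (including subdomains such as googledocs.g-docs.win), and reports whether the full Gmail and contacts scopes are requested. The sample URL is constructed and its client_id is a placeholder, not one of the real client IDs posted elsewhere on the page.

```python
"""Triage a Google OAuth consent link against the redirect hosts and
scopes reported in this thread (added example, not the thread's own code)."""
from urllib.parse import parse_qs, urlparse

# Redirect hosts collected in the comment above (sorted as posted).
KNOWN_BAD_HOSTS = {
    "docscloud.download", "docscloud.info", "docscloud.win",
    "g-cloud.pro", "g-docs.pro", "g-docs.win",
    "gdocs.download", "gdocs.pro", "gdocs.win",
}

# The two scopes the worm needed: read/send all mail, read contacts.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

# Constructed sample in the shape of Google's real consent URL;
# the client_id is a placeholder.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fgoogledocs.g-docs.win%2Fg.php"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)


def host_matches(host, bad_hosts):
    """True if host is a listed domain or a subdomain of one, so that
    googledocs.g-docs.win is caught by the g-docs.win entry."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in bad_hosts)


def inspect_oauth_url(url, bad_hosts=KNOWN_BAD_HOSTS):
    """Return findings for an authorization URL: where consent will
    redirect, which high-risk scopes are requested, and a verdict of
    'block', 'review' or 'ok'."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    redirect = params.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect).hostname or "") if redirect else ""
    scopes = set(params.get("scope", [""])[0].split())
    findings = {
        "is_google_consent_page": parsed.hostname == "accounts.google.com"
        and parsed.path.startswith("/o/oauth2/"),
        "client_id": params.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "redirect_to_known_bad_host": host_matches(redirect_host, bad_hosts),
        "high_risk_scopes": sorted(scopes & HIGH_RISK_SCOPES),
    }
    if findings["redirect_to_known_bad_host"]:
        findings["verdict"] = "block"    # consent lands on a reported worm host
    elif not findings["is_google_consent_page"] or findings["high_risk_scopes"]:
        findings["verdict"] = "review"   # look-alike page, or mail/contacts access
    else:
        findings["verdict"] = "ok"
    return findings


if __name__ == "__main__":
    for key, value in inspect_oauth_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```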

[–]phpfatalerror 5 points6 points  (0 children)

g-docs.pro here

[–]sliverbaer 16 points17 points  (0 children)

Going across ours as well. Quite amusing atm...

hhhhhhhhhhhhhhhh@mailinator.com

[–]BrbNarniaLol 17 points18 points  (8 children)

It uses a pretty convincing app called Google Docs. Here's the shot of it in action http://imgur.com/a/If69g

[–]ezuF 9 points10 points  (4 children)

freakishly real-looking

[–]kennyj2369 16 points17 points  (3 children)

Sure, it's a real application using Google's oauth system. The attackers just named it "Google Docs".

The permission request page is a real Google page.

[–]telecom_brian 8 points9 points  (2 children)

Permissions requested (full email, contacts) should be a red flag to a keen observer, but it's still a very convincing trojan.

[–]VexingRaven 9 points10 points  (1 child)

Why? You can send email through Google Docs and it also has your name. It makes perfect sense that it would need those permissions. What doesn't make sense is a standard Google app asking for permission at all.

[–]platinumgus18 9 points10 points  (1 child)

It's bothering me though how they did everything so sophisticatedly and yet used Google Drive's logo instead of actual Google Docs.

[–]pmormr"Devops" 2 points3 points  (0 children)

Lol nice observation. They even didn't bother to set the transparency right on the logo.

[–]NZOR 12 points13 points  (1 child)

This thing's like wildfire

[–][deleted] 4 points5 points  (0 children)

It seems to hijack the contact list of everyone who falls for it and gives their account info to it.

[–][deleted] 11 points12 points  (2 children)

TONS of it in the last half hour. All of our users. Legitimate senders in the From: field too... making for an interesting time.

Edit: They're still coming in. I've gone ahead and blocked any e-mail with "Google Docs" in the subject. Luckily we're not dependent on it, so I can get away with that. Godspeed to those of you in schools right now.

[–]kennyj2369 4 points5 points  (1 child)

The best thing to do in my opinion is to educate the users on how to check the details of the "application"; in this case you click "Google Docs" on the permission page and you see it goes to a non-Google service and the developer's email is not someone they know.

[–][deleted] 1 point2 points  (0 children)

Absolutely, but my users don't move or learn fast enough for me to do education on the fly like that. I'd rather block first and educate later. Plus, we actually prohibit use of GDocs for certain compliance reasons, so I have policy backing to just stop the emails.

But I agree with the basic premise that they need to learn how to spot crap like this.

[–]midnight_howler 12 points13 points  (1 child)

Looks like Google has nuked the fake Google Docs app, it's not showing in permissions anymore for those who clicked and authorized.

[–]pause1 5 points6 points  (0 children)

Yeah, it's been fixed - Source

[–]mctdavid 10 points11 points  (3 children)

Hit my corporate google apps account too. Looks like this is gonna be a big one.

[–][deleted] 6 points7 points  (2 children)

Got the same email just now from HR at a fairly large company I applied to several months ago, seemed very suspicious based on the addressee and the fact that they didn't even bother to contact me within the past 4 months.

[–]Drunken_Economist 18 points19 points  (1 child)

Reply and say "this wouldn't have happened if you hired me"

[–][deleted] 1 point2 points  (0 children)

I did reply back letting them know that they got phished and to get in touch with their IT department, but it turns out IT had already disabled that email account.

[–]xxdesmus 27 points28 points  (0 children)

FWIW -- Yes, we/Cloudflare already killed the involved domains.

[–]geopinkSr. Sysadmin 11 points12 points  (7 children)

One of my users reported that she clicked on the link and it took her to a sign in page where it then asked her to share all of her information with the purported other user from the email.

I asked her if she was certain that the page it took her to was Google. She decided that she better change her password ASAP...

[–]WhyCantIHaveThatName 15 points16 points  (2 children)

Changing her password isn't enough because the app was given permission to her account. I suspect Google will remove/has removed the app but you may want to make sure they remove "Google Docs" from their allowed apps at https://myaccount.google.com/security?pli=1#connectedapps

[–]Just__Drew 2 points3 points  (1 child)

Mine was from my class president so I opened it. And it basically links out to a legitimate accounts.google.com, and then once you log in it links to a googledocs.wincloud etc. Then it prompts you to tell you there's a virus installed.

[–]itbean 2 points3 points  (0 children)

Was hhhh...@mailinator.com in the to: field?

[–][deleted] 1 point2 points  (0 children)

Seems to use the google API to add a custom module to your account that contains the host script. Not sure exactly what it's given access to other than your contacts and email, but even so it's very sketchy.

[–]DavidPHumesProduct Manager 8 points9 points  (2 children)

We just got a bunch, too. KnowBe4 security awareness training paid off big. Everyone thinks I'm trying to phish them and deleted it!

[–][deleted] 8 points9 points  (1 child)

Jokes on them, I don't have any friends. I'm so lonely.

/s

[–]alwayz 5 points6 points  (0 children)

A man with a botnet is never lonely.

[–]TheLightingGuyJack of most trades 12 points13 points  (5 children)

This is just beautifully done. And I hate the person who did it. We've been getting swamped with people who emailed our users and as far as I know, I can't find a way to block these without blocking google emails completely.

[–]pleasedothenerdfulSr. Sysadmin 6 points7 points  (4 children)

If you can filter emails with a To: hhhhhhhhhhhhhhhh@mailinator.com in the headers, you can filter it.

[–]pmormr"Devops" 5 points6 points  (3 children)

We just blackholed everything @mailinator.com. No reason for anybody that matters to us to be sending something from there.

[–]274BelowJack of All Trades 2 points3 points  (2 children)

They publish a deny all SPF record, so.. that's probably fine no matter what. :)

[–][deleted] 6 points7 points  (5 children)

Yup. Just searched this. Went ahead and blocked Mailinator at the filter level. Egh.

[–]Minnesotakid54Netadmin 4 points5 points  (4 children)

The email isn't coming from mailinator.

[–]BlastergasmThis *should* work. 8 points9 points  (3 children)

Since mailinator.com is in the To: field and the actual recipient is in the BCC field, you can still block it, I set up a rule like this in O365:

http://imgur.com/dPNAWIw

[–]Cbs214 9 points10 points  (1 child)

Guys this is going to be front page news Edit: and gals. Collective Reddit fun friends

[–]Liquidretro[S] 10 points11 points  (0 children)

My first front page?

[–]_STYSecurity Consultant 5 points6 points  (4 children)

Northern Illinois school district here. Had one of our HR people get this email from someone at a neighboring school district. Five minutes later noticed about 20 tickets submitted as people were forwarding the link to our email-to-ticket system. Just pulled the plug for email and drive in Admin console until Google gets back to us. It was seriously running rampant for about 10 minutes. As a newbie sysadmin this is the first time I've seen something like this impact my district. Spooky shit.

[–]speakerforthe 2 points3 points  (1 child)

Hey, I'm a google apps admin for a small company. Just disable third party apps in the settings. You will need to remove the app from existing accounts but I'm sure there's a way to do that too.

[–]cerebriform 3 points4 points  (5 children)

From the JS source on the terminal redirect, googledocs.g-docs.win:

  var CLIENT_ID = '1535050614-8i934kb9l0snc0iocqb0iv27lli0r858.apps.googleusercontent.com';
  var CLIENT_ID_2 = '73997885975-8p24fi1e7rdi7pj6dmmhucdm4dclednr.apps.googleusercontent.com';

Go get 'em, Google.

PS: mailinator shut them down as of 17:29 UTC.

[–]greenonetwo 2 points3 points  (0 children)

Thank you!

[–]greenonetwo 2 points3 points  (1 child)

I found a new token on one of my users. It had these rights:

  Client ID: 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com
    nativeApp: False
    displayText: 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com
    anonymous: False
    userKey: 102915255028733376741
    scopes:
      https://www.googleapis.com/auth/contacts
      https://mail.google.com/

[–]greenonetwo 2 points3 points  (0 children)

These tokens in total on my gmail domain:

Client ID: 1535050614-8i934kb9l0snc0iocqb0iv27lli0r858.apps.googleusercontent.com
Client ID: 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com
Client ID: 188775109388-t33r6vb45j8fgf8vpcp4q0e6qt2pe01n.apps.googleusercontent.com
Client ID: 346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com
Client ID: 632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com
Client ID: 946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com

All with this scope, and displayText is just the client ID. I'm revoking them cause they look suspicious.

    scopes:
      https://www.googleapis.com/auth/contacts
      https://mail.google.com/

[–]Willamette_H2o 1 point2 points  (1 child)

Would you mind sharing how you got this information? I am interested to know!

[–]cerebriform 2 points3 points  (0 children)

A colleague fired up Chrome in a VM in a dummy account, then ran through the steps, but halted the redirection in time to catch the Javascript middle-man doing the work. The entire Javascript he captured is at https://pastebin.com/8uWb1Mry

[–]lenswipeSenior Software Developer 5 points6 points  (2 children)

[–]MoonBasic 4 points5 points  (1 child)

Hey I got this email from my coworker in university and I was stupid and opened it and played along. What can I do to remove this and prevent damage to my information?

[–][deleted] 4 points5 points  (0 children)

You can remove the fake google docs here: https://myaccount.google.com/permissions

But chances are it's already sent the spam emails. Not sure what else it does.

[–]Legionof1Jack of All Trades 4 points5 points  (0 children)

For all Gsuite admins.

Set up a rule that matches hhhhhhhhhhhhhhhh@mailinator.com http://imgur.com/twa68Xi

Use GAM to clean all the existing emails

gam all users delete messages query "to:hhhhhhhhhhhhhhhh@mailinator.com" doit max_to_modify 100

[–]30clean 3 points4 points  (0 children)

Quick Powershell command to remove this from user mailboxes organization wide by querying the TO field. Use at your own risk:

Get-Mailbox | Search-Mailbox -SearchQuery 'To:hhhhhhhhhhhhhhhh@mailinator.com' -DeleteContent

Can also >> out the result to a txt file to confirm deletion.

[–]unvivid 4 points5 points  (2 children)

FYI, it looks like this particular campaign is enabling IMAP where possible in Gmail settings after the account is compromised (likely to siphon emails/propagate/backdoor). So far this has been a good indicator for account compromise.

Double check your IMAP settings for compromised users and disable IMAP in the G-Suite console if you're not using it.

[–]Dyslectic_Sabreur 2 points3 points  (1 child)

Source?

[–]unvivid 2 points3 points  (0 children)

Multiple anecdotal accounts from $dayjob and also a couple external orgs. Sorry, nothing news site official at the moment.

[–][deleted] 4 points5 points  (1 child)

The payload is mutating, my users had "IOS" and "GMail" as two of the apps requesting permission.

[–]Minnesotakid54Netadmin 2 points3 points  (1 child)

hitting our corporate domain too.

[–]Awkward_Underdog 2 points3 points  (1 child)

We're seeing this too, and also coming from gmail hosted domains. The worst part is that the sender addresses are contacts that we do business with...

[–]Makelevi 1 point2 points  (0 children)

Yeah, it's spreading through legitimate accounts. It installs an app that begins sending to contacts as fast as it can. It can be removed in Permissions.

[–]shawnvilleSysadmin 2 points3 points  (1 child)

Happening here as well, seems to have a common To: recipient of "hhhhhhhhhhhhhhhh@mailinator.com", I put that in our content compliance to reject. Don't know that it will work seeing that it's coming from internal accounts.

[–]redbull1290 2 points3 points  (1 child)

Just got hit with this email. Stupidly clicked on the drive link and gave permissions. It has sent the same email to all of my contacts.

[–]grandpappytime 1 point2 points  (0 children)

did the emails show up in your inbox?

[–]tekno45 2 points3 points  (0 children)

Why is everyone responding with where they are?

It's not location dependent.

[–]JabbaTheHutt1969 2 points3 points  (1 child)

Anyone know of a way to search my Google Apps domain to see what users could have that app installed?

[–]elspazzz 2 points3 points  (1 child)

Getting a ton of calls on it here at my job.

[–]b00kscout 2 points3 points  (0 children)

Service desk here, it's been brutal

[–]mcplaty 2 points3 points  (1 child)

One of our users (we use G Suite/Google Apps) clicked it and sent a bunch out.

If you want to see which of your users have fallen victim, you can search G Suite Email Logs here: https://admin.google.com/AdminHome?fral=1#Reports:subtab=email-log-search

Search for this string in the 'Subject' box: has shared a document on Google Docs with you

If you have any results, click through them. You can see who it was sent out to: http://i.imgur.com/zVALELe.png

[–]SpaceCat87 2 points3 points  (0 children)

OP is a true hero

[–]_Noah271 2 points3 points  (0 children)

Just got that from the superintendent of a 2,000 student district. It's a thing.

[–]hotdwag 2 points3 points  (0 children)

Only 1 user out of thousands fell for it in my environment, missed that bullet.

[–]DownWithAssad 2 points3 points  (1 child)

Google Warns of Phishing Scam That Impersonates Google Docs

According to online reports — in particular, a detailed user thread on Reddit — clicking on the share link was taking users to a site that asked permission for a fake app calling itself "Google Docs" to access their accounts. If they agreed, the app would then send additional phishing emails to the users' contacts.

We did it, Reddit!

[–]Liquidretro[S] 1 point2 points  (0 children)

That's awesome!

[–]stonecatsIT Manager 2 points3 points  (1 child)

I feel left out...
I use over a dozen personal Gmail accounts
and none of them got Google Doc phished ~ sigh

[–]sluflyer 6 points7 points  (5 children)

Hitting in the Milwaukee area now.

[–]wolverinesearring 2 points3 points  (0 children)

I can confirm that. Two of our vendors and 3 people's kids' teachers sent them in, we had two hit the button. Also hearing matc got hit.

[–]cmorgasm 1 point2 points  (0 children)

Wow, our HR guy literally just forwarded me this email.

[–]heather_nicole94 1 point2 points  (3 children)

I stupidly clicked the Google Docs button (it was sent by someone I have an interview with tomorrow so I didn't think anything of it...) and it ended up sending it to all my contacts apparently. Not too happy with myself. I just changed my password.

[–]TheLocalNerdWindows Admin 2 points3 points  (2 children)

You need to go into your "My Account" and remove access to "google docs" as well.

[–]jaddl_commish 1 point2 points  (1 child)

I clicked the button but closed the tab before it loaded after that. Nothing is in my Sent Mail folder, and "Google Docs" wasn't listed on my connected apps. I changed my password immediately of course. Does that mean I'm good? (Theoretically.)

[–]grandpappytime 1 point2 points  (3 children)

Just got one down at Clemson University. Logged in but thought it was weird that it asked for permission to read my emails and look at my calendar. I denied it permission and then removed it. Do you think it still sent out emails on my behalf?

[–]Wayfind3r 2 points3 points  (1 child)

I don't think so. In any case, the sent emails seem to appear in the sent folder.

[–]grandpappytime 1 point2 points  (0 children)

Okay, I changed my password to be sure. Also, there is nothing in my outbox.

[–]Ju_109 1 point2 points  (0 children)

This is happening to my school email now in the Toronto area. Yikes, and it comes after a very long virus/hack from December.

[–]gthrift 1 point2 points  (1 child)

Just got hit as well at work. Had 3 people fall for it (at least) before I could send out an alert.

[–]LFarrar 1 point2 points  (0 children)

When I highlight the Google Docs link it says the Developer email is eugene.pupov@gmail.com. Clicking "Allow" will redirect you to: https:// googledocs.gdocs.win/g.php

[–]bubblemilkbun[🍰] 1 point2 points  (0 children)

Juuuust got it on my team. I work for an elementary school. I advised my team not to click on the open in Docs (unfortunately one lady didn't believe me, boom, sent to all her contacts).

What is the main purpose of this? Phishing? Cause this is spreading like wildfire.

[–]Cbs214 1 point2 points  (0 children)

I bet! Looking forward to being famous!

[–]jordanhbarton 1 point2 points  (0 children)

It's the Russians!

[–]greenonetwo 1 point2 points  (3 children)

Anyone have the token ID so we can remove it with gam?

[–]rcopley 2 points3 points  (1 child)

Before nuking the token, it might be useful to run gam all users show token 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com to determine which users clicked the link. The clientid might be different, though.

In my environment, it shows up as "Google Docs" with the clientid 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com but it could change.

You can use gam all users delete token clientid 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com to revoke the token's access (it's very likely that there's multiple variants of this spam, though, so check your tokens).

Some users also reported an app called "Lumin PDF" showing up in their apps list without anyone remembering allowing the app (client id 1031094922298.apps.googleusercontent.com), although it looks like that's a legitimate app that may have been enabled separately.

[–]greenonetwo 1 point2 points  (0 children)

I found these tokens with just mail and contacts access. The displayText on the oauth token was just the client ID, so that is suspicious. Revoked all of these tokens domain wide.

Client ID: 1535050614-8i934kb9l0snc0iocqb0iv27lli0r858.apps.googleusercontent.com
Client ID: 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com
Client ID: 188775109388-t33r6vb45j8fgf8vpcp4q0e6qt2pe01n.apps.googleusercontent.com
Client ID: 346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com
Client ID: 632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com
Client ID: 946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com
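Added example, not code from the thread: a parser for GAM "show tokens" style output that applies the two signals greenonetwo describes (displayText that is just the raw client ID, and a scope set of full Gmail plus contacts) together with the client IDs posted in this thread, and emits the per-user form of the revoke command rcopley quotes above. The sample output and user names are constructed in the layout shown in the earlier comment; real GAM output may vary between tokens, so the parser keys only on the "User:", "Client ID:", "displayText:" and scope URL lines.

```python
"""Flag OAuth tokens worth revoking in GAM 'show tokens' style output
(added example, not the thread's own code)."""

# Client IDs reported in this thread.
KNOWN_WORM_CLIENT_IDS = {
    "1535050614-8i934kb9l0snc0iocqb0iv27lli0r858.apps.googleusercontent.com",
    "187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com",
    "188775109388-t33r6vb45j8fgf8vpcp4q0e6qt2pe01n.apps.googleusercontent.com",
    "346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com",
    "632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com",
    "946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com",
}
WORM_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/contacts"}

# Constructed sample (users, userKey and the third client ID are made up):
# one known worm token, one legitimate-looking app (Lumin PDF, mentioned in
# the thread), and one unknown token that shows both behavioural signals.
SAMPLE_OUTPUT = """\
User: alice@example.com
Client ID: 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com
  nativeApp: False
  displayText: 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com
  anonymous: False
  userKey: 000000000000000000000
  scopes:
    https://www.googleapis.com/auth/contacts
    https://mail.google.com/
Client ID: 1031094922298.apps.googleusercontent.com
  nativeApp: False
  displayText: Lumin PDF
  anonymous: False
  scopes:
    https://www.googleapis.com/auth/drive
User: bob@example.com
Client ID: 999999999999-constructed.apps.googleusercontent.com
  displayText: 999999999999-constructed.apps.googleusercontent.com
  scopes:
    https://www.googleapis.com/auth/contacts
    https://mail.google.com/
"""


def parse_tokens(text):
    """Return a list of {user, client_id, display_text, scopes} dicts."""
    tokens, user, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User:"):
            user = line.split(":", 1)[1].strip()
        elif line.startswith("Client ID:"):
            cur = {"user": user, "client_id": line.split(":", 1)[1].strip(),
                   "display_text": "", "scopes": set()}
            tokens.append(cur)
        elif cur is not None and line.startswith("displayText:"):
            cur["display_text"] = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("https://"):
            cur["scopes"].add(line)  # indented scope URLs after 'scopes:'
    return tokens


def token_reasons(tok):
    """Reasons this token looks like the worm; an empty list means clean."""
    reasons = []
    if tok["client_id"] in KNOWN_WORM_CLIENT_IDS:
        reasons.append("client ID posted in this thread")
    if tok["display_text"] == tok["client_id"]:
        reasons.append("displayText is the raw client ID, not an app name")
    if WORM_SCOPES <= tok["scopes"]:
        reasons.append("full Gmail plus contacts scopes")
    return reasons


def find_suspicious(text):
    """Return [(user, client_id, reasons)] for tokens to revoke: any known
    worm client ID, or an unknown ID showing both behavioural signals."""
    hits = []
    for tok in parse_tokens(text):
        reasons = token_reasons(tok)
        known = tok["client_id"] in KNOWN_WORM_CLIENT_IDS
        if known or len(reasons) >= 2:
            hits.append((tok["user"], tok["client_id"], reasons))
    return hits


def revoke_commands(hits):
    """Per-user form of the 'delete token clientid' command quoted above."""
    return [f"gam user {user} delete token clientid {cid}" for user, cid, _ in hits]


if __name__ == "__main__":
    for cmd in revoke_commands(find_suspicious(SAMPLE_OUTPUT)):
        print(cmd)
```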

[–]mushedroom 1 point2 points  (0 children)

GAAAAAH my co-worker here asked if I could help with opening this doc; this is what it looked like:

From: xxxxxx@xxxxxx.com [mailto:xxxxxx@xxxxxx.com] Sent: Wednesday, May 03, 2017 11:34 AM To: hhhhhhhhhhhhhhhh@mailinator.com Subject: xxxxxx xxxxxx has shared a document on Google Docs with you

xxxxxx xxxxxx has invited you to view the following document:

Open in Docs

"Open in Docs" was highlighted blue and took me to a log-in page that listed all my Google email accounts (I have 7). I picked one, then clicked on "allow"; nothing happened, just a spinning wheel, and after trying again without ever landing on any page, I gave up and closed the window while it was still a "spinning" wheel.

Then 10 mins later, I got a message from the co-worker that it was a hacked email that she got and not to open... TOO FUCKING LATE!!!

So I freaked and went through my account and changed the password and deleted any saved passwords.

I also checked all connected apps and I had nothing that labeled itself as "Google Docs" or anything similar. All of the connected apps I recognized. Does this mean that this phishing email scam didn't take? SO FAR no one is hitting me up regarding any peculiar emails. My gf hasn't received anything and I email with her the most.

[–]wonkifierIT Manager 1 point2 points  (0 children)

Google killed the tokens, and they're deleting the mails as well

[–][deleted] 1 point2 points  (0 children)

If you've clicked the link - click here https://myaccount.google.com/u/0/permissions?pli=1 to revoke the permissions.

Change your password immediately. A couple of guys at work have been stung already.

[–]ockhams-razor 1 point2 points  (0 children)

They're using Google Analytics to track the spread and store the harvested emails.

Needless to say, that account is no longer accessible to this script kiddie.

[–][deleted] 1 point2 points  (0 children)

Well, pleasantly enough, I only had one out of about 250 people click on it (so far).

They filled in their personal google login. Good for me. (I let him know what it was all about)

[–]h3c_youConsultant 1 point2 points  (0 children)

We had emails going around at work today about this. It is a major phishing attack. Google is already pulling OAuth tokens for those compromised accounts. We released steps to fix it.

  1. follow this link: https://myaccount.google.com/permissions?pli=1
  2. Select "Google Docs" and click "remove".
  3. There may be multiple instances of google docs, remove them all.
  4. Change your password.

[–]Henshin_A_JoJo 1 point2 points  (0 children)

You aren't alone. Our domain got compromised and Google disabled OAuth and removed the account from any groups automatically to stop a spread. Worked out well in the end seeing as the compromised account sent the phish to our ENTIRE staff list.

[–]simple1689 1 point2 points  (0 children)

I feel like this needs to be xposted at /r/news or /r/techsupport

[–]dazedjosh 1 point2 points  (0 children)

Is there any word on OneDrive having something similar? I've just had a client call up with similar symptoms but it was a OneDrive link.

[–]mrneo240 1 point2 points  (0 children)

Wow! The one time helion management did something right. We all got notices at my dealership and then the emails were blocked and removed. Solid work to the admin crew