The Google Docs Hoax: What Have We Learned?

It has been a couple of weeks since the Google Docs hoax spread across the Internet like wildfire.  What have we learned about this exploit?

Originally this appeared to be a phishing campaign, but phishing emails are spoofed clever replicas.  These emails were the genuine article, and were sent from Google mail servers, from the hijacked Google accounts of people you were likely to know.  This made the exploit difficult to detect, and is one of the reasons it spread so easily.  This is what makes this exploit especially interesting to cybersecurity investigators and reporters.  Lets take a look at some of the important revelations.

  • The code author of this exploit used the Google API (application program interface) to create a web application called “Google Docs.”  Google permitted this use of their API (and branded product name) with out properly vetting the author or the app.
  • The emails that were sent came from actual Google accounts, using Google email servers.  The senders, in most cases, appeared to be someone known to the recipient.
  • When the recipient accepted the invitation by clicking on the blue button, the bogus “Google Docs” application asked for permission to read, send, delete, and manage your email, and manage your contacts.  This took advantage of a weakness in the OAuth open authentication service.
  • If the recipient allowed those permissions, a new round of emails were send to the members of their contact list, thereby spreading the exploit to a new group of targets.
  • This behavior makes this exploit a WORM, not a phishing campaign.  A worm is a virus that spreads itself automatically.  This is why the exploit spread so quickly to so many users, and why many people received more than one or two of these emails.  We have not seen a worm with this level of impact in a very long while, which also makes this attack especially interesting.
  • A person going by the name Eugene Popov took to Twitter to claim responsibility and offer an apology.  Popov claimed the exploit was a project for a graduate degree final at Coventry University.  The University disavowed Popov and said that no one by that name was currently attending or have ever attended the school.
  • Google took immediate action to take down the component parts of the exploit.

We heard from an associate that the end-game was to gain access to Google Wallet in the compromised accounts, but we have not been able to verify that story, and we have not seen it reported anywhere.

Nevertheless, this exploit does open up the affected Google accounts to misuse.  In my particular case, this affects not only my Gmail and Docs accounts, but also my Android smart phone, Google Authenticator 2FA security app, Google Voice, Google+, Google Analytics for my websites, Google Adwords, and other Google service I use. I don’t use Wallet myself, but access to Google Wallet may be possible.

Here are some potential targets of this attack:

  • Business Email Compromise or Email Accout Hijacking, where an email sent from what appears to be the CEO to CFO authorizing payment to a third party
  • Crypto-ransomware or “malware free” ransom attacks.
  • Other malware downloads and installations permitting remote access and control, or adding systems to a bot-net.
  • Identify with other domains a company has been using to share documents.
  • Exfiltration of documents, corporate espionage.
  • A targeted inside information stock trading exploit relying on upcoming M&A or funding activities and information.

What can you do?  If you clicked on the blue button in the email and granted the permission to the bogus app, you should:

  • Log into your Google account
  • Change your password
  • Update the password on all affected devices
  • Check and possibly change your recovery method and questions
  • Check the list of applications that have been granted permission, and remove the fake Google Docs app, and any others you do not recognize.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.