Google said on Wednesday that it had taken steps to protect
users from the attacks by disabling offending accounts and
removing malicious pages.
The attack used a relatively novel approach to phishing, a
hacking technique designed to trick users into giving away
sensitive information: it gained access to user accounts
without needing to obtain their passwords. The attackers did
that by getting an already logged-in user to grant access to a
malicious application posing as Google Docs.
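The grant described above leaves a trace an administrator can review: a third-party app token with a lookalike name and broad scopes. The following is an added example, not part of the Reuters report and not Google's own tooling; it runs a small consent-grant audit over constructed records. The record fields, the reviewed-client allowlist and the client IDs are assumptions; the scope URIs are real Google OAuth scopes.

```python
"""Audit third-party OAuth grants for consent-phishing patterns.

Added example. The grant records below are constructed, and the field
names, client IDs and REVIEWED_CLIENT_IDS allowlist are assumptions
standing in for whatever a workspace's token report exports.
"""
from collections import defaultdict
from dataclasses import dataclass

# Scopes that hand an app the data the article describes: mail, contacts, documents.
HIGH_RISK_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/drive",
})

# First-party product names; a third-party client should never carry one.
FIRST_PARTY_NAMES = ("google docs", "google drive", "google sheets", "gmail")

# Assumed allowlist of client IDs the organisation has already reviewed.
REVIEWED_CLIENT_IDS = frozenset({"reviewed-crm.apps.example"})


@dataclass
class Grant:
    user: str
    app_name: str
    client_id: str
    scopes: frozenset
    granted_at: str  # ISO timestamp, kept for the analyst's timeline


@dataclass
class Finding:
    user: str
    app_name: str
    client_id: str
    reasons: list


def impersonates_first_party(app_name: str) -> bool:
    """True when the display name borrows a first-party product name."""
    name = app_name.strip().lower()
    return any(fp in name for fp in FIRST_PARTY_NAMES)


def assess(grant: Grant) -> list:
    """Return the reasons a grant deserves review (empty list when none)."""
    reasons = []
    if impersonates_first_party(grant.app_name):
        reasons.append("app name mimics a first-party Google product")
    if grant.client_id in REVIEWED_CLIENT_IDS:
        return reasons  # reviewed apps keep their approved scopes
    risky = sorted(grant.scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("unreviewed client holds high-risk scopes: " + ", ".join(risky))
    return reasons


def audit(grants) -> list:
    """Grants worth revoking or investigating, in export order."""
    return [Finding(g.user, g.app_name, g.client_id, r)
            for g in grants if (r := assess(g))]


def burst_by_client(grants, threshold: int = 3) -> dict:
    """Clients granted by many distinct users: the mass-mailed consent pattern."""
    users = defaultdict(set)
    for g in grants:
        users[g.client_id].add(g.user)
    return {cid: len(u) for cid, u in users.items() if len(u) >= threshold}


# Constructed sample export: three users accepted the lookalike app.
LOOKALIKE = "lookalike-docs.apps.example"
SAMPLE_GRANTS = [
    Grant("alice", "Google Docs", LOOKALIKE,
          frozenset({"https://mail.google.com/",
                     "https://www.googleapis.com/auth/contacts"}), "2017-05-03T18:02:00Z"),
    Grant("bob", "Google Docs", LOOKALIKE,
          frozenset({"https://mail.google.com/",
                     "https://www.googleapis.com/auth/contacts"}), "2017-05-03T18:05:00Z"),
    Grant("carol", "Reviewed CRM", "reviewed-crm.apps.example",
          frozenset({"https://www.googleapis.com/auth/contacts.readonly"}), "2017-04-20T09:00:00Z"),
    Grant("dave", "Weather Widget", "weather.apps.example",
          frozenset({"openid", "email"}), "2017-05-01T12:00:00Z"),
    Grant("erin", "Google Docs", LOOKALIKE,
          frozenset({"https://mail.google.com/"}), "2017-05-03T18:09:00Z"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"{f.user}: {f.app_name} ({f.client_id}) -> {'; '.join(f.reasons)}")
    print("mass-consent clients:", burst_by_client(SAMPLE_GRANTS))
```

The two checks are independent on purpose: a lookalike name alone is enough to pull a grant for review, and a cluster of distinct users consenting to the same unreviewed client within minutes is the signal that the mails were sent by an automated system rather than to one target.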
"This is the future of phishing," said Aaron Higbee, chief
technology officer at PhishMe Inc. "It gets attackers to their
goal ... without having to go through the pain of putting
malware on a device."
He said the hackers had also pointed some users to another site,
since taken down, that sought to capture their passwords.
Google said its abuse team "is working to prevent this kind of
spoofing from happening again."
Anybody who granted access to the malicious app unknowingly also
gave hackers access to their Google account data including
emails, contacts and online documents, according to security
experts who reviewed the scheme.
"This is a very serious situation for anybody who is infected
because the victims have their accounts controlled by a
malicious party," said Justin Cappos, a cyber security professor
at NYU Tandon School of Engineering.
Cappos said he received seven of those malicious emails in three
hours on Wednesday afternoon, an indication that the hackers
were using an automated system to perpetuate the attacks.
He said he did not know the objective, but noted that
compromised accounts could be used to reset passwords for online
banking accounts or provide access to sensitive financial and
personal data.
(Reporting by Alastair Sharp and Jim Finkle in Toronto; editing
by Grant McCool)
© 2017 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.