Let this be a lesson: The bigger the target, the smaller the part that must be compromised to generate chaos.
A staggering 1 million Gmail users — or less than 0.1 percent of the 1 billion people Google says employ the system — were affected by the Google Docs phishing scam that swept through cyberspace Wednesday. Though startling in scope, the potential impact was limited, thanks in part to Google engineers’ quick action. Within an hour after one of the search giant’s employees spotted news of the attack on Reddit, Google techs had disabled the sending accounts, removed phony Google Docs pages, deactivated malicious applications and pushed out updates to Gmail to prevent similar events in the future.
Before the end of the day, Google issued an “all-clear” statement: “While [affected Gmail users’] contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event.”
Google and internet security experts have called the attack “sophisticated,” in part because of the nuanced social engineering techniques the perpetrators used to convince victims the emails were legitimate. Aside from the bizarre “To” address — which, honestly, should’ve been a dead giveaway to anyone who has used email for more than five minutes — the emails looked and behaved much like honest-to-goodness invitations to view and/or edit a collaborative document, sent by a colleague. Journalists, public servants and academics receive multiple such emails daily, and researchers have suggested people in those fields may have been the initial targets. All typically maintain large email-contacts lists, allowing the attackers to spread tentacles in many directions very quickly.
The motive behind the attack has left researchers and security specialists scratching their heads. The phishing emails appear to have been merely an exercise in email address harvesting, as the attack carried no kind of malicious payload. Some have suggested the mechanism may have been incomplete, or perhaps Wednesday’s event was a test run for something bigger and more sinister.
The oddest possibility, although it has been mostly debunked, is the whole thing was part of research project gone awry. Shortly after the storm blew over, a suspicious Twitter account allegedly belonging to “Eugene Pupov” claimed responsibility in a series of shame-faced tweets. Pupov said he created the underlying code as part of a graduate research project, and he accidentally let his pet escape.
The truth behind the episode probably never will be known, but the progress and process of the event stand as a stark warning: Email security, mixed with a hearty dose of common sense, matters.
Attacks like the Google Docs phishing expedition demonstrate why those with large contact lists and those who manage mass-mailings must be especially vigilant for the slightest clues that something just isn’t right. Wednesday’s assault proved relatively harmless, but had the email messages carried a malicious payload, even the tiny percentage of Gmail users affected could’ve represented the vanguard of a size-large disaster.
