Security Researchers Warn Of Massive Malware Campaign Aimed At Google Docs Users

Google Docs pretty much revolutionized online collaboration when it came about. Instead of having to install clunky network software packages, or worse, use awkward remote desktop features, you could simply send your coworker or collaborator a web link and the two of you could work on a document simultaneously in your browsers. Google’s application package certainly wasn’t the first (or last) collaborative-editing software, nor even the first to work this way, but it was by far the most accessible given its price: free!

We’re speaking in the past tense because we’re talking about Google Docs’ public release back in 2012, but it’s not as if the application suite has become less popular. Thousands of businesses and millions of individuals rely on Google Docs. Naturally, that makes it even more of a massive, delicious target for bad actors than it already was, and Avanan (a security company under the Check Point umbrella) is warning of exactly such a danger.

The specific exploit in this case is pretty simple, and it makes use of features built into Google Docs intended to speed collaboration. Hackers open a public Google document and then add a comment, mentioning someone with an @. This automatically sends an e-mail to that person’s inbox that comes from Google itself and contains the full text of the comment, including dangerous phishing or malware links. To make matters worse, the commenter’s e-mail address isn’t shown; only the name is included, which makes this feature perfect for impersonation attacks.
An example of an attack e-mail. Image: Avanan

Avanan says it has seen the attack used primarily to target Outlook users, although it could be used against any e-mail address that is used to log in to a Google account. The security firm says that the hackers it observed attempting this exploit used over 100 different Gmail accounts to create the fishy comments, likely knowing that the entire account would be creamed once Google got wind of its misdeeds.
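Since the notification genuinely originates from Google, a mail-side check has to look at what the comment text links to rather than at who sent it. The sketch below is an added example, not code from Avanan or Google: it flags comment notifications whose body links outside Google. The sender address, the trusted-domain list and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: sender address of Docs comment notifications; confirm it against
# a real notification in your own mail flow before relying on it.
NOTIFY_SENDERS = {"comments-noreply@docs.google.com"}
# Assumption: link hosts expected in a benign notification.
TRUSTED_SUFFIXES = ("google.com", "gstatic.com")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample messages (not real traffic).
SUSPICIOUS = (
    'From: "Pat Example (Google Docs)" <comments-noreply@docs.google.com>\n'
    "To: user@example.org\n"
    "Subject: Pat Example mentioned you in a comment\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "@user@example.org please review: http://payroll-update.example/login\n"
    "Open: https://docs.google.com/document/d/EXAMPLE/edit\n"
)
BENIGN = SUSPICIOUS.replace("http://payroll-update.example/login", "thanks!")


def host_trusted(host):
    """True only for a trusted domain or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def review_notification(raw):
    """Summarise a message: is it a comment notification, and where does it link?"""
    msg = message_from_string(raw)
    # The display name is chosen by the commenter and proves nothing about identity.
    display, addr = parseaddr(msg.get("From", ""))
    result = {"comment_notification": addr.lower() in NOTIFY_SENDERS,
              "claimed_name": display, "external_hosts": []}
    if not result["comment_notification"]:
        return result
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(body)}
    result["external_hosts"] = sorted(h for h in hosts if h and not host_trusted(h))
    return result
```

A non-empty `external_hosts` list on a comment notification is a reason to quarantine or banner the message for review, whatever the sender's reputation.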

Because the e-mail comes directly from Google and directly to a specific user, and because the e-mail doesn’t contain any e-mail addresses, this specific exploit punches right through most spam filters and content…