
Ask HN: Google Doc email virus? - eof
We just received multiple "google doc shares" that seemed sketchy and were not sent by the claimed sender.

They came from different companies that have no connection to each other, I assume others are seeing them too right about now. Anyone know what's up?
======
ademarre
I reported this attack vector to Google back in 2012. They awarded a modest
bounty, and then a few months later I heard this:

> _"We're deploying some abuse detection and reactive measures to deal with
> impostors that might try to abuse this sort of attack. Given this, we do not
> intend to perform validation that the URL matches the branding
> information."_

That last part was in reference to one of my proposed mitigations, which they
chose not to implement.

Here's the discussion on the IETF OAuth WG mailing list from that same time
period: [https://www.ietf.org/mail-archive/web/oauth/current/msg07625...](https://www.ietf.org/mail-archive/web/oauth/current/msg07625.html)

~~~
paulddraper
Unicode domain names, Google OAuth phishing...changing my passwords every 30
days is looking less and less important.

It's sad we can't seem to provide good, usable secure software.

~~~
bo1024
> changing my passwords every 30 days is looking less and less important.

Sidenote: I don't think that was ever a good idea, unless you think you were
likely to type your password into phishing sites in the last month.

~~~
paulddraper
Sadly, PCI compliance requirements believe otherwise :(

~~~
cortesoft
The PCI requirement is to change passwords every 90 days.

~~~
AstralStorm
And is patently silly, forcing the requirement to decrypt rarely used private
keys every 90 days.

The requirement should depend on password and hash strength, not some
arbitrary decision.

PCI does not recommend employing password entropy checkers either.

90 day password can be weak while passing all the requirements.

~~~
Consultant32452
Everywhere I've worked appears to have their own way of circumventing the
security of PCI requirements. On a military base I worked everyone used an
easily recognizable pattern on the keyboard. Another place was something like
[employer][symbol][123 or 321]. All too often people use the same pattern that
the IT team uses when they reset your password. So if the IT team typically
sets your password to WhyCombin@tor1, then everyone's going to cycle through
1-10.

Making people reset their password every 90 days probably causes more problems
than it solves and incentivizes more easily guessable passwords.

------
mailinatorguy
Mailinator here:

Yes, we sent the inbox to a blackhole but keep in mind, Mailinator does not
and can not actually "Send" any email.

It's a receive-only service. As always, any email "from" @mailinator.com has
had its reply-to forged (which is pretty trivial).

Also - even before we blackholed the email, it's unlikely any email in that
inbox (i.e. hhhh..) was read. Each box has a 50 email limit (FIFO) which was
immediately overwhelmed. You couldn't click fast enough between seeing the
inbox list and clicking an email.

Mailinator is simply a "receiver" in all of this but we have no indication our
servers were otherwise involved.

~~~
welder
> Each box has a 50 email limit (FIFO) which was immediately overwhelmed.

That makes me think the malicious author didn't expect this to spread as wide
as it did.

~~~
mailinatorguy
It's my guess that Mailinator is extremely irrelevant to their plan.

They planned to propagate via BCC but they needed a "To:" address - preferably
one that didn't bounce.

So they hit the "h" key awhile, then added @mailinator.com

~~~
meowface
Would it have made a difference if they made the "To:" a non-existent address?
Would a bounce also prevent delivery to BCC recipients?

~~~
AstralStorm
Technically, they have to defeat greylisting and server validity checks anyway
to get mails accepted to most modern mail servers.

------
jakob223
EDIT: According to a Google representative on the reddit thread, this
application is now blocked. If your account was affected, you no longer need
to do anything.

If you fell for this, changing your password is not the right solution - you
want to log into your google account and remove permissions from the
application.

[https://myaccount.google.com/permissions?pli=1](https://myaccount.google.com/permissions?pli=1)
should show a list of apps connected to your account.

Also, if you fell for this, you sent a bunch of emails to people like the one
you received, so maybe tell them not to click.

~~~
sudom82
Source code of the worm:
[https://hastebin.com/gubegaqusi.xml](https://hastebin.com/gubegaqusi.xml)

Pretty much what you'd expect.

Edit: This isn't the full source code. There was another PHP file visible on
their website that unfortunately isn't visible anymore.

~~~
mintplant
Heh, they're using Google Analytics to track its spread. That's a nice touch.

~~~
taf2
It's possible to send any data we want to their Analytics tracker... perhaps
we send them some spam?

~~~
soared
Where is ilovevitaly when you need him?!

------
hemancuso
It's a pretty nasty one, since it uses their standard OAuth flow with an app
"Google Docs" to have users grant full access to their email and contacts.

1. I can't believe Google doesn't have basic filters to disallow developers
from registering an app named "Google Docs"

2. Perhaps there should be some more validation/limits associated with
allowing apps on the platform that can gain full access to email. A secure
email account is the One True Source of authentication in the digital world.
Google should make it way harder for people to get tricked into granting full
access to their inbox.

~~~
the_mitsuhiko
Is it actually Google or is there some Unicode trickery going on?

~~~
hemancuso
Doesn't look like a Unicode trick on the app strings I'm getting.

~~~
oh_sigh
Is there a database of homoglyphs for common fonts that one could use to write
a visual string matching algorithm?

~~~
mintplant
[http://www.unicode.org/Public/security/8.0.0/confusables.txt](http://www.unicode.org/Public/security/8.0.0/confusables.txt)

[https://github.com/codebox/homoglyph](https://github.com/codebox/homoglyph)

[http://homoglyphs.net/](http://homoglyphs.net/)

------
stevewilhelm
Links of interest:

[https://www.google.com/appsstatus#hl=en&v=issue&sid=4&iid=c7...](https://www.google.com/appsstatus#hl=en&v=issue&sid=4&iid=c708d68b1884a629816e361895c125a5)

[https://www.reddit.com/r/google/comments/692cr4/new_google_d...](https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/?st=j29dyxal&sh=34df3bf4)

[https://www.theverge.com/2017/5/3/15534768/google-docs-phish...](https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam)

~~~
et-al
From the reddit link it looks like Google has fixed it:

> _Googler here -- I'm escalating to the correct engineering and product
> teams now._

> _Edit: This is now resolved. Less than a half-hour after escalation, wow!
> =)_

> _Final edit: problem is resolved. I clicked the link and got an "oauth
> client disabled" message. Not pretty, but at least you won't get phished._

~~~
TorKlingberg
"Fixed" in the sense that this app is now blocked. Is there anything to stop
another worm like this, with a different name?

~~~
Spoom
I'm sure they'll do a post-mortem and come up with additional protections,
they just take longer than the immediate fix.

------
btym
I love how simple this worm is. They haven't exploited any security holes
(other that looking like Docs), it literally just _asks_ for full access to
your email address.

~~~
ehsankia
Yeah, I read articles calling it sophisticated. This is a super simple and
straightforward worm. Disguise yourself as a known app and ask for more
permission than you should. IDN exploits [0] and attachment faking [1] are
more sophisticated if anything.

[0] [https://www.wordfence.com/blog/2017/04/chrome-firefox-unicod...](https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/)

[1] [http://fortune.com/2017/01/18/google-gmail-scam-phishing/](http://fortune.com/2017/01/18/google-gmail-scam-phishing/)

~~~
shif
It's sophisticated because of its simplicity and effectiveness.

~~~
chii
Technical simplicity, but sophisticated social engineering. Guess what the
weakest link is between apps? It sure isn't the tech.

------
aub3bhat
It's a malicious OAuth client (multiple clients?) that calls itself "Google
Docs" and fooled users into giving access to read emails, while pretending to
show as if it was needed by GDocs itself to access a Document, enabling launch
of among other things password resets on other websites.

The root problem seems to be that the identity of OAuth Servers is not
authenticated/clearly shown, i.e. a malicious app can claim that its name is
Google Docs even though it is not endorsed by Google.

IMPORTANT NOTE: If you are running any website that has "Reset my password" it
might be used by attacker, since even though the attacker does not have access
to password, the attacker had access to email inbox. Thus the email password
reset flow will allow attacker to compromise other websites that rely on Gmail
account for password resets.

[https://twitter.com/zachlatta/status/859843151757955072?ref_...](https://twitter.com/zachlatta/status/859843151757955072?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Ftwitter.com%2Fzachlatta%2Fstatus%2F859843151757955072)

[https://www.dropbox.com/s/l024nggmcizub40/Screenshot%202017-...](https://www.dropbox.com/s/l024nggmcizub40/Screenshot%202017-05-03%2016.01.26.png?dl=0)

------
philip1209
Wow, Hired.com appears to have emailed all of their users about this. Must be
spreading quickly. Note that they advise compromised users to change their
password - which other comments indicate does not solve the issue.

Below is the Hired notification.

---

Important: Email Phishing Alert

Hi <first name>,

It has come to our attention that some of our users may have been hit with a
Google Docs phishing scam. It appears that this scam has been spreading
throughout the internet today, and is not isolated to Hired or our customers
and candidates. If you want more information, you can read about it here[1] or
here[2].

If you receive a Hired email that says that someone from Hired has shared a
Google Doc with you, please validate with the sender before clicking the link
or doing anything else.

If you think your account may have been compromised, be sure to change your
password immediately.

We apologize for this interruption to your day. Please let us know if you have
any questions.

Thanks, The Hired team

[1] [https://www.theverge.com/2017/5/3/15534768/google-docs-phish...](https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam)

[2] [https://gizmodo.com/a-huge-and-dangerously-convincing-google...](https://gizmodo.com/a-huge-and-dangerously-convincing-google-docs-phishin-1794888973)

------
yurisagalov
Looks like this is fairly widespread.

This is what the attack actually looks like:
[https://twitter.com/zachlatta/status/859843151757955072](https://twitter.com/zachlatta/status/859843151757955072)

~~~
maxerickson
It managed to hit regional mainstream media here (like 10 minutes ago).

I guess that probably just means someone working there got it though.

------
sudom82
Source code of the worm:
[https://pastebin.com/raw/EKdKamFq](https://pastebin.com/raw/EKdKamFq)

Edit: How I got this:

Someone on reddit went to their site when it wasn't down, and downloaded the
files linked in the page's HTML. I just posted it here.

This isn't the full source code. There was another PHP file visible on their
website that unfortunately isn't visible anymore.

~~~
jameslk
I like how the code has Javadoc comments, in case other developers need to
maintain the worm or use its public API.

~~~
ben_jones
That's gotta be a copy-paste job. If someone was actually cheeky enough to
comment their malware they would've left jokes, puns, etc.

~~~
jshmrsn
Indeed, those comments come from a Google Analytics quick start:
[https://github.com/chriskwan/gmailytics/blob/master/quicksta...](https://github.com/chriskwan/gmailytics/blob/master/quickstart.html)

------
coleca
Considering how easy it would be to filter this out, why has Google allowed it
to continue spreading within their own email network? Obviously they have no
control over what goes on outside of Gmail/G Suite, but inside their own
network, they should be able to setup a basic filter to stop anything TO:
hhhhhhh@mailinator or whatever it is. I received this email (but did not click
the link) in my Gmail account from another Gmail user, so it never left the
Google network. From the reports here it looks like it is still spreading even
though Google disabled the app.

With all of Google's machine learning expertise, how is it that this got past
all of their SPAM detectors? It took me 2 seconds to hover over the link and
see it was a crazy link that ended up at a domain called google.pro. Really?
One of the world's largest and most advanced email systems couldn't figure
that out?

~~~
bitmapbrother
It was shut down within 30 minutes.

~~~
welder
No it was more like hours from when I reported it and when the app was finally
blocked.

~~~
yuhong
Reddit post:
[https://www.reddit.com/r/google/comments/692cr4/new_google_d...](https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/)
(you can view complete timestamps by hovering.)

------
alexlongterm
We wrote a guide for Google Suite admins on how to lock down their domain.
OAuth and phishing are major threats and Google could do much more here:
[https://medium.com/@longtermsec/more-tips-for-securing-your-...](https://medium.com/@longtermsec/more-tips-for-securing-your-g-suite-4d617bd04bc8)

------
jmcdiesel
I work for a Fortune 500 (won't disclose) but we just shut off email for our
entire organization due to this...

------
rst
SANS writeup:
[https://isc.sans.edu/diary/22372](https://isc.sans.edu/diary/22372)

------
r721
Articles:

[https://motherboard.vice.com/en_us/article/massive-gmail-goo...](https://motherboard.vice.com/en_us/article/massive-gmail-google-doc-phishing-email)

[https://www.theverge.com/2017/5/3/15534768/google-docs-phish...](https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam)

[https://blog.malwarebytes.com/cybercrime/2017/05/google-docs...](https://blog.malwarebytes.com/cybercrime/2017/05/google-docs-app-spam-goes-phishing/)

------
slrz
Hi, I'm Google Docs. Would you please grant me access to your Google account
so that I can read, send, delete and manage your mail, as well as manage your
contacts?

~~~
ghostly_s
Hi Google Docs. I'm not sure I need any help managing my email at the moment,
but maybe we can just be friends?

------
aaronmiler
Our support team is getting spammed a lot from our customers. We're in the
education space, and it's spreading pretty quick.

On initial inspection the URL looks harmless, but it's got some malicious
params in there, mainly

    redirect_uri=https%3A%2F%2Fgoogledocs.g-docs.win%2Fg.php

It appears to request read/send access to your email, and then spam all your
contacts

~~~
tedmiston
I received one with this address as well.

------
gigabo
Reported as a service disruption on the status dashboard:

> We're investigating reports of an issue with Google Drive. We will provide
> more information shortly.

[https://www.google.com/appsstatus#hl=en&v=issue&sid=4&iid=c7...](https://www.google.com/appsstatus#hl=en&v=issue&sid=4&iid=c708d68b1884a629816e361895c125a5)

------
wjke2i9
Things like this are bound to happen when you have centralized systems
controlling everything with full control of the information (no zero-knowledge
storage like email/document/communication encryption). You're essentially
trusting one third party provider with everything in your
life/business/organization.

------
seanp2k2
Yes, it's phishing. More discussion:
[https://www.reddit.com/r/google/comments/692cr4/new_google_d...](https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/)

------
mrpound
Same here. Several emails so far from different seemingly random companies and
individuals with clearly malicious Google Docs requests w/ a suspicious param
in the oauth request in the link:

"&redirect_uri=3Dhttps%3A%2F%2Fgoogledocs.docscloud.info%2Fg.php&customparam=3Dcustomparam"

~~~
WizardII
Seeing an alternate redirect redirect_uri=
=3Dhttps%3A%2F%2Fgoogledocs.g-docs.win%2Fg.php
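A defender-side triage of the consent links quoted in this thread (aaronmiler's and mrpound's `redirect_uri` values, including the quoted-printable `=3D` / soft-break form that appears when the link is copied from raw mail source), as an added example that is not code from the thread or from Google: it parses the OAuth authorization parameters and flags a request that couples full-mailbox scopes with a redirect_uri outside Google. The trusted-host allowlist, brand-word list and verdict rules are assumptions to tune; the client id is a placeholder.

```python
# Triage for OAuth consent links found in "shared a document" mails. Constructed
# example; the allowlist, brand words and verdict rules are assumptions to tune.
import quopri
from urllib.parse import parse_qs, urlsplit

# Hosts a genuine Google-owned application would redirect back to (assumed allowlist).
TRUSTED_REDIRECT_SUFFIXES = ("google.com", "googleapis.com", "googleusercontent.com")
# Words a look-alike redirect host borrows to appear first-party.
BRAND_WORDS = ("google", "gdocs", "docs", "gmail", "drive")
# Scopes that hand over the whole mailbox or address book (real Google scope URIs).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access: read, send, delete",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
}

def decode_mail_fragment(text):
    """Undo quoted-printable residue copied from raw mail source: '=3D' is '=' and a
    line ending in '=' is a soft break (the 'redirect_uri=' / '=3Dhttps' split above)."""
    return quopri.decodestring(text.encode("ascii", "replace")).decode("utf-8", "replace")

def host_is_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_REDIRECT_SUFFIXES)

def analyze_oauth_link(link, raw_mail=False):
    """Return redirect host, scopes, findings and a verdict for one consent link.
    Accepts a full authorization URL or a bare '&param=value' fragment."""
    text = (decode_mail_fragment(link) if raw_mail else link).strip()
    parts = urlsplit(text)
    query = parts.query if parts.query else text.lstrip("?&")
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes, '+' becomes space
    redirect = params.get("redirect_uri", [""])[0]
    redirect_host = (urlsplit(redirect).hostname or "").lower()
    scopes = params.get("scope", [""])[0].split()     # scope is a space-separated list
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]

    findings = []
    if not redirect_host:
        findings.append("no redirect_uri: not a complete consent link")
    elif not host_is_trusted(redirect_host):
        findings.append(f"redirect_uri leaves Google: {redirect_host}")
        if any(w in redirect_host for w in BRAND_WORDS):
            findings.append("redirect host borrows Google/Docs branding")
    for s in risky:
        findings.append(f"high-risk scope: {s} ({HIGH_RISK_SCOPES[s]})")

    if risky and redirect_host and not host_is_trusted(redirect_host):
        verdict = "block"   # broad mailbox access flowing to a non-Google host
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"redirect_host": redirect_host, "scopes": scopes, "risky_scopes": risky,
            "findings": findings, "verdict": verdict}

# Constructed samples; CLIENT_ID_PLACEHOLDER stands in for a real client id.
SAMPLE_LINKS = {
    # Shape described in the thread: real Google consent page, look-alike redirect host.
    "worm_like": ("https://accounts.google.com/o/oauth2/auth?client_id=CLIENT_ID_PLACEHOLDER"
                  "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
                  "&redirect_uri=https%3A%2F%2Fgoogledocs.g-docs.win%2Fg.php&response_type=code"
                  "&customparam=customparam"),
    # Same parameters as they appear in raw mail source (quoted-printable '=3D', soft break).
    "raw_mail": ("&scope=3Dhttps%3A%2F%2Fmail.google.com%2F&redirect_uri=\n"
                 "=3Dhttps%3A%2F%2Fgoogledocs.docscloud.info%2Fg.php&customparam=3Dcustomparam"),
    # Narrow scopes and a Google-owned redirect, for comparison.
    "benign": ("https://accounts.google.com/o/oauth2/auth?client_id=CLIENT_ID_PLACEHOLDER"
               "&scope=openid+email&redirect_uri=https%3A%2F%2Fdocs.google.com%2Fcallback"),
}

if __name__ == "__main__":
    for label, link in SAMPLE_LINKS.items():
        result = analyze_oauth_link(link, raw_mail=(label == "raw_mail"))
        print(label, result["verdict"], result["findings"])
```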

------
M1233mjm
When can we expect a public statement regarding the phishing scam and the
fallout? We all know it used our accounts to forward itself to everyone in our
contact lists, but what about our emails? Have those also been
forwarded/harvested? We need to know this to know how to react.

------
sergiotapia
Just received one as well. Source is Hired.com - according to them:

[https://cl.ly/1i0b0v110s0J](https://cl.ly/1i0b0v110s0J)

---

Hi Sergio,

It has come to our attention that some of our users may have been hit with a
Google Docs phishing scam. It appears that this scam has been spreading
throughout the internet today, and is not isolated to Hired or our customers
and candidates. If you want more information, you can read about it here or
here.

If you receive a Hired email that says that someone from Hired has shared a
Google Doc with you, please validate with the sender before clicking the link
or doing anything else.

If you think your account may have been compromised, be sure to change your
password immediately.

We apologize for this interruption to your day. Please let us know if you have
any questions.

Thanks, The Hired team

------
yeboi
Here's an interesting case that I encountered (~1:20pm maybe):

1) I clicked on the link on my phone's email app. It looked super believable
since it was coming from a person I was expecting a Google Doc invite from. I
allowed access to "Google Docs" and then the page hit a 502 gateway error.

2) I tried it again on my computer by logging in, and this time, when the page
was loading (after I allowed access), I saw the website was not legitimate
(based on the URL) so I immediately closed the tab.

Here's the interesting part: None of my contacts got a "Google Docs" invite
from me - meaning I didn't "send" any mail. Any idea how I can see if the
person behind this has my emails too via API requests?

~~~
sumitgt
Go to your Google account's security settings and see which apps have access.
Revoke access from any app that is not needed or has the display name "Google
Docs".

------
wmblaettler
To see the list of apps connected to your Google Account:
[https://myaccount.google.com/permissions](https://myaccount.google.com/permissions)

------
packetized
Eagerly awaiting the response from Cloudflare detailing their response, since
all of the domains associated with this so far appear to have been hosted with
them, or at least fronted by their service.

------
choxi
I got one from "DocuSign":
[https://twitter.com/choxi/status/844949531896655872](https://twitter.com/choxi/status/844949531896655872)

The link went to a page that looked like Google Docs and asked for my Google
login, but I noticed the domain was wrong so I didn't sign in. I tried the
link again today and it looks like Chrome does flag it as a phishing site now.

------
GrumpyNl
Google is on it: [https://techcrunch.com/2017/05/03/heres-googles-official-sta...](https://techcrunch.com/2017/05/03/heres-googles-official-statement-on-todays-fast-spreading-phishing-attack/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=twitter)

------
AdmiralAsshat
My brother called me about 15 minutes ago to tell me this hit his student
e-mail as well.

I'd be curious at the postmortem how quickly this thing spread.

------
EdwardMSmith
Feels like "I love you" all over again.

~~~
kzisme
Link for the lazy
[https://en.wikipedia.org/wiki/ILOVEYOU](https://en.wikipedia.org/wiki/ILOVEYOU)

------
codedokode
As we saw one should not let users decide who can get access to their email
account. Users are easily fooled. Google should review all applications
wanting such access manually.

Though this is unrelated to the topic I think it would be good if Google
reviewed apps permissions in Google Play too because users are bad at this.

------
discreditable
G Suite admins: you can check for compromise by going to Reports > Token in
the admin panel. A compromise looks like this:
[https://i.imgur.com/Dm0NNTn.png](https://i.imgur.com/Dm0NNTn.png)

------
_pergosausage
The very same thing happened at my university. The sender is
hhhhhhhhhhhhhhhh@mailinator.com

~~~
mailinatorguy
Um. The TO address is hhhhhh@mailinator.com. Not the sender.

------
os400
G Suite customers have been asking for the ability to whitelist OAuth
clients/scopes for their domains for years, for this exact reason. So far,
Google hasn't really given a shit.

I guess that might finally change now.

------
TimButterfield
There is also a Docusign phish email going around. I received a couple of them
yesterday from mail2world, though signed by [company name].onmicrosoft.com for
that user's business email address. They purported to be from people I knew.

------
ethn
I just received one of these as well. They seem to get their targets by
compromising a single user and then by monitoring the people who are viewing
the same Google Docs as the infected victim had in the past.

------
garyfirestorm
This happened to me. An unknown person from my organization shared a Google
doc. I didn't open it, and replied by saying 'what is this about?'. He said he
didn't send any gdocs :|

~~~
hulahoof
It sounds so simple, but the MSN Messenger era taught me to always follow up
on a shared file for this reason (address book worms were a minor scourge in
my circles at the time).

------
jaimehrubiks
The only tricky thing is not seeing these weird permissions. Google may block
naming an app "Google Docs" but someone could always trick it with "Google
Docs." or whatever
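An added example (not code from the thread or from Google) covering both oh_sigh's homoglyph question earlier in the thread and the "Google Docs." variant just mentioned: a screening check for OAuth client display names that folds confusable and invisible characters down to a skeleton before comparing against protected names, and reports mixed scripts as a separate signal. The confusables subset and the protected-name policy list are constructed assumptions; production code would load the full confusables.txt linked above.

```python
# Display-name screening for OAuth clients: does a third-party app name pass for
# "Google Docs" once look-alikes, invisible characters and trailing punctuation are
# accounted for? Constructed example; tables below are assumptions, not Google's policy.
import unicodedata

# Constructed subset of the Unicode confusables table (Cyrillic/Greek/Latin look-alikes
# of ASCII letters). Production code should load the full confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0501": "d",
    "\u03bf": "o", "\u03b1": "a", "\u0261": "g", "\u0131": "i",
}
# Names a third-party client must not present itself under (assumed policy list).
PROTECTED_NAMES = ("google docs", "google drive", "google", "gmail")
_PROTECTED_COMPACT = tuple(p.replace(" ", "") for p in PROTECTED_NAMES)

def skeleton(name):
    """Reduce a display name to what the user perceives: compatibility-normalised
    (fullwidth letters, ligatures), case-folded, look-alikes mapped to ASCII,
    invisible format characters dropped, decorative edge punctuation stripped."""
    chars = []
    for ch in unicodedata.normalize("NFKC", name).casefold():
        if unicodedata.category(ch) == "Cf":   # zero-width space/joiner, soft hyphen, BOM
            continue
        ch = CONFUSABLES.get(ch, ch)
        chars.append(" " if unicodedata.category(ch).startswith("Z") else ch)
    text = "".join(chars).strip(" .,:;!?'\"-_()[]{}")
    return " ".join(text.split())

def scripts_used(name):
    """Crude script labels for the letters in a name (first word of the Unicode name),
    enough to notice Latin text with Cyrillic or Greek letters mixed in."""
    letters = (ch for ch in unicodedata.normalize("NFKC", name) if ch.isalpha())
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in letters}

def check_app_name(name):
    """Classify a proposed client display name as ok / review / reject, with reasons."""
    skel = skeleton(name)
    compact = skel.replace(" ", "")            # also catches "GoogleDocs"
    scripts = scripts_used(name)
    naive = " ".join(name.casefold().split())  # what a plain case-insensitive filter sees
    reasons = []
    if compact in _PROTECTED_COMPACT:
        reasons.append(f"normalises to protected name '{skel}'")
    elif any(compact.startswith(p) for p in _PROTECTED_COMPACT):
        reasons.append("leads with a protected brand name")
    if len(scripts) > 1:
        reasons.append("mixes scripts: " + ", ".join(sorted(scripts)))
    if skel != naive:
        reasons.append("look-alike, invisible or decorative characters alter the visible name")
    if compact in _PROTECTED_COMPACT:
        verdict = "reject"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return {"skeleton": skel, "scripts": sorted(scripts), "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    # Constructed candidates: the plain name, the trailing-dot trick from the thread,
    # Cyrillic o's, a fullwidth G plus zero-width space, and two ordinary names.
    for candidate in ("Google Docs", "Google Docs.", "G\u043e\u043egle Docs",
                      "\uff27oogle\u200bDocs", "Google Docs Helper", "Acme Expense Tracker"):
        r = check_app_name(candidate)
        print(repr(candidate), r["verdict"], r["reasons"])
```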

------
Clubber
The bad thing about centralized internet is it makes some mail servers much
juicier targets than the decentralized mail servers of old.

I decided gmail wasn't for me when I read they harvested your emails for ads.
1GB in 2004 sounded so enticing too!

If you are technically savvy and have access to a static IP, I highly
recommend setting up postfix/dovecot and registering a domain. It's fairly
straightforward for technical people. You can have it set up, soup to nuts, in
an hour or two. There's online docs everywhere.

It's probably not going to be as secure as a gmail, but it's a much smaller
target. Most internet providers will give you a static for an extra $5 or so.

~~~
rspeer
And then nobody ever receives your mail because the big mail servers don't
trust you.

~~~
Macuyiko
Yeah exactly - last time I went through the trouble of setting up my own
e-mail I decided it just wasn't worth it between PTR records, DMARC, and SPF.
It's possible, sure, but takes away all of the old-fashioned enjoyment of
quickly setting up a Linux box with postfix and on your way you were.

------
spydum
Next up, prepare for the inbox onslaught of every CASB provider hawking their
wares and telling you all about the googpocalypse and how they are uniquely
prepared to solve it!

------
aaronmiler
Just checked the malicious link again.

It looks like Google removed (at least one of) their access tokens

Checked the URL containing:

    googledocs.g-docs.win%2Fg.php

------
cloudaphant
Any clues what this was trying to do? I suppose we have to wait for Google to
publicise what went on once OAuth had been granted.

~~~
aub3bhat
My guess spreading + password resets + searching for files that can be
downloaded/later used for crypto blackmail?

I think we are going to see some of the worst large scale ransom attempts
shortly. They also timed it perfectly afternoon on hump day when everyone in
USA is just getting ready for / back from lunch.

------
Markoff
So what should I tell my mom to avoid her Gmail being hacked in future the same
way? (It wasn't hacked since they had only an English-language audience this
time.)

Don't click on unknown links which take you to a Google login page and never
approve access to your data in any dialog?

------
killa_kyle
This is burning through our office right now. emailing all clients! diablo!

------
sleepychu
Is there mitigation against deploying exactly this attack another way?

------
d2kx
Yeah @SwiftOnSecurity warned about this, lots of people/orgs affected

------
mathattack
I got a few, then it died. Perhaps Google now recognizes this as spam.

------
caydo00n
Anyone know how far spread this is? It just hit our school emails.

~~~
ocdtrekkie
Looks really wide. It hit our org too. Though in our case, we don't use Google
accounts internally, and hence it isn't a threat to us.

And it looks like Google is responding. The link in the emails no longer
works, as the OAuth credentials have been revoked. I assume Google will be
removing all the applicable app permission grants themselves.

------
cassie942
There was a warning May 4 about a massive Google Doc phishing scam; check
on.digg.com/2py2k5g

------
cassie942
Warning May 4 of massive Google Docs phishing scam; check on.digg.com/2py2k5g

------
pmcpinto
I received it too

------
sudom82
edit: accidentally double posted

double edit: 1. replied in above comment. 2. dunno. first time using HN,
accidentally submitted twice when I was on comment posting cooldown I guess.

~~~
tbodt
1. where did you get this 2. why did you post the link in 3 separate
comments

------
MediaSquirrel
Same here

------
patmcguire
Yes, it's all over.

~~~
evan_
until copycats start

------
petervandijck
Yes, same here.

------
ownc
My teacher said not to open this email.

------
pinaceae
Amazing how large this is, our company just got a massive wave of those. All
from "internal" addresses.

------
ben_jones
We have an entire generation that's been trained by big tech companies to
instantly click agree, share, like, etc., buttons. This is only going to get
worse.

