Google Apps for Education and Business users are the targets of a phishing scheme that has been circulating the internet for several years, but has seen a sudden uptick in recent weeks in our geographic area.
Users receive an email that looks like this:
Hovering over the link in my mail client shows me that this will not lead to Google Docs, but if you choose to click the link, it often leads to a website with a Google Drive or associated logo. The website persuades you to enter your Google credentials, which allows them to be captured by the attackers.
In some instances, your account is used to send the same email out to your entire contact list. In other instances, your YouTube account is hijacked, your contacts are deleted, or months later your account is used to send out other spam.
Steps for IT Administrators:
- Check the URL of the link included in the email. Block it on your content filter if possible, so other network users aren’t allowed to click through and fall prey to the scheme as well.
- Help the user reset their password, check for mail filters, and sign out of accounts open in other locations.
- Consider running a virus/malware scan on the user’s machine.
Steps for IT Users:
- Change your password in your Google account.
- While in your Gmail inbox, scroll down to the bottom of the page to see:
  - Last account activity: # minutes ago
- Click the “Details” button to see all instances of your account activity. Click the button that says “Sign out all other web sessions” to force all open sessions to close and thus require your new password.
- Consider running a virus/malware scan on your machine.
- Check for mail filters (see below).
- In Gmail, click on the gear icon and select “Settings”.
- Click the Filters tab. Filters are usually created to hide emails from your inbox, so that you remain unaware that your account was hacked. The screenshot below shows two filters created by the hackers to send items with specific subjects straight to the trash. Filters can also be created to forward emails with specific subjects to another email address entirely.
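The filter check above can also be done programmatically. The following is an added example, not code from the original post: it reads a JSON export of a user's Gmail filters in the shape returned by the Gmail API `users.settings.filters.list` method (the sample data here is constructed) and flags filters that trash, hide, or forward matching mail. The list of allowed forwarding domains is an assumption you would fill in for your own organisation.

```python
import json

# Gmail system label IDs that an attacker-created filter typically uses.
TRASH = "TRASH"
SPAM = "SPAM"
INBOX = "INBOX"

# Constructed sample in the shape of a Gmail API users.settings.filters.list
# response: each filter has an id, matching criteria and an action.
SAMPLE_FILTERS = json.dumps({
    "filter": [
        # Legitimate: user files a newsletter under a custom label.
        {"id": "f1", "criteria": {"from": "news@example.org"},
         "action": {"addLabelIds": ["Label_12"]}},
        # Attacker-style: replies about the phishing mail go straight to trash.
        {"id": "f2", "criteria": {"subject": "Google Docs"},
         "action": {"addLabelIds": ["TRASH"]}},
        # Attacker-style: bounce notices skip the inbox and are marked read.
        {"id": "f3", "criteria": {"query": "mailer-daemon OR undeliverable"},
         "action": {"removeLabelIds": ["INBOX", "UNREAD"]}},
        # Attacker-style: all mail copied to an address outside the organisation.
        {"id": "f4", "criteria": {"query": "*"},
         "action": {"forward": "collector@attacker.example"}},
    ]
})


def audit_filters(filters_json, allowed_forward_domains=()):
    """Return (filter_id, reason) pairs for filters that hide or exfiltrate mail."""
    findings = []
    for f in json.loads(filters_json).get("filter", []):
        action = f.get("action", {})
        added = set(action.get("addLabelIds", []))
        removed = set(action.get("removeLabelIds", []))
        forward_to = action.get("forward")
        if TRASH in added or SPAM in added:
            findings.append((f["id"], "auto-deletes matching mail"))
        if INBOX in removed:
            findings.append((f["id"], "skips the inbox for matching mail"))
        if forward_to:
            domain = forward_to.rsplit("@", 1)[-1].lower()
            if domain not in allowed_forward_domains:  # assumed allow-list
                findings.append((f["id"], f"forwards mail to {forward_to}"))
    return findings


if __name__ == "__main__":
    for fid, reason in audit_filters(SAMPLE_FILTERS, ("school.example",)):
        print(f"filter {fid}: {reason}")
```

Run it against each compromised account's filter export before the user changes their password, so that any forwarding address found can also be reported to the mail administrator.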