Yesterday afternoon, a new, clever, insidious phishing attack hit Google. Not only did it hit Google, it spread both crazy fast and crazy wide. It was specifically targeted at Google Docs/Gmail users, and it was beyond well disguised: all it took was a couple of clicks (on a legit-looking, Google-hosted URL — how’s that for data?). The goal of the attack? To give the attacker the ability to read all of your Gmail, and then to immediately forward the phishing email to everyone you’ve ever emailed. Ever.
The attack started with an email you received from someone who had emailed you before. The contents of the email? A Google Docs share link. You clicked the URL to open the document, and you saw a seemingly innocuous page hosted by Google itself. The page didn’t ask for a password or a password reset; it even listed all your Google accounts already. All the page asked you to do was give a “Google Docs” app permission to read your email and contacts.
What’s so insidious about that, you may ask?
That “Google Docs” app wasn’t Google Docs at all — it was just an app somehow masquerading as it.
Many of us in the tech community are appropriately skeptical when we get emails from accounts we don’t recognize, or emails that ask us to reset passwords, etc., but this attack checked a lot of the correct boxes. If you happened to fall for it and clicked the “allow” button, the attacker immediately gained full inbox access, and, to top everything off, you were now forwarding the bait to every single person on your contact list.
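For defenders, the two signals described above (a third-party app using a first-party product name, and a request for mail and contacts access) can be checked against an export of OAuth grants. The following is an added example, not code from Google or from the original post; the record layout, client IDs, trusted list, choice of sensitive scopes and sample grants are all constructed for illustration.

```python
import unicodedata

# Scopes treated as sensitive here (assumption): full Gmail access and contacts,
# matching the "read your email and contacts" request the post describes.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}
# Product names a third-party app should not present itself as (assumed list).
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Client IDs the organisation has verified as first-party (constructed placeholder).
TRUSTED_CLIENT_IDS = {"first-party-docs.example"}

def normalise(name):
    """Fold case, Unicode compatibility forms and extra whitespace.
    NFKC does not catch cross-script look-alikes (e.g. Cyrillic letters)."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def review_grant(grant):
    """Return the reasons a grant deserves review (empty list = nothing flagged)."""
    if grant["client_id"] in TRUSTED_CLIENT_IDS:
        return []
    reasons = []
    if normalise(grant["display_name"]) in PROTECTED_NAMES:
        reasons.append("impersonates-first-party-name")
    risky = SENSITIVE_SCOPES & set(grant["scopes"])
    if risky:
        reasons.append("sensitive-scopes:" + ",".join(sorted(risky)))
    return reasons

def audit(grants):
    """Map 'user|client_id' to review reasons for every flagged grant."""
    flagged = {}
    for g in grants:
        reasons = review_grant(g)
        if reasons:
            flagged[g["user"] + "|" + g["client_id"]] = reasons
    return flagged

# Constructed sample records; a real export will have a different layout.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "client_id": "first-party-docs.example",
     "display_name": "Google Docs",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.com", "client_id": "unknown-app-1.example",
     "display_name": "Google  Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "carol@example.com", "client_id": "notes-app.example",
     "display_name": "Team Notes", "scopes": ["openid"]},
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_GRANTS).items():
        print(key, reasons)
```

A grant flagged for both reasons is the pattern from this incident; revoking it removes the app's access without a password change.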
So what can you learn from this unfortunate situation?
How to handle a crisis competently.
Within hours of the phishing attack surfacing, Google was all over it. Some enterprises reported Google automatically redirecting these emails to spam folders. The attack was acknowledged and publicized widely, both by Google and through the media. Instead of trying to hide the issue or sweep it under the rug, Google admitted what was happening, reacted, responded and neutralized the threat. Getting on top of the issue early, and making sure people knew about it so they could take appropriate countermeasures, afforded Google credibility and trust. Being open and honest, paired with lightning-fast reaction time, allowed Google and Gmail to weather this storm largely unscathed. They put in stop-gap measures to plug the hole as quickly as possible, followed by a wholesale solution implementation shortly thereafter. Stop the bleeding, close the wound, suture it up nice and tidy.
This is a great example of how to competently handle a crisis; we would all do well to heed said example.