On May 3rd, email messages began to arrive at people's inboxes that appeared to invite people to view a Google document. Upon clicking on the blue icon for the invitation, the person would receive a message asking for permission to access the person's address book and email.
If the person gave permission to access their address book and email, the malicious script would read the person's address book and send the phishing message to everyone in the address book. This is why the messages would have appeared to have come from someone you know.
If the person didn't give the hacker's script permission to access their address book, nothing would happen.
In some instances, a Google form would pop up asking for the person's name and log in credentials.
Within a few hours of the attack being released, Google was working to block the hack and remove the hacker's access. At this point, yesterday's hack has been mostly cleaned up.
Key points
- The malware did not compromise anyone's username or password, unless a person entered their credentials into the Google form that popped up on the screen.
- If anyone did enter their username and password into the hacker's Google form, please reset your password right away. If you need assistance with resetting your password, please contact the DoIT Technology Support Center.
- Google has cleaned up the permissions and blocked the blue icon from working. The phishing messages now also show a warning that says, Be careful with this message. Similar messages were used to steal people's personal information. Unless you trust the sender, don't click links or reply with personal information.
- Please delete any copies of the phishing message that you may have in your inbox.
Additional details about the malicious messages are available at:
Since this hacker was successful with this type of attack, we should all expect to see more of these types of messages. The next attempts could appear to be related to Google again, or the hackers could switch to trying to hack Box.com or any other cloud services.
As always, if you aren't expecting to receive a document from someone or something feels out of the ordinary, call the sender of the message and ask if they really sent it. If they didn't send it to you, don't open it.
Also, anytime something asks for permission to access your address book, docs, email, or any other information; think twice before giving permission. That one click could cause a big mess.
Finally, if you have any questions or would like someone to validate something that doesn't seem right, please DoIT Security at security@umbc.edu. We are happy to help determine if something is legitimate or a threat.
Thank you,
Mark Cather
Chief Information Security Officer
Division of Information Technology / UMBC