Heads-up, Zippers! Read the tweets in the article and be very cautious opening your Gmail emails.
An unusually sophisticated identity phishing campaign appeared to target Google’s roughly 1 billion Gmail users worldwide, seeking to gain control of their entire email histories and spread itself to all of their contacts, Google confirmed Wednesday.
The worm — which arrives in users’ inboxes posing as an email from a trusted contact — asks you to check out an attached “Google Docs,” or GDocs, file. Clicking on the link takes you to your real Google security profile, where you’re asked to give permission for the fake app posing as GDocs to manage your email account.
To make matters worse, the worm also sends itself out to all of your contacts — Gmail or otherwise — reproducing itself hundreds of times any time a single user falls for it.
Google said on its Gmail technical forum support: “Our team is aware of this issue and is currently investigating. If you haven’t already done so, please report this email as phishing from within Gmail.”
Google’s GDocs team also confirmed that the worm specifically manipulated its Google Docs product.
The strategy is a common one, but the worm that was released Wednesday was causing havoc for millions of users because of its unusually sophisticated construction: Not only does the malicious link look remarkably realistic and trustworthy, but the email that delivers it also appears to come from someone you already know — and the payload manipulates Google’s real login system.
It all adds up to potential calamity for unsuspecting victims: With control of your Gmail account, the scammers can harvest any personal data you’ve ever sent or received in an email. That can allow them to generate password-reset requests on scores of other services, potentially letting the hackers take over, for example, your Amazon, Facebook or online bank accounts.