Scammers, who are probably not wealthy princes, are sending malicious links to hundreds of thousands of users through Google Drive via its collaboration features. In Drive, you are notified via email when a file is shared with you or when you’re mentioned in a comment. Hackers are plugging in email addresses in bulk via the share and comment features in hopes that someone will click on the spam links that these emails contain. These links are potentially (almost definitely) malicious and promise rewards or prizes. The messages being blasted out are mostly written in broken English or Russian, and several people have reported that they’re seeing them across Google Docs, Sheets, Slides and even Sites.
Gmail has fantastic spam and filtering technology built in, so instead of sending the traditional phishing email directly to your inbox, people with nothing better to do than to ruin the lives of others have resorted to new tricks. The fact that these emails come to a user’s inbox via Google’s noreply system means that they look legitimate – well, because they are – at least until you open them and read their contents. As you can see from the tweet above, they contain time-sensitive or urgent messages that are meant to scare you into clicking the links they contain. Once you do (and we hope you don’t!), you’re redirected to a website that obviously wants you to input your personal information.
You could turn these notifications off, but in doing so, you could potentially miss out on important alerts from your co-workers on shared or commented files. A Google spokesperson has stated that they’re actively investigating additional measures they can put in place that will make it more difficult for hackers to exploit this feature. There are currently systems built in to detect spam attacks and to stop them, but nothing is perfect. It looks like Google may have to get really crafty to prevent these attacks in the future. I always like to think that a magic sprinkle of AI and machine learning will solve every problem, but real people still have to teach machines to learn and do the hard work first!
A similar scam circulated around the internet earlier last year via Google Calendar. Phishers took advantage of automated notifications that would ping a user’s email address if they were invited to an event and placed fishy links in the details section. The best thing you can do at this time is to educate yourself on phishing attacks and other social engineering scams and how to avoid them. Check out the video below to get your feet wet! You can also visit Interland and teach your kids how to Be Internet Awesome and prepare them against these types of attempts!