I received an unexpected email from a friend today with a Google Doc attachment. It was a friendly note, so friendly that I did consider clicking on it — even with about 20 years' experience watching all manner of hacker tricks. Fortunately, I stopped and asked a simple question, which is almost always enough to separate real email from phishing attacks.
“Did you mean to send me a document?”
I’ve done this 100 times, and I’ve nearly always received an “Oh no, I must have been hacked” response. Today, however, was different. That’s why I’m nervous for you.
“Yes, I sent it myself…,” was the response I got from my friend’s email account. “Log in to view the document.”
Whoa. Knowing my friend as I do, I could tell this was not written in her chatty style. But outside of that language analysis and my already raised eyebrows, I might have clicked. So I persisted.
“How is the new home?” I asked, fishing for any sense that my friend was behind the email. Again, I expected that a hacker wouldn’t bother responding. After all, in a traditional phishing attack like this, it’s likely the bad guy sent out a million of these emails, just hoping to get 100 or so people to click and cough up their login credentials.
Seconds later, I got a response.
“Nice and lovely.”
Two email responses? This was getting interesting…and concerning. I now had a pretty strong feeling that a computer criminal was behind the keyboard, but there was still a small chance it was my friend. So I did two things. You can try these two if you think you might be talking to a criminal.
1) I contacted her on Facebook, borrowing from a technique called “out of band” authentication: I used a different channel to ask her whether the email was real. Mind you, it’s possible that both my friend’s Gmail and Facebook accounts were hacked, in which case the criminal could have “passed” this test. But it is at least a good start. If I’d had more time, I would have sent her a text message from my cell phone and waited for a reply, which would genuinely qualify as “out of band” authentication.
2) I devised a question that a hacker probably couldn’t answer.
“I’m coming to visit (your new city) soon. Remind me, what neighborhood are you in?”
Then the email fell silent. Again, this isn’t a perfect strategy: a very clever criminal could have hacked into her Facebook account and replied with her new neighborhood (which, of course, I know). But I had climbed up the ladder of authentication pretty easily, without saying anything too offensive.
What does that mean? Many people fall for booby traps because they are simply too polite to say, “That doesn’t sound like you!” Criminals rely on social conventions like these to trick us: such a statement might generate a reply like, “I can’t believe you said that. I’m really offended,” and many people back down at that point. So polite but informed banter is a good tool for situations like this.
Those details aside, I’m writing this up to share with you something that really concerns me. It is incredibly labor intensive for a hacker to reply to notes like mine. That says one thing to me: Someone is trying awfully hard to trick you into surrendering your login information. So watch out.
So what was going on? I’m pretty sure it was this. Users who click on the attachment are taken to a page that looks like Google Docs but isn’t, and are tricked into logging in to a page controlled by criminals, thereby handing over their Google credentials.
This is bad because a bad guy could send out emails in your name, but really, it’s much worse than that. Millions of people use Gmail as their password recovery address, so when a hacker gains access to it, s/he can often use it to take over other accounts. For example, they go to an online banking site, click on ‘I forgot my password,’ and have a password reset link emailed to your Gmail account. The problem can spiral pretty quickly.
My friend wrote an hour or so later to say she knew nothing about the emails, and that a hacker must have broken in. She’s in full recovery mode now. If this has happened to you, here are Google’s instructions on what to do.
Meanwhile, NEVER click on a link to an attachment you don’t expect, even if it comes from a friend. And even if that “friend” asks you to click on it several times. On the Internet, nobody knows you’re a dog. And you don’t know if you’re talking to a hacker, either.