A team of security researchers at Avanan is reporting that hackers are taking advantage of a Google Docs security vulnerability—one that takes advantage of a comment feature. They are claiming that they saw hackers using the vulnerability to target 500 inboxes of 30 Outlook users involving over 100 individual email accounts.
The team at Avanan claims that they found an earlier exploit in Google Docs last June—one that allowed hackers to send phishing links to users. Then, this past October, they discovered that hackers had found another way to send phishing links to unsuspecting users, using the comment feature. They further claim that the vulnerability was not fixed by Google and because of that they began seeing hackers taking advantage of the vulnerability last month.
The hacking approach is both simple and straightforward—a hacker creates a Google Docs document and adds comments to it that include an @ symbol followed by an email address. The symbol automatically alerts the system to send an email to the person designated in the email address—the email that is sent has phishing links in it, sending the user to a webpage that could lead to malicious code.