According to a Google statement, the worm managed to spread to just 0.1 per cent of Gmail accounts before it was stopped.
That's still over a million users. What Google didn't say is how many contacts, and how many email messages, the worm was able to access.
Most people who have used Gmail for a while will have amassed a large number of contacts and a big email store - after all, Google promotes the service by telling users they never have to delete anything, and contacts are automatically added to an account whenever the user replies to a message.
What everyone's hoping now is that the worm only copied the contacts locally, or temporarily, and didn't send them to a third party. Ditto the email messages.
If the worm exfiltrated the data, the consequences could be severe. The malware initially targeted journalists, whose mailboxes could expose their sources and other confidential information. Think data dumps, and perhaps sources being identified and prosecuted - or killed.
If a million users' contacts were captured, the addresses could be used for future phishing campaigns. Recipients would recognise the sender's name and address and trust the message for that reason alone.
Then there's the systems design mistake of yore of using email addresses as login identities for often sensitive services. Gmail addresses are very popular for that purpose, so fingers crossed the worm didn't harvest a large batch of legitimate ones.
Masses of users storing hugely valuable data: Gmail is a giant treasure trove that digital criminals will keep trying to break into.
Yesterday's attack wasn't the first convincing phishing attack, either.
There will be more, and we must hope that Google's security engineers sleep with one eye open and catch the next ones before they reach the wider Gmail user base.
You don't want to think about what would happen if a billion Gmail users' data was captured.
Five steps to keep your email safe
1. Lock down your account. If your provider offers two-factor authentication (2FA), enable it.
2. If your provider doesn't offer 2FA, move to one that does. Set a strong password as well.
3. Be very careful opening attachments, even if they're being sent by friends and acquaintances.
4. Same with links in emails - hover your mouse pointer over a link first, to see where it actually leads, before clicking on it.
5. Be economical with giving out your email address. Use throwaway accounts to register with sites you won't be using regularly, and don't hand out the address that provides access to your services and personal communications.
On Gmail, check the g.co/SecurityCheckup page regularly, and delete apps you don't use or don't recognise.