Last Wednesday morning I received the Google Docs phishing email in question from a client. It just so happens that the client I received the phishing email from uses Google to share documents on a regular basis, so I was hooked. Busy with other things (I didn't practice what I preach), I clicked on the link even though there were indeed indicators that something was amiss.
Shortly after clicking the link I knew I had made a mistake, but even within seconds of clicking, it was too late. I was now a small part of Internet history...hundreds of personal and business contacts were now receiving the phishing email from me.
In the end, last week's phishing scam appears to have been mostly benign. However, the reality is that it could have been much worse and should stand as a vivid reminder of the importance of security awareness in today's world.
One of the best writeups I've seen about the scam came from Keith Hanson. He posted his breakdown of the scam on LinkedIn, which was based on his own experience with the scam and a review of the code behind it. While many stories talked about the sophistication of the attack, Keith's opinion was that "The code wasn't sophisticated. It was clever, but it was actually pretty sloppy and did NOT take full advantage of the power it held."
The major thing it could have done (but thankfully didn't) is take over users' Gmail accounts. In doing that, it could have easily been coded to comb through all the emails, contacts, and files stored in Google Drive looking to extract passwords and other private information that could be used for nefarious purposes.