Gone phishing

It looked innocent, like it always does.

The subject line of the message said, “[So and so] has shared a document with you.”

The body text was routine: “[So and so] has invited you to view the following document.”

And there it was, the button that was all that was holding back the hounds of hell: “Open in Docs.”

If you clicked it, you were in a world of hurt, and so were all your friends and contacts.

Last week, somebody (Google is still trying to figure out who) launched a massive and sophisticated “phishing” scam across the country. The scam went to the heart of American businesses that have adopted Google as their method for handling documents.

Google Docs lets you share and edit a document over the internet in real time. This system is especially handy when you are part of a group working in different offices or locations. For example, our executive VP, who lives in Connecticut, sends out Google Docs requests regularly to gather info from business units across the country. I have reporters who live all over North Carolina and in South Carolina who file their stories weekly in Google Docs; I edit them then file the finals for the websites, using the same system.

The bad guys know that.

Just last week in Virginia Lawyers Weekly, we shared, in a front-page news feature, the aggravating and depressing news that the bad guys will get into your computer system. They understand how you work, and they will keep tweaking their nefarious schemes to get your information. Experts who know this stuff warn that it’s just a matter of time and that you should have a response ready.

Google said that it shut down the hack in about an hour.

One wag, a White House correspondent, tweeted that “the new Washington status marker is whether or not you got the phishing google doc.”

Maybe it should be not whether you got it, but how many requests. I got five.

Computer hackers have come a long way in 30 years. Anyone remember the “Stoned” virus? It was one of the very first computer viruses back in 1987. Thought to have been created by a student in New Zealand, Stoned infiltrated a computer’s boot system, then flashed a cheery on-screen message: “Your computer is now stoned. Legalise marijuana.”

Stoned may have given your machine the munchies, but it didn’t try to steal your information. However, it and other viruses gave birth to two industries – bad guys who realized that viruses could wreak havoc and good guys who would try to stop them. Before long, antivirus software became available. Norton, McAfee, Kaspersky and others all advertise, thankfully, that they constantly update their protection to fight new insidious viruses.

And insidious is the right word. Some are downright evil, erasing your hard drive or data out of sheer crackpot meanness. Others just want your money – they try to get to your identity, your credit card accounts or your bank info. And they just about all try to spread by appropriating your contact list and sending your friends the same message, hoping they click because they think it’s from you.

You can tell who clicked on the “Open in Docs” button, because they in turn sent the message on to others.

But don’t be smug and laugh at them for being gullible. Who hasn’t stumbled into something like this at one time or another?

I’ll own up: I have run into trouble – twice – because I trusted public wifi. About seven years ago, I was at a meeting at a college campus and tapped the school wifi. I was rewarded with ransomware that locked my computer, and all my files and work, until I could get home and let our IT guy delete it. Just a week later, my daughter, then away at grad school, called all frantic because she got locked out by the very same ransomware attack. At least I knew how to calm her down; that Best Buy “Geek Squad” protection plan I had purchased was a great investment.

Then last summer, I used a hotel wifi system that somehow let a bad guy into my email. The hackers got hold of an old AOL account I had had since the early 1990s. OK, it was easy to keep around, kind of like a pet dinosaur, and a number of family members still used that address for me. I learned just how many accounts had the AOL address as the contact when I had to change them all.

The bad guys will get in, remember. The Google Docs phishing expedition was carefully planned and executed by somebody smart.

Don’t help them. Don’t be dumb and use “password” as your password. Don’t get so busy that you absent-mindedly click on the hounds-of-hell button without thinking.

Because if you don’t pay attention, you might as well open your wallet and say, “Here’s all my money. Please take it.”