If you have been on Facebook and Twitter in the last couple of days, you have probably seen the warnings about opening a Google Docs email. The warnings are true and here is how it works.
First, here’s how to look out for it: If you receive any Google Doc links that have a generic “Documents” or some other label, that should be your first red flag. Don’t open anything if you may not know what it is or who it’s coming from. However, there have been some cases where you will know who the file is coming from — but this can still be the attack, because it seems the Google Doc is being sent to people from email addresses they know. The trick is to check who is CCed on the email. During the most recent attack on May 3, some people have received Google Doc links with “hhhhhhhhhhhhhhhh@mailinator.com” cced. If you see this, or any other strange email addresses, don't open the Google Drive link and delete it immediately.
Now, if you did end up opening the file, here’s what you do next: Change your password immediately. By opening that file, you sent data to the person who hacked that Google Doc, giving them full access to your account. It may also be safe to go through this Gmail Account Recovery security checklist. You can also report the attack to Google. Once you have gone through these tasks, your account will be secure.
So how exactly does this work? According to Gizmodo, by clicking the link to the document your credentials will be sent to a PHP script on a compromised server. They do this by creating a folder in a Google account, marking it as public, and sending it out. So while there is a document created, the actual link to the document is what will steal your information.