Google Docs Users Targeted by Sophisticated Phishing Scam

  • MikeW

    Posts: 6061

    Mar 18, 2014 4:32 PM GMT
    From Symantec: http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam
    Created: 13 Mar 2014 18:14:34 GMT

    We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users.

    The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.

    Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:

    Figure. Google Docs phishing login page

    The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages.

    This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.)

    It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought.

    After pressing "Sign in", the user’s credentials are sent to a PHP script on a compromised web server.

    This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content.

    Symantec customers are protected against this threat.
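
The article's key detail is that the sign-in form is served from a Google host but submits to a PHP script on a different server, and that can be checked mechanically. The following is an added example, not part of the thread or of Symantec's post; the trusted-host list, the class and function names, and the sample page and URLs are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the only host a genuine Google sign-in form should post to.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

class LoginFormFinder(HTMLParser):
    """Collects the action attribute of every <form> holding a password input."""
    def __init__(self):
        super().__init__()
        self.actions = []                      # actions of password-bearing forms
        self._action, self._in_form, self._has_password = "", False, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form, self._has_password = True, False
            self._action = a.get("action") or ""
        elif tag == "input" and self._in_form:
            if (a.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            if self._has_password:
                self.actions.append(self._action)
            self._in_form = False

def suspicious_login_targets(page_url, html):
    """Return credential-form targets whose host is not a trusted sign-in host."""
    finder = LoginFormFinder()
    finder.feed(html)
    flagged = []
    for action in finder.actions:
        # Empty or relative actions resolve against the page that served the form.
        target = urljoin(page_url, action)
        host = (urlsplit(target).hostname or "").lower()
        if host not in TRUSTED_LOGIN_HOSTS:
            flagged.append(target)
    return flagged

# Constructed sample: stand-in for a hosted preview page whose form posts elsewhere.
SAMPLE_URL = "https://hosted-preview.example/folder/login.html"
SAMPLE_HTML = """
<form action="http://compromised.example/collect.php" method="post">
  <input type="email" name="Email"><input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
"""
```

The check looks only at where the password field would be submitted, so the serving host and the presence of SSL, which the article notes made the page convincing, do not affect the result.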
  • Posted by a hidden member.

    Mar 18, 2014 5:02 PM GMT
    Yep, I've seen it and almost got bit by it. In the CRE business we use Google Docs frequently to distribute more detailed information on a specific property. Only thing that saved me is that there was nothing that I was waiting to receive right at that moment or I would have fallen for it.
  • Posted by a hidden member.

    Mar 18, 2014 8:57 PM GMT
    Very clever. Google has web servers that are free for something like half a million hits per day so they could be using that for the initial URL that shows a Google address.

    People shouldn't reuse their password for their email account elsewhere. If my Google password gets compromised it's not that big of a problem for me.
  • Posted by a hidden member.

    Mar 18, 2014 9:46 PM GMT
    Lumpyoatmeal said: "If my Google password gets compromised it's not that big of a problem for me."

    Although I used to have a file of my passwords on Google Docs. I went and checked and apparently removed it a while ago.

    And there is this, although I wish I could pick my own number:

    http://www.google.com/landing/2step/