Phishing page hosted on Google: A true dog-bites-man scam

This is not the Google Docs login page you're looking for.
Symantec

With literally millions of phishing scams crossing the wires each day, media reports about individual ones are the quintessential dog-bites-man stories that are rarely worth the time of writer or reader alike. Every now and then, though, one comes along that's clever enough to make it rise to the top of the massive steaming pile of messages. To wit: one recently caught by researchers from Symantec.

The phishing attempt shows up as an e-mail with the subject "Documents" and advises the recipient to view important files stored on Google Docs. It includes a link in the body. So far pretty banal stuff. But it gets better. As Symantec researcher Nick Johnson writes:

The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly accessible URL to include in their messages.

This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.)

It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought.

After pressing "Sign in," the user’s credentials are sent to a PHP script on a compromised web server.

This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content.

With all the attention on zero-day exploits that surreptitiously install malware with little or no user interaction, it's easy to forget that one of the biggest threats we face is our own gullibility. Most people reading Ars are experienced enough to spot phishing attempts, but the campaign Symantec reported is one I could see my friends or relatives falling for, especially if they were tired, rushed, or otherwise not paying close attention.

Google Docs Users Targeted by Sophisticated Phishing Scam

We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users.

The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.

Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:

Figure. Google Docs phishing login page

The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages.

This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.)

It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought.

After pressing "Sign in", the user’s credentials are sent to a PHP script on a compromised web server.

This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content.

Symantec customers are protected against this threat.

Phishers exploit Google Docs with Gmail de-activation alert

The Gmail database is not congested, and Google is not asking users to confirm that their accounts are still active.

But, it seems that scammers are hoping that you might believe that’s true, according to one of the latest phishing attacks that has been spammed across the net.

Here’s what a typical email looks like:

Google Docs phishing message

Subject: De-Activation Alert!

Message body:
Dear Gmail Account User,

Due to the congestion in our Gmail database, We will be shutting down all unused accounts before on the 30th of June. You will have to re-confirm your account as soon as possible to enable us upgrade your account before the deadline date.
To confirm your account kindly fill the account verification form.

After Following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request.
[LINK]

We apologize for any inconvenience.
Thanks & Regards,
Engineer.J.Williams
Upgrade Team Controller

As the link does point to a webpage hosted somewhere on Google.com, some computer users may believe that the form they are being directed to must be genuine. However, it is actually pointing to a spreadsheet on Google Docs – pages which can be created by any Tom, Dick or Harry.

And, in this case, a “Google account verification form” is attempting to trick you into handing over personal information – such as your name, full date of birth and password.

Google Docs phishing site

The eagle-eyed might spot the spelling mistake in the form (“confrim” rather than “confirm”) but you can hardly rely on the phishers making errors like that as a way of protecting yourself.

Why are the scammers using Google Docs to host their phishing pages?

Well, they hope that potential victims will believe it’s a genuine Google resource as it is hosted at an authentic Google URL, and that rudimentary security software won’t feel comfortable blocking the entire google.com domain. (Of course, good security software is smarter than this).

Users shouldn’t forget that a site like Gmail knows if you have been using it recently or not – because every time you log in or send an email a record is kept somewhere inside the Googleplex.

Not that Google is likely to run out of any storage space or plan to shut down any dormant email accounts any time soon by my reckoning.

Hat-tip: Thanks to Naked Security reader Guido for sending us a tip about this scam.