Google Docs Phishing Attempt

Google Drive phishing attempts have increased significantly lately. After coming across a blog post on Symantec, I will be sharing our experience with this new and creative phishing attempt.

One day, we received the following email disguised as coming from one of our colleagues, claiming that a document had been uploaded and was ready to be viewed.

Phishing Email

To anyone who bothers to read the complete email, it is immediately noticeable that the email signature gives a different company and name than what is expected.

However, no one can deny that when dealing with similar emails and documents is an employee's main job and takes up most of his/her day, noticing the sender name is all that is needed for that person to trust an email. Imagine a situation where one of the employees is used to receiving dozens of emails with links to Google Docs every hour from that same sender. I believe it would be easy for him to fall for this trick and, at least, open the offending web page.

Clicking on the sign-in link, we are directed to a Google Docs page with a twist. To view that Google Doc, you can sign in with Yahoo, Gmail, Hotmail or AOL!

At this point, there is a good chance that the poor employee from the earlier example would recognize that something is wrong, hopefully close the page, or ask around.

Step one

After choosing to sign in with Gmail, a sidebar is shown that prompts for an email and password.

Step two

We try to log in with some random credentials to see where this might lead us.

Step three

Contacting server and verifying login …

Step four

processing doc

Step five

As you can see, it takes you through a somewhat legitimate-looking process so that you do not get spooked and, well, change your password. Meanwhile, your email and password have already been sent to the attacker. (I did not realize that I forgot to look at where the data was being posted until it was too late; the site admins were able to take down those pages.)

And here is the punchline!

Step six

Step seven

Looking around the website, it turns out to be some kind of Polish sportswear online shop that was compromised, with the extra phishing pages created on its hosting server.

Step eight

All in all, this spear-phishing attempt was not properly conducted. First, the email signature at the bottom is of a different name and company than what is expected. Secondly, people familiar with Google Docs (now Google Drive) will see right after clicking on the link that the page is not actually the same. Thirdly, if someone cared to check the URL of the page, well, they would just close it immediately. Although there are lots of red flags that can warn non-tech users that the email and website are not legitimate, one or two users falling for this is all that the offender is hoping for. Proper awareness talks are highly recommended. A common pitfall is to assume that all employees are technically competent to detect and deal with similar phishing attempts. As this issue is reported on the Symantec blog, it sounds like phishing attempts that imitate the Google Docs or Drive authentication procedure are picking up the pace.
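
The URL check described above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the incident: it flags links whose visible text claims a Google document or sign-in while the link's host is not a Google host. The trusted suffix list, the lure words and the sample message are assumptions made for the illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("google.com",)  # assumption: hosts accepted for Google links
LURE_WORDS = ("google doc", "google drive", "sign in")  # assumption: lure phrases


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(url):
    # Compare the parsed hostname, never a substring of the raw URL.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(raw_email):
    """Return (text, host) for links that claim Google but point elsewhere."""
    parser = LinkCollector()
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    return [(text, urlsplit(href).hostname) for href, text in parser.links
            if any(w in text.lower() for w in LURE_WORDS) and not host_is_trusted(href)]


# Constructed sample message, not the email from the incident.
SAMPLE = (
    "From: Colleague <colleague@example.com>\nContent-Type: text/html\n\n"
    '<a href="http://shop.example.net/docs/">Sign in to Google Docs</a> '
    '<a href="https://docs.google.com/document/d/abc">Google Docs help</a>'
)
```

Matching on the parsed hostname is what keeps look-alike URLs such as `docs.google.com.shop.example.net` or `google.com@shop.example.net` from passing as Google.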

Given the widespread use of Google Docs and Google Drive in general, and the extent to which companies and startups rely on them, these types of phishing attempts are dangerously exploiting our increasing reliance on cloud services. Google’s strategy of “One Account. All of Google” would only result in more frequent and more sophisticated attempts to steal login credentials, especially those of people working in companies that rely on Google’s services for their daily work.