A very tricky phishing scam that takes advantage of Google Docs is making its way around the web. And since it uses a google.com URL and even makes use of Google’s SSL encryption, it’s almost impossible to tell that it’s a hack. Your best safeguard, as always, is a little bit of common sense. Note: This post is from 2014 but has been surfaced by Google in light of another scam. If you are looking for information about the May 2017 scam, please click here.
This phishing scam starts like many other phishing scams: with an email. The malicious message reportedly arrives with the subject line “Documents” and points to a Google Docs link. Again, it shows up in the address bar as a google.com domain and takes you to a fake log-in page that looks just like the real Google login page. This is how the hackers get you.
“The fake page is actually hosted on Google’s servers and is served over SSL, making the page even more convincing,” Symantec security expert Nick Johnston explained in a blog post. “The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive’s preview feature to get a publicly accessible URL to include in their messages.”
Once you log in through the fake page, you’ll even be taken to an actual Google Doc. Your credentials will be sent to PHP script on a compromised server. You may never even know they’ve been swiped. Unless, of course, you don’t fall for the scam in the first place.
To do this just watch out for two things. One, be careful clicking links in emails. If you receive an email from someone you don’t know with a subject line like “Documents,” it’s probably up to no good. Second, if you show up at the log-in screen, you should notice that it doesn’t recognize you as a Google user (if you are a Google user). That’s the fake log in page pictured above to the left and a real Google log in page to the right. So if it seems strange that you have to log in again, beware.
Actually, just beware in general. These phishing scams are getting scary sophisticated. We’ve reached out to Google to see what they’re doing to safeguard users from this one. [Symantec via The Hacker News]
Update: Google got back to us and said the problem is fixed. A statement from their press team reads:
We’ve removed the fake pages and our abuse team is working to prevent this kind of spoofing from happening again. If you think you may have accidentally given out your account information, please reset your password.