Pierluigi Paganini March 15, 2014

Security Researchers at Symantec detected a new Sophisticated Phishing Scam that is targeting the Google Docs Users with complex social engineering tricks.

Phishing is still considerable as one of the major cyber threats, its impact on the IT industry is devastating considering that attackers are adopting new techniques even more sophisticated.  Principal security firms and CERTs are alerting governments and private enterprises on the alarming growth of phishing, the cybercrime is exploiting new platforms like mobile and social media to conduct phishing and spear phishing attacks.

Today I decided to describe an interesting case proposed by Symantec related a  sophisticated phishing scam against Google Docs Users. The attackers used phishing email with the subject “Documents”, the content is requesting the recipient to view an important document published on Google Docs by clicking on the included link. The link redirect users to a fake, end very convincing, Google Docs login page as shown in the following picture:

The attacker hosted the fake page on Google’s servers and adopted SSL protocol for the connections, making the page even more convincing.

“The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive’s preview feature to get a publicly-accessible URL to include in their messages. This login page will look familiar to many Google users, as it’s used across Google’s services. (The text below “One account. All of Google.” mentions what service is being accessed, but this is a subtlety that many will not notice.) It’s quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought.” states the blog post published by Symantec.

Once the victim clicked on “Sign in”, the user’s credentials are sent to a PHP script on a  web server controlled by the attackers and the page redirects the user to a real Google Docs document.

Symantec researchers remarked that Google accounts are considerable a valuable target cybercriminals, they can give to the attackers a full access to all the services provided by the company, including Gmail and Google Play.

The attackers can use a Google account for further attacks or, as hypothesized by Symantec researchers, to purchase Android applications and content.

Pierluigi Paganini

(Security Affairs – Symantec, phishing)