Sophisticated Google Drive Phishing Scam is becoming popular

Pierluigi Paganini May 23, 2014

Security experts at Symantec have discovered a new phishing scheme based on Google Drive that is being used by hackers to steal Google Account credentials

Phishing scammers are exploring new technique to conduct illicit activities, in the recent weeks we have already discussed on the efficiency to use Google Docs and Google Drive  for phishing campaigns.

Google Drive popularity is significantly increased due an aggressive pricing policy, and the availability of premium Google Drive accounts pre-installed on many mobile devices.

Google Drive is considerable a privileged target, stealing Google credentials cyber criminals could access to the overall services provided by Google.

This form of phishing is surely more efficient of classic methods based on email messagesconsider, in fact, that Google Drive phishing page is actually served over a secure SSL connection from the legitimate Google Drive service itself, this circumstance makes hard its detection to defense mechanisms.

Many users base their principal defense against phishing on the visual inspection of the URL, it’s a good habit but not enough to prevent them against this type of scam.

Symantec has recently published a blog post to alert users on a new sophisticated Google Drive phishing scam, also in this case scammers used a phishing message with a simple subject of “Documents” and containing a URL pointing to a phishing page hosted on the Google Drive file storage and synchronization service.
Google Drive scam page

The particularity of this scheme is that phishers have faced with problems adding at the bottom corner of the page a language selection box. Users must be alerted by the fact that the items in the list have been inadvertently corrupted, as some language names are presented with a question mark on each side.

“This corruption is probably because Google lists languages in their native scripts: for example, Korean is listed in a language dropdown using the native Korean alphabet of Hangul: 한국어. When phishers saved a copy of the Google login page, they likely inadvertently changed the character encoding from UTF-8 to ISO-8859-1 (Latin-1), causing this corruption in the display.” states Symantec.

Google Drive scam page Lan

Unfortunately, victims ignore the problem to the Language selection box, they tend to underrate it and then proceed to login to the phishing site using their credentials to attackers.

Symantec experts noticed that stolen credentials are sent to a PHP script on a compromised server which redirects the victim to a document hosted on Google Drive.

  • [http://]backpackingworldwide.com/[REMOVED]/performact.php

The script name “performact.php” is the same used in previous Google Docs and Google Drive phishing scam, this circumstance suggests that the attackers behind the phishing campaign are the same or probably linked to the author of the principal attacks observed in the past months.

As explained by experts at Symantec this tactic could be used also for other illicit activities like malware distribution.

“Static HTML pages on Google Drive are also being used to redirect to malware. In these cases, a very small HTML file (under 100 bytes) uses JavaScript to redirect victims to a shortened URL (using SSL, perhaps to give a false sense of security). The shortened URL finally redirects to a compromised Brazilian website hosting a Trojan.”

Once again, let me suggest you to enable Google’s two-factor authentication to reduce your exposure to this type of scams.

Pierluigi Paganini

(Security Affairs –  Google Drive, phishing)  



you might also like

leave a comment