Google Docs - a full-featured, full-service phishing facility?

Filed Under: Data loss, Featured, Law & order, Phishing, Privacy, Spam

SophosLabs has come across two spam campaigns this weekend which rely on Google Docs as a "full-service" phishing back end.

We wrote about Google Docs phishing back in June last year, when the search giant's cloud service was used to target users of Gmail itself.

These recent phishes, however, target two very different groups of users.

The first campaign is aimed at internet users of ANZ, one of the 'big four' Australian banks; the second is aimed at online users of the web portal of a large school in North America.

ANZ Bank has a strict policy to ensure that all our customer online banking details are secure and updated regularly. This is done for your own protection because some of our clients no longer have access to their online banking service due to fraudulent activities suspected by the bank management.

In order to make sure that your online banking experience is even more safe and secure, we have introduced a new security feature that allow us to detect any unusual activity on your account. So with regards to this development, to update, re-activate and verify your online banking account login details CLICKHERE

...

Thank for your understanding. We hope to serve you more better.

The email above takes you to the Google Docs form shown below:

Using Google Docs for phishing 'surveys' benefits the crooks in several ways.

* The web hosting for the phishing forms and the fraudulently-collected data is provided, free of charge, by Google.

* The Google Docs user interface provides a simple and snazzy front end for designing the form.

* Google Docs can automatically generate emails to prospective victims inviting them to click through to the phishing form.

* The results are automatically and conveniently collected into a password-protected spreadsheet, which can be retrieved from anywhere.

* The URL uses HTTPS, which gives it an aura of security.

* The URL takes you to a google.com domain, which gives it an aura of legitimacy.

Of course, anyone can create a Google account, create surveys and collect results.

So, the security and legitimacy of the https://docs.google.com/ URL is important for legitimate users of Google's services, but it doesn't, by itself, vouch for the honesty and integrity of the account holder.

Nevertheless, despite the safe-looking URLs, phishes of this sort are easy to spot, and just as easy to avoid.

As we've explained many times on Naked Security:

1. Don't click on links in emails which could have come from anywhere. If they could have come from anywhere, they probably did.

2. Even if it looks legitimate, never use any URLs, phone numbers or other 'calls-to-action' provided in a security-related email. Find your own way to the company's website or support line.

3. If you're a native English speaker, take a careful look for grammatical and spelling errors. Scammers often make give-away mistakes.

(Big banks spend a lot on appearance. They won't write to say they hope 'to serve you more better', like the scammers did here. Better implies more, so the latter word is not needed. Of course, correct grammar doesn't tell you that an email is legitimate. But careless errors like this almost always signal that an email is bogus.)

By the way, Google Docs forms include a Report Abuse link at the bottom. This link is generated in Google's cloud, and so cannot be removed by a cybercrook.

So, if you find yourself on a form which you suddenly realise is bogus, you can easily report it so Google can take some action.

Naturally, this raises the question, how do you know the Report Abuse link is legitimate?

Firstly, if you copy the link and paste it into the address bar yourself, it will link back into Google's cloud, something like this:

https://docs.google.com/spreadsheet/reportabuse?formkey=xxxxx...

Secondly, when you report a dodgy link to Google, you won't be asked to do anything except to categorise it. You won't be asked for a username, password, email address, or any other personal information.
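The two checks just described, on the address you paste into the address bar and on what the resulting page asks of you, can be written down as code. The following is an added example, not code from the original post or from Google; the sample links, hostnames and field labels in it are constructed for illustration (the `.example` and `.test` domains are reserved placeholders, and `CONSTRUCTEDKEY` stands in for a real form key). It also handles the lookalike case the post implies but does not spell out: a hostname that merely contains "google.com" is not Google's.

```python
"""Defender-side checks for links in a suspicious email (added example).

Two questions from the post: (1) does the URL really lead back into Google's
cloud, judged on the host component rather than on the string 'google.com'
appearing somewhere in it, and (2) does the landing page ask for more than a
category?  Every sample URL and field label below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hostname the post treats as Google-operated.  Exact match only: a lookalike
# such as docs.google.com.attacker.example is a different host entirely.
GOOGLE_DOCS_HOSTS = {"docs.google.com"}

# Data a genuine Report Abuse form does not ask for (you are only asked to
# categorise the link).  Word-bounded so 'pin' does not match 'opinion';
# 'date of birt\w*' also catches the misspelt 'date of birtth'.
SENSITIVE = re.compile(
    r"\b(password|passcode|pin|user ?name|user id|date of birt\w*|dob|"
    r"card number|cvv|email address)\b",
    re.IGNORECASE,
)


def classify_url(url: str) -> dict:
    """Describe where a URL actually leads, using only its structure."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    google_hosted = host in GOOGLE_DOCS_HOSTS
    return {
        "host": host,
        "https": parts.scheme.lower() == "https",
        # 'google.com' appearing anywhere in the string proves nothing.
        "mentions_google": "google.com" in url.lower(),
        "google_hosted": google_hosted,
        # Google's own abuse-report endpoint, as quoted in the post.
        "report_abuse": google_hosted and parts.path.endswith("/reportabuse"),
        "has_formkey": "formkey" in parse_qs(parts.query),
    }


def verdict(url: str) -> str:
    """Collapse classify_url() into one label a help desk could act on."""
    info = classify_url(url)
    if info["report_abuse"]:
        return "google-report-abuse"
    if info["google_hosted"]:
        # Hosted by Google, but that says nothing about who built the form.
        return "google-hosted-form"
    if info["mentions_google"]:
        return "not-google-despite-name"
    return "third-party"


def asks_for_personal_data(field_labels) -> list:
    """Return the labels that request credentials or personal data.
    An empty list is what a real abuse-report form should produce."""
    return [label for label in field_labels if SENSITIVE.search(label)]


# Constructed samples: one genuine-looking abuse link, one Google-hosted form,
# one lookalike host, one third-party redirector and one unrelated site.
SAMPLE_LINKS = {
    "report":    "https://docs.google.com/spreadsheet/reportabuse?formkey=CONSTRUCTEDKEY",
    "form":      "https://docs.google.com/spreadsheet/viewform?formkey=CONSTRUCTEDKEY",
    "lookalike": "https://docs.google.com.update-secure.example/viewform?formkey=CONSTRUCTEDKEY",
    "redirect":  "http://secure-login.example/go?next=https://docs.google.com/",
    "other":     "https://example.test/login",
}

# Constructed field labels: what an abuse report asks, versus the kind of
# form the post describes (name, username, password, date of birth).
REPORT_FORM_FIELDS = ["Type of abuse", "Additional details"]
PHISH_FORM_FIELDS = ["Full name", "Username", "Password", "Date of birtth"]


if __name__ == "__main__":
    for name, url in SAMPLE_LINKS.items():
        print(f"{name:10} {verdict(url):25} {classify_url(url)['host']}")
    print("abuse form asks for:", asks_for_personal_data(REPORT_FORM_FIELDS))
    print("phish form asks for:", asks_for_personal_data(PHISH_FORM_FIELDS))
```

The point of `verdict` is the middle branch: a link can be genuinely hosted on docs.google.com and still be a phishing form, which is exactly why the post says the URL vouches for Google, not for the account holder.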

PS. Yes, the offending phishing URLs are blocked by Sophos products (Web Appliance, Email appliance and Endpoint Protection). And, yes, we've reported them to Google.

13 Responses to Google Docs - a full-featured, full-service phishing facility?

  1. alenxa · 948 days ago

    The pictured form looks a LOT like the cookie-cutter "apply for a job here!!" websites of a few years ago. The layout is a huge red alert klaxon for me in general browsing, and any legit business that deliberately designs any part of their site to look that way loses my trust immediately.

  2. D Haile · 948 days ago

    Where's the report on the high school then? I can only see the bank part here.

    • Paul Ducklin · 948 days ago

      There wasn't room to put in both mails and web pages. Similar idea though: IT department needs you to confirm your account; please CLICKHERE. Leads to a generic-looking green page (the "Report Abuse" image comes from the school phish) which asks for personal info, password and DOB (spelled as "date of birtth" :-) The educational establishment is not identified by name, presumably to allow the scam to be re-used more widely.

  3. SteveH · 948 days ago

    ANZ seems to be a big fat target atm...

    My wife receives emails daily asking to verify her CC details in order to avoid account suspension... lucky she has an idea..

  4. FiDan · 948 days ago

    And at the end the grammatical error "We hope to serve you more better" is truly laughable. If nothing else, that would tip me off. A real bank just would not make such a mistake.

    • Paul Ducklin · 948 days ago

      Indeed - looking out for that sort of error is Tip #3 in the advice above. Good grammar is not "proof positive" but bad grammar is almost always "proof negative".

      Of course, for the majority of English speakers in the world, English is a second (or Nth, N > 2) language and since "more better" is perfectly comprehensible, it's not obvious that it's incorrect usage. It's one of those "rules" of English you can't guess but have to learn, just like the plural of mouse, or how to pronounce the word buoy - something even the Americans (boo-wee) and the British (boy) can't agree on.

      • Mike Chicklin · 639 days ago

        "More better" is not one of those hidden rules of English; it's just wrong. "Better" is already the comparative form of "good." So in short, "more good" would have been slightly understandable, but "more better" is just hilarious. Good work spammers!

  5. Basil Bean · 948 days ago

    "We hope to serve you more better." - really, you'd think that they'd at least make it more credible by getting the grammar right. I'm surprised that they haven't thrown in a "done good" somewhere.

  6. Derek · 948 days ago

    I am not quite understanding your 1, 2, 3 process here. Especially 2. Even if it looks legitimate, never use any URLs, phone numbers or other 'calls-to-action' provided in a security-related email. Most security activation is done through emails. Not to mention it is easy to spoof an email so even if an email comes from a site that has the legitimate bank domain it could still be a fraud. Or it could be the real thing. It's more important to find out where the link is redirecting. The other thing to note is that any kind of support will never ever ask for passwords. If they ask for passwords that right there should be a clue.

    • Paul Ducklin · 947 days ago

      More specifically, I meant to say that for any email which is informing you of a security issue and asking you to take action to fix it, avoid links or phone numbers.

      Admittedly, an "activation" email of the sort you describe - which, presumably, you'd be expecting - is a different beast.

  7. Andrew · 948 days ago

    Seen a few of these phishing emails floating around. What bugs me is Google's seeming inaction on them. Whenever we see these we use the report abuse links supplied by Google, only to find (in most cases) months later, the same information collecting forms still active.

    • William Dorsey · 948 days ago

      I agree with Andrew 100%. I, too, have seen the same phish URL repeated just a few days later.

  8. DjFIL · 948 days ago

    The ISP I work for had our customers targeted in this manner over the past few weeks trying to phish for people's webmail login and account info.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog