Phishing with help from Google Docs

Filed Under: Featured, Phishing, Spam

It's child's play to create a Google account, and use the Google Docs facility to host an online form. Maybe you'd want to use it to poll customers' opinions, for instance.

But if you're a scammer, you can equally use Google Docs to phish for passwords and sensitive information.

Here are a few email campaigns I saw spammed out today, attempting to trick users into handing over their confidential data.

In the first example, the email asks the recipient to confirm their email account details or risk having it shut down.

Phishing message

The message reads:

Confirm your e-mail account please enter your Mailbox Details by clicking the link below:
[LINK]
Failure to provide details correctly will result to immediate closure of your mailbox account from our database.

As you can see, the link points to a page on Google Docs (docs.google.com). That gives the link a false aura of legitimacy. But what the link can't do is tell you whether the Google account holder is legitimate or up to no good.

In this case, as you'll see if you click on the link, it's clearly an attempt to phish information from internet users.

As the screenshot below shows, the page falsely claims that your email account will be shut down in three days and the only way it claims you can resolve the situation is by entering your username and password.

Phishing page on Google Docs

Before you know it, your email account will be compromised. And if that username/password combination is being used elsewhere on the web or if - as is the case with Google - your details unlock a variety of services, then the security breach is compounded.

Here is another example of phishing via Google Docs that I encountered today. Again, it arrives in the form of a spam email.

Phishing message

The email reads as follows:

Subject: MAIL QUOTA 89.99%(VALIDATE)

Helpdesk requires you to validate your webmail.
Due to our upgrade, Protecting your webmail account is our primary concern, revalidate your e-mail by clicking [LINK] help desk.

If you do make the mistake of clicking on the link then you are taken once again to a page hosted on Google Docs (don't be fooled by the different colour scheme).
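The point made above is that a docs.google.com link carries no information about who is behind the form, so the hostname alone cannot be used either to trust or to block a message. The following is an added example, not code from the original post or from Sophos: a small mail-triage heuristic that only treats a Google Docs link as suspicious when the same message also asks for credentials and applies time pressure, as both emails quoted in this post do. The keyword lists, the placeholder form URL and the three sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Keyword lists are constructed for this example (assumptions), drawn from the
# wording of the two phishing emails quoted in the post.
CREDENTIAL_TERMS = ("password", "mailbox details", "username",
                    "validate your webmail", "confirm your e-mail", "revalidate")
URGENCY_TERMS = ("immediate closure", "shut down", "quota",
                 "failure to provide", "three days")

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def docs_form_links(text):
    """Return every URL in *text* whose host is exactly docs.google.com.
    The host comparison is strict so look-alike hosts such as
    docs.google.com.example.net do not match."""
    found = []
    for raw in URL_RE.findall(text):
        host = (urlparse(raw).hostname or "").lower()
        if host == "docs.google.com":
            found.append(raw)
    return found


def score_message(subject, body):
    """Score one email. A docs.google.com link on its own proves nothing
    (legitimate surveys use them too); the message is flagged only when it
    also asks for credentials and threatens a deadline or closure."""
    text = f"{subject}\n{body}"
    lowered = text.lower()
    links = docs_form_links(text)
    creds = [t for t in CREDENTIAL_TERMS if t in lowered]
    urgency = [t for t in URGENCY_TERMS if t in lowered]
    return {
        "docs_links": links,
        "credential_terms": creds,
        "urgency_terms": urgency,
        "suspicious": bool(links) and bool(creds) and bool(urgency),
    }


# Constructed placeholder form URL (not a real form) standing in for the
# [LINK] in the quoted emails.
FORM_URL = "https://docs.google.com/forms/d/EXAMPLE-FORM-ID/viewform"

# Constructed sample mailbox: the two emails quoted in the post with the
# placeholder link inserted (the first subject line is made up, the post does
# not give one), plus a benign customer survey that also uses a Google form.
SAMPLES = [
    ("Confirm your e-mail account",
     "Confirm your e-mail account please enter your Mailbox Details by clicking "
     f"the link below:\n{FORM_URL}\nFailure to provide details correctly will "
     "result to immediate closure of your mailbox account from our database."),
    ("MAIL QUOTA 89.99%(VALIDATE)",
     "Helpdesk requires you to validate your webmail.\nDue to our upgrade, "
     "Protecting your webmail account is our primary concern, revalidate your "
     f"e-mail by clicking {FORM_URL} help desk."),
    ("Tell us how we did",
     "Thanks for your order. If you have two minutes, please fill in our "
     f"satisfaction survey: {FORM_URL}"),
]


def triage(samples):
    """Return the subjects of the messages that should be held for review."""
    return [subj for subj, body in samples
            if score_message(subj, body)["suspicious"]]


if __name__ == "__main__":
    for subj, body in SAMPLES:
        print(subj, "->", score_message(subj, body))
    print("hold for review:", triage(SAMPLES))
```

Run stand-alone, it flags the two quoted phishing emails and lets the survey through. The design choice worth noting is that the hosting domain is only ever one of three signals; a rule that blocked or trusted docs.google.com by itself would either break legitimate forms or miss the very case this post describes.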

Phishing page on Google Docs

Don't forget, at the bottom of each Google Docs form there is a link where you can report abuse, such as phishing or offensive content.

Report abuse on Google Docs

Clicking the link should take you to a screen like this, where you can anonymously explain what your issue is with the page.

Google Docs abuse form

Sophos has reported the phishing webpages to the abuse team at Google Docs.


9 Responses to Phishing with help from Google Docs

  1. I would never fall for that. I can see how some people would though.

  2. lewis · 837 days ago

    This was bound to happen when offering a service like this, they should put a BIG red disclaimer at the top stating that they will never contact people for their password/e.t.c using this kind of form.

    If people don't like the disclaimer on their form then go somewhere else simple !

    Cheers for sharing Sophos

    Good read yet again !

  3. David · 837 days ago

    Reporting abuse doesn't seem to help though - we reported some sites weeks ago that are still phishing.

  4. Ted J · 837 days ago

    Great article Sophos! Unfortunately, there will always be malicious users of Forms but I think the benefits and functionality far outweigh this. The best way to counteract this is through education. Fortunately, these types of emails do get caught by the spam filter often.

    David, just to note that reporting abuse will not automatically remove a form. Your best case is to have unique visitors to the form to report the abuse. Also, as always, you can post on the Google Docs Help Forum (http://productforums.google.com/forum/#!categories/docs/report-an-issue) where myself, fellow Docs TCs, or Googlers will be able to help with expediting a particularly phishy form.

    Cheers!

  5. Jon Fukumoto · 836 days ago

    Very sophisticated form of social engineering. The cyber criminals are getting smarter every day. That's one reason I'm not using my gmail account anymore.

  6. engliishadam · 836 days ago

    Great sharing! Thanks a lot for giving out crucial info. Hackers always try various types of scam things to get users' personal info and we need to be aware of such attacks. Thanks :)

  7. terryl_1133 · 836 days ago

    Thank you for all info here everyone. It does help those who bother to read such things.

  8. Frustrated · 726 days ago

    Just got one of those spam mails referring to Google Doc, having managed through all our watchdogs. Basically, as I see it you MUST go to the page (click ON the fraudulent link) to report any abuse, that is you have to try to get infected (if it's more than a questionnaire).

    This reminds me about the company abusing my credit card last (and first) time it arrived, when I phoned them up to complain the answer was "pls give me your credit card number so we can correct whatever is wrong", OK to give my name but NOT ALSO the number !

    So, as I get it Google has so many complaints that they hide away how to report abuses. And you can always try to find your way with their "help": you run around in loops, so I assume 90% of people end up NOT reporting anything and Google gets the feeling they are doing well ;)

  9. Phill · 588 days ago

    Have to agree with Frustrated, Google makes it almost impossible to report anything, you need to click on the link to report it and THEN the report link uses the bad link as its base, so for all you know you are reporting to the phisher using the same form ?

    Example, phish link active as I write this
    https://docs.google.com/forms/d/1Wek1gk51Zn60XdHw...

    report abuse link
    https://docs.google.com/forms/d/1Wek1gk51Zn60XdHw...

    that does not exactly inspire confidence.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.