Secure Google Docs email results in mailbox compromise

Filed Under: Featured, Google, Phishing, Spam

A large-scale phishing attack has been making the rounds this week, pretending to be a "Secure Document" sent to you via Google Docs.

While those of us in the security industry might not be surprised, phishing attacks are consistently proving themselves to be one of the most effective ways to evade traditional defenses.

As many organizations move to the Google cloud, this type of phishing lure will continue to yield results for the criminals.


The email reads:

Hello,
A Secure Document was sent to you by your financial institute using Google Docs.
Follow the link below to visit Google Docs webpage to view your Document
Follow Here. The Document is said to be important.
Regards.
Happy Emailing,
The Gmail Team

Phishing emails aren't exactly rare, but this one caught my eye. In addition to being a somewhat plausible lure, it is an equal-opportunity exploit.

If you click the link, you are presented with a phishing page hosted in Thailand.

The page not only asks for your Google credentials, it also suggests it will accept Yahoo!, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account.


Of course, filling out this form can only end in tears. Your details are sent off to the compromised servers for whatever purposes these thieves desire.


You might think, "So what? My Gmail isn't full of secrets that will destroy my nation/life/career."

You would likely be wrong, because your email is the key to unlocking much of your online identity.

Forget your banking password? No worries, they will email you a password reset link.

Does your company use cloud services? Your email account is likely the key to accessing those systems as well.

Phishing is an amazingly successful technique.

Just ask the Syrian Electronic Army, who with little technical talent have been able to compromise some of the most powerful media organizations in the world.

If you are an IT administrator, attacks like this are opportunities to educate your staff about the risks.

This might not be the most convincing phish out there, but it is a useful teaching example.

Many organizations rely on Google and other cloud service providers for critical IT services, and to staff at such an organization a message like this could be very believable at first glance.

What do I do to avoid being a victim? I create shortcuts in my browser for all sensitive services.

If I need to access my email, bank or other online service, I don't click the link; I click the favourite.


18 Responses to Secure Google Docs email results in mailbox compromise

  1. Carol Zupkas · 369 days ago

    Thank you for the info. You say, "I click the favourite." What do you mean? Is this also a threat for individuals?

    ~ Carol Zupkas ~

    • Chester Wisniewski · 369 days ago

      I create favourites for all my important services. I never click a link to my bank, retirement account or email, I just click the favourite which is sure to deliver me to the correct website (assuming their DNS has not been compromised).

    • Cameron · 369 days ago

      Hi Carol - I don't mean to put words in his mouth, but I'm pretty sure Chester means that he has saved his most visited pages as favorites or bookmarks in his browser, so rather than clicking on the phishing links in an email, he clicks on the favorite link that he's previously saved - that way he knows he's going to the page he wants to go to.

  2. Richard · 369 days ago

    The thieves being able to read your email isn't the only problem; they would also be able to send email from your account. All they have to do is send a few "plans to blow up the embassy" emails to random people, and you'll end up in Guantanamo Bay.

    • They can (and do) also send more targeted phishes to people in your contact list, pretending to be you. Since they're doing this from within the web of trust, the phishes are much more likely to garner victims who wouldn't fall for the original phishing attack. This also has the benefit (for them) that often there is no phish/spam filtering between email addresses on the same internal network -- so if they can use this technique to gain access to your internal email accounts, they have unfettered access to the trust network inside the firewall.

  3. JJones · 369 days ago

    A Gmail ID is the gateway to all Google services, not just email: Docs, Play Store purchases for Android devices (potentially giving info about said devices), contacts, history on YouTube, Google+, and of course Google Wallet. If you put your home & work addresses in Maps (as My Places entries) then that info is revealed as well.

    Anyone that wants to profile someone can learn a huge amount with nothing more than Gmail credentials.

  4. Protect your accounts people! Most services offer 2-step verification. Here is information about Google's 2-step protection systems: http://www.google.com/landing/2step/

    If I were to fall victim to a phishing attack, my email accounts are still secure because the attacker would need more than the password to gain access.

  5. Nigel · 369 days ago

    The general rules I follow are:

    1. Never click on a link in a mass-emailed message.
    2. Never click on a link without first inspecting the URL syntax.
    3. Never click on a link in a message that uses moronic semantics...like the one in the article, which says "financial institute". Dead giveaway.
    4. Never, ever click on a link that purports to connect me to a login page for any account, anywhere, for any purpose.

    About the only links I ever click are those that come from private or professional correspondents who are referring me to links they personally have vetted. Most of them use encrypted mail, and I'm certain that the messages are genuine.
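Both the author's advice to open sensitive services from a saved favourite rather than an e-mailed link and Nigel's rule 2 above (inspect the URL before clicking) come down to one question: which host does the link really land on? The following is an added example, not code from the original post or from Sophos, of the check a practitioner would automate. The expected domain, the sample links and the "Follow Here" anchor text are constructed for the example (the anchor text is the one used in the mail quoted above), and registrable_domain() is a deliberate simplification that assumes a one-label public suffix.

```python
"""Link inspection before clicking: extract the host a link really lands on
and compare it with the domain you meant to visit. Added example code, not
from the original post; sample links are constructed."""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'google.com' for 'docs.google.com'.
    Simplification: assumes a one-label public suffix. Real code should use
    the Public Suffix List so that 'example.co.uk' is not read as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(url: str, expected_domain: str) -> dict:
    """Return the real host, its registrable domain and a list of findings.
    'ok' is True only when there are no findings at all."""
    parts = urlsplit(url)
    # .hostname drops any 'user:pass@' prefix and ':port' and lower-cases,
    # which is exactly what the eye does NOT do when reading a link.
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    if "@" in parts.netloc:
        findings.append("user-info before '@' makes the visible prefix irrelevant")
    if is_ip_literal(host):
        findings.append("bare IP address instead of a hostname")
        domain = host
    else:
        if not host.isascii() or "xn--" in host:
            findings.append("internationalised label; check for look-alike characters")
        domain = registrable_domain(host) if host else ""
    if domain != expected_domain.lower():
        findings.append(f"lands on {domain!r}, not {expected_domain!r}")
    return {"host": host, "domain": domain, "ok": not findings, "findings": findings}


def anchor_mismatch(visible_text: str, href: str) -> bool:
    """True when the clickable text names one host but the href goes to
    another. Plain words such as 'Follow Here' name no host and return False."""
    shown = urlsplit(visible_text if "//" in visible_text else "//" + visible_text).hostname
    if not shown or "." not in shown:
        return False
    return shown != urlsplit(href).hostname


if __name__ == "__main__":
    # Constructed links in the style of the lure discussed above.
    for link in ("https://docs.google.com/document/d/1AbC",
                 "http://docs.google.com.secure-login.example/view",
                 "https://docs.google.com@198.51.100.7/docs",
                 "https://drive.goog1e.com/"):
        print(link, "->", inspect_link(link, "google.com"))
    print(anchor_mismatch("Follow Here", "https://198.51.100.7/gdocs/"))
```

The point the code makes is that the decisive part of a link is the registrable domain, and everything in front of it (subdomains, user-info before an `@`, the visible anchor text) is under the attacker's control; a saved favourite sidesteps the whole comparison.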

  6. Steve · 369 days ago

    If you use GMail, you should be using 2FA which is free via the Google Authenticator. Even with a phishing attack, your one time code will always be different.

  7. Janantha · 369 days ago

    I think the proper risk mitigation is to enforce two factor authentication. There is a google app on the phone which is like a OTP (One Time Pad). Works very well.

  8. guest · 367 days ago

    Also, I do not use "bookmarks". They are controlled by the browser program, which a hacker could be able to access. I write my own set of frequent (or rare) links and save them as a "webpage" on my machine, such as "myhome.html".

  9. A bank sharing something via Google Docs? You should be smart enough to not fall for that, right?

  10. http://nakedsecurity.sophos.com · 365 days ago

    Phishing: I get one a week, and I don't bank online; I go to the bank if I need the bank. All the time they say the bank needs an update. I just delete it.

  11. Compromised · 356 days ago

    Okay, now that I fell for this trap, what should I do? I've already emailed my contacts about the situation, and of course my email blew up today because my address book got compromised. I can't believe my guard was down.

    • Chester Wisniewski · 355 days ago

      Immediately changing your Google password is about all you can do. And be sure to enable 2-step verification with Google. You can use an SMS code or the Google Authenticator app on iOS and Android as a required second factor when logging into your Google account to discourage phishers from attempting to victimize you again.
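Comments 4, 6 and 7 above and the reply just above this all recommend 2-step verification with an authenticator app. What follows is an added example, not code from the original post or from Google: a minimal RFC 4226/6238 time-based one-time password (the value Google Authenticator computes from the enrolled secret) together with a login check that refuses a phished password on its own, a code that has already been used, and a code that has aged out of its 30-second window. The user record, password and timestamps are constructed for the example; the secret is the RFC 6238 test key, and the password hashing and drift window are assumptions, not anything described on the page.

```python
"""Two-step verification with a time-based one-time password (RFC 4226/6238),
as an added example (not Google's code). A phished password alone does not
pass login(); neither does a code replayed after use or after its window."""
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(now / step)."""
    return hotp(secret, now // step, digits)


def match_counter(secret: bytes, code: str, now: int, step: int = STEP,
                  window: int = 1, digits: int = 6):
    """Return the time-step counter whose code matches, allowing `window`
    steps of clock drift either side, or None if nothing matches."""
    base = now // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), code):
            return base + delta
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record. A real system keeps salt, hash and secret in
    a database; the secret is what the enrollment QR code carries in base32."""
    salt = b"constructed-salt"
    return {"salt": salt, "password_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_counter": -1}


def login(user: dict, password: str, code, now: int, step: int = STEP) -> str:
    """Password first, then the one-time code. Returns a short status string."""
    if not hmac.compare_digest(hash_password(password, user["salt"]),
                               user["password_hash"]):
        return "bad password"
    if not code:
        return "missing code"          # all the fake form ever collected
    matched = match_counter(user["totp_secret"], code, now, step)
    if matched is None:
        return "bad code"              # wrong, or generated for an old window
    if matched <= user["last_counter"]:
        return "code already used"     # stops replay inside the drift window
    user["last_counter"] = matched
    return "ok"


if __name__ == "__main__":
    key = b"12345678901234567890"      # RFC 6238 test key
    user = make_user("hunter2", key)   # constructed password
    now = 1234567890
    print(login(user, "hunter2", None, now))            # missing code
    print(login(user, "hunter2", totp(key, now), now))  # ok
    print(login(user, "hunter2", totp(key, now), now))  # code already used
```

The phishing form in this article only ever sees the password, so `login()` stops at "missing code"; and because each code is bound to a 30-second counter and recorded once accepted, a code that did leak is worthless a minute later.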

  12. rocky biel · 325 days ago

    My account was compromised. But not only that, they changed the phone number in the security feature, which prevents resetting the password by SMS verification. Google then takes 3 to 5 days to verify I am legitimate, and potentially the account will come back. In the meantime the con artist is reading my incoming email and responding to my clients and friends with my name... I know now I will never use a service like Google if there is not a support that can rectify a breach in a timely manner.

  13. OK, I got one of these emails from my insurance agent, and clicked on it and signed in, and THEN got a follow-up email from him that his account had been hacked (sorry, it looked like it was real). So I just went and changed ALL my email passwords...what else can I do?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.