Google Docs – a full-featured, full-service phishing facility?


SophosLabs has come across two spam campaigns this weekend which rely on Google Docs as a “full-service” phishing back end.

We wrote about Google Docs phishing back in June last year, when the search giant’s cloud service was used to target users of Gmail itself.

These recent phishes, however, target two very different groups of users.

The first campaign is aimed at internet banking customers of ANZ, one of the ‘big four’ Australian banks; the second is aimed at online users of the web portal of a large school in North America.

ANZ Bank has a strict policy to ensure that all our customer online banking details are secure and updated regularly. This is done for your own protection because some of our clients no longer have access to their online banking service due to fraudulent activities suspected by the bank management.

In order to make sure that your online banking experience is even more safe and secure, we have introduced a new security feature that allow us to detect any unusual activity on your account. So with regards to this development, to update, re-activate and verify your online banking account login details CLICKHERE


Thank for your understanding. We hope to serve you more better.

The email above takes you to the Google Docs form shown below:

Using Google Docs for phishing ‘surveys’ benefits the crooks in several ways.

* The web hosting for the phishing forms and the fraudulently-collected data is provided, free of charge, by Google.

* The Google Docs user interface provides a simple and snazzy front end for designing the form.

* Google Docs can automatically generate emails to prospective victims inviting them to click through to the phishing form.

* The results are automatically and conveniently collected into a password-protected spreadsheet, which can be retrieved from anywhere.

* The URL uses HTTPS, which gives it an aura of security.

* The URL takes you to a Google domain, which gives it an aura of legitimacy.

Of course, anyone can create a Google account, create surveys and collect results.

So, the security and legitimacy of the URL is important for legitimate users of Google’s services, but it doesn’t, by itself, vouch for the honesty and integrity of the account holder.
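One way a mail filter could act on that point, as an added example that is not Sophos's code: flag a message that name-drops a known bank but whose link leads to a hosted form rather than the bank's own domain. The brand table, the Google Forms path prefixes and the sample message are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Public form-hosting services anyone can use to collect submissions.
# Assumption: these docs.google.com path prefixes are where Google Forms
# links land; extend the table for other form hosts you care about.
FORM_HOSTS = {"docs.google.com": ("/forms/", "/spreadsheet/viewform")}

# Brands the filter knows and the domains they actually use (constructed
# sample table; maintain your own list in a real deployment).
BRAND_DOMAINS = {"anz": {"anz.com", "anz.com.au"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def is_hosted_form(url: str) -> bool:
    """True when the URL lands on a public form-hosting service."""
    parsed = urlparse(url)
    prefixes = FORM_HOSTS.get((parsed.hostname or "").lower())
    return bool(prefixes) and parsed.path.startswith(prefixes)


def link_brand_mismatch(body: str) -> list:
    """Return (brand, url) pairs where the body invokes a known brand but a
    link leads to a hosted form instead of that brand's own domain. HTTPS
    and a well-known host say nothing about who built the form."""
    text = body.lower()
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop trailing sentence punctuation
        host = (urlparse(url).hostname or "").lower()
        for brand, domains in BRAND_DOMAINS.items():
            named = re.search(rf"\b{re.escape(brand)}\b", text)
            own = any(host == d or host.endswith("." + d) for d in domains)
            if named and not own and is_hosted_form(url):
                findings.append((brand, url))
    return findings


# Constructed sample modelled on the phish quoted above; the URL is a
# placeholder, not the real phishing link.
SAMPLE_PHISH = (
    "ANZ Bank has a strict policy to ensure that all our customer online "
    "banking details are secure. To verify your account login details "
    "CLICK HERE https://docs.google.com/spreadsheet/viewform?formkey=EXAMPLEKEY.\n"
    "Thank for your understanding."
)
```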

Nevertheless, despite the safe-looking URLs, phishes of this sort are easy to spot, and just as easy to avoid.

As we’ve explained many times on Naked Security:

1. Don’t click on links in emails which could have come from anywhere. If they could have come from anywhere, they probably did.

2. Even if it looks legitimate, never use any URLs, phone numbers or other ‘calls-to-action’ provided in a security-related email. Find your own way to the company’s website or support line.

3. If you’re a native English speaker, take a careful look for grammatical and spelling errors. Scammers often make give-away mistakes.

(Big banks spend a lot on appearance. They won’t write to say they hope ‘to serve you more better’, like the scammers did here. Better implies more, so the latter word is not needed. Of course, correct grammar doesn’t tell you that an email is legitimate. But careless errors like this almost always signal that an email is bogus.)

By the way, Google Docs forms include a Report Abuse link at the bottom. This link is generated in Google’s cloud, and so cannot be removed by a cybercrook.

So, if you find yourself on a form which you suddenly realise is bogus, you can easily report it so Google can take some action.

Naturally, this raises the question, how do you know the Report Abuse link is legitimate?

Firstly, if you copy the link and paste it into the address bar yourself, it will link back into Google’s cloud, something like this:

Secondly, when you report a dodgy link to Google, you won’t be asked to do anything except to categorise it. You won’t be asked for a username, password, email address, or any other personal information.

PS. Yes, the offending phishing URLs are blocked by Sophos products (Web Appliance, Email Appliance and Endpoint Protection). And, yes, we’ve reported them to Google.