Phishing page hosted on Google: A true dog-bites-man scam

This is not the Google Docs login page you're looking for. (Image: Symantec)
With literally millions of phishing scams crossing the wires each day, media reports about individual ones are the quintessential dog-bites-man stories that are rarely worth the time of writer or reader alike. Every now and then, though, one comes along that's clever enough to make it rise to the top of the massive steaming pile of messages. To wit: one recently caught by researchers from Symantec.
The phishing attempt shows up as an e-mail with the subject "Documents" and advises the recipient to view important files stored on Google Docs. It includes a link in the body. So far pretty banal stuff. But it gets better. As Symantec researcher Nick Johnson writes:
The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly accessible URL to include in their messages.
This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.)
It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought.
After pressing "Sign in," the user’s credentials are sent to a PHP script on a compromised web server.
This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content.
With all the attention on zero-day exploits that surreptitiously install malware with little or no user interaction, it's easy to forget that one of the biggest threats we face is our own gullibility. Most people reading Ars are experienced enough to spot phishing attempts, but the campaign Symantec reported is one I could see my friends or relatives falling for, especially if they were tired, rushed, or otherwise not paying close attention.
When signing in to any service that wants a password, it's never a bad idea to slow down and take a close look, not only at the URL in the address bar, but also at the particular service being logged into. As Johnson points out, there are almost always subtle but crucial warnings when a scam is afoo
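The two checks the article recommends, looking at the address bar and at which service is actually asking for the password, can be turned into a simple mail-triage rule. The Python below is an added example written for this page, not code from Symantec or from the article; it separates Google's real sign-in host from Google-hosted user content such as a Drive file preview, and flags a message whose "documents" lure links only to the latter. The hostnames, the lure keyword and the sample message are my assumptions for the sake of illustration; the page only says the page lived in a public Google Drive folder and was reached through the preview feature.

```python
"""Triage helper: tell a real Google sign-in URL apart from a page that is merely
hosted on Google's user-content domains (for example a Google Drive file preview).
Added example for this article; hostnames and samples are assumptions."""
import re
from urllib.parse import urlparse

# Host that actually serves Google's "One account. All of Google." sign-in page.
GENUINE_SIGN_IN_HOSTS = {"accounts.google.com"}

# Hosts that serve content any account holder can publish. A look-alike login form
# uploaded here is still on Google's servers and still served over HTTPS, which is
# exactly why the campaign described in the article was convincing.
USER_CONTENT_HOSTS = {"drive.google.com", "docs.google.com"}
USER_CONTENT_SUFFIXES = (".googleusercontent.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_url(url: str) -> str:
    """Return 'sign-in', 'user-content', 'insecure' or 'other' for one URL.

    'user-content' is the case from the article: a page on Google's servers that
    anyone can have uploaded. It is never a place to type a Google password.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        return "insecure"
    if host in GENUINE_SIGN_IN_HOSTS:
        return "sign-in"
    if host in USER_CONTENT_HOSTS or host.endswith(USER_CONTENT_SUFFIXES):
        return "user-content"
    return "other"


def triage_message(subject: str, body: str) -> dict:
    """Extract links from a message and report which ones deserve a second look.

    A message that invites the reader to view "documents" but links only to
    user-content hosts (or to non-HTTPS pages) is flagged for human review.
    """
    links = URL_RE.findall(body)
    verdicts = {link: classify_url(link) for link in links}
    suspicious = [link for link, verdict in verdicts.items()
                  if verdict in ("user-content", "insecure")]
    # Lure keyword is an assumption modelled on the "Documents" subject line.
    lure = bool(re.search(r"\bdocuments?\b", subject + " " + body, re.IGNORECASE))
    return {"links": verdicts, "suspicious": suspicious,
            "flag": lure and bool(suspicious)}


# Constructed sample resembling the campaign's message; the file id is made up.
SAMPLE_SUBJECT = "Documents"
SAMPLE_BODY = ("Please view the important documents here: "
               "https://drive.google.com/file/d/FAKEID0000000000/preview")

if __name__ == "__main__":
    print(triage_message(SAMPLE_SUBJECT, SAMPLE_BODY))
```

The flag is a triage signal, not a verdict: plenty of legitimate file shares also say "documents" and link to Drive, so the output belongs in a review queue or a user-facing banner ("this link opens a shared file, not a Google sign-in page"), not in an automatic block rule.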
