Google Docs Phishing Campaign is Frighteningly Accurate

By on Mar 21, 2014

Gmail users beware: a very convincing, very deceitful, phishing scam has been making its way around the Internet. The scam targets Google Doc and Google Drive users with a lookalike login page designed to steal your username and password. With 425 million active monthly Gmail users, these “phishermen” have cast quite a large net.

Before we get into the details of this scam, let’s have a little refresher: A phishing scam is a ploy that tricks you into entering sensitive data, like usernames, passwords and bank account information, by emulating a familiar website. These scams can take a variety of forms, though they’re often introduced through email, text messages or social media sites. Phishing scams can have varying levels of complexity, such as the intricate Netflix phishing scam I wrote about earlier this month, but they all center around one thing—tricking you into willingly giving away your personal information.

The Google Docs phishing scam is a textbook example: it aims to trick you into handing over sensitive login details, and it does exceptionally well. The scam starts with an email referring to an “important document” stored on Google Docs. Clicking on the link in this message will take you to what appears to be a Google Docs login page—but it’s not. This fake login page allows scammers to collect your username and password for their own malicious use.

Unfortunately for Gmail users, the page in this case is remarkably convincing—emulating Google’s typical login page. And here’s the clincher: because this scam is hosted on Google’s servers (the scam is, after all, a public folder on Google Drive) it effectively sidesteps one of the more reliable ways to detect a phishing scam. Generally speaking, phishing URLs are one or two characters different from the official website that they’re masquerading as. To top things off, because the scammers were hosting this attack on Google’s servers, the URL appears to be secure.

This attack on Google Doc users is especially troubling as Google uses a single login across all of their services. If the scammers successfully obtained login credentials for your Google Docs, they’d also be able to access your email, Chrome browsing history (including searches), YouTube account, and perhaps even be able to make purchases through the Google Play store if you’ve previously registered your payment information.

Despite the sophistication of this scam, there’s light at the end of the tunnel. After its discovery earlier this week, Google has successfully removed the phishing pages. They’ve also stated that their “abuse team is working to prevent this kind of spoofing from happening again.”

While this particular attack seems to have been vanquished, phishing scams in general are on the rise. By being aware of how these scams operate, and how to detect them, you’re well on your way to protecting yourself from the Internet’s many bad guys. Follow the steps below to help avoid falling victim:

  • Double check your URL address. Most of the time, a phishing URL will have some reference to the entity it’s pretending to be, but with some form of variation. For example: www.google.com will take you to Google; www.googl.e3921.com (as an example) will take you to a crash page—but it could also take you to a phishing scam website. That being said, do be aware that the scam described above uses a legitimate Google URL and could trick even the most thorough of skeptics.
  • Don’t send banking or login information via email or text. Professional services will never ask you to send sensitive information over email or text messages. They just don’t. At the bare minimum, they’ll ask you to sign into your account on their website (remember to check the URL) in order to address any sensitive information. If you’ve received an email asking for transmittal of financial or login details via email, you’d be wise to delete it.
  • Watch the links. Be wary of clinking on links sent to you over email, text message or social media sites. Most are harmless, but the ones sent to you by someone you don’t know, or a business that you didn’t sign up for, could send you to a malware-infested site. McAfee® SiteAdvisor®, which comes with McAfee LiveSafe™ service, provides color-coded ratings on the safety of your browser’s search results and external links found in your Facebook and LinkedIn news feed when viewing from your PC or Mac. It will also provide a warning message after you click, but before taking you to the site, if the link appears harmful.
  • Install comprehensive security software. As always, practice caution, and protect yourself online with comprehensive security services like McAfee LiveSafe. It will help block spam and dangerous email, as well as guard against malware and viruses on your PCs, Macs, smartphones and tablets.

Gary Davis

About the Author

Gary Davis

Gary Davis was previously McAfee's Consumer Security Evangelist providing security education and advice to businesses and consumers. He is a sought-after speaker on trends in digital security, appearing at conferences and events, as well as security and consumer lifestyle broadcast outlets and publications such as ABC, NBC, FOX, the Wall Street Journal, USA Today, Money ...

Read more posts from Gary Davis

  1. Unfortunately I received this phishing virus from a trusted person and opened the link. Everyone should be aware that Google Docs will never ask for your password when opening a google doc. I was distracted and not paying attention when it got to that part of the scam. Again can't emphasize enough that no one should ever ask for your password. I should certainly have known better. For me I needed to change my password but this particular virus actually went into my filters and put a filter to delete all incoming mail with my address. Again it took my half a day to realize I wasn't receiving any mail to figure out that I had this unwanted filter.

    Google should absolutely do more alerts to let its customers know about these well known viruses that have been out there for awhile, especially for those of us using paying for Google Business. It was embarrassing as much as it was annoying.

  2. I received something like this from my sister-in-law — it went to my various Google addresses — asked for a password and when I submitted it showed me a multi-page PDF. Worst part is I replied to the email and got an answer that read like a non-English speaker may have written it. So I called her and immediately changed my password.

  3. I have just received this email from someone who could have been sending me a document. I clicked the link and logged in with email address and password but went no further as I smelt a rat. I immediately went into my gmail account and changed the password so I hope this will have prevented any problems.

  4. I did fall for this to and it was sent to me by a contact. Fortunately I emailed him back to tell him I was not interested and he emailed back to tell me he was hacked. I was able to change all passwords before any damage was done.

  5. Fell for this while waiting for a document from a book reviewer. The virus sent off emails to entire contact list, then deleted the entire contact list (was able to recover using Yahoo's recovery process) and deleted two days worth of emails from Inbox. Live and learn.

  6. I was just a total idiot and fell victim to this exact scam about an hour ago. The message came from my landlord so I opened it up because I was interested in knowing what she had to say….could it be info about needed to relocate?…who knows.

    It wanted my email address, password AND telephone #. I did gave that info. away, I am so DUMB! Once I entered in my info. the link dumped me onto some random 'Invest in Art' page with a URL address of saatchiart.com. I have no idea what that page is all about but I'm scared to go on it since I'm on my work computer. Gah!

    I've changed my password and other info. I informed Google about a phishing scam and the message has disappeared otu of my spam box. I contacted my landlord to fill her in on this. Now I have to play cleanup with my contacts list. I'm still unsure if my info. has been compromised. I am still able to sign in so hopefully I changed my password in time and these scammers are still locked out.

  7. I fell for this scam hook line and sinker, entered my login credentials and I have emails with sensitive information. I realized my mistake shortly after and immediately changed my password. I do have 2-step verification for unrecognized devices. Am I OK?

    • Two-factor authentication will increase your level of security. It was also a great idea of yours to change your password right away. Be sure to spread the word on this scam to keep others safe!

      • I did exactly the same thing, quickly changed my password. Would I be affected?

        Thanks

  8. May 2015 – this scam is still alive and well! I received an email from my real estate agent – with a Google Doc link for an offer document… These guys are sneaky

    • Yes this is still happening! Everyone on my contact list and anyone I had ever emailed received this email from me 🙁 not a good look for my business!!!

  9. Ughh I just got this today, and it was from someone I was expecting to receive important documents from. So, yeah, it's still out there, and yes, Google really should send out emails to all users to be aware of this.

  10. Same thing happens to me as ester this week. One of my contact informed me that he received it from me and advise me to change my password. I have a few question:
    Do I have to change my password for everything I have a password or just gmail?
    Will they go through all my email to find password?
    What about confidential bank info?
    Do I have to delete every single email with sensitive info such as password or bank info.
    How do I restore my contact?
    Where can I get professional help?

Subscribe to McAfee Securing Tomorrow Blogs