Phishing websites are one of the most widely used online scams we know of in the endless war for cybersecurity, and it’s not exactly news to hear about yet another popping up in an already overcrowded market of millions of other imitators and copycats who do the same thing.
That in mind, what makes this new Google Docs-based attack of particular interest to researchers is that instead of going the classical route and filling the URL with a link to one kind of spyware or another, this link actually leads to a real version of the Google Docs filesharing platform, with the payload hidden inside behind a seemingly innocuous SSL-protected barrier.
“The fake page is actually hosted on Google’s servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive’s preview feature to get a publicly accessible URL to include in their messages.
This login page will look familiar to many Google users, as it’s used across Google’s services. (The text below “One account. All of Google.” mentions what service is being accessed, but this is a subtlety that many will not notice.)”
Essentially the people behind the attack just hosted the file in a public Google Docs folder, and waited for the flies to eventually come to roost. Once an unsuspecting user logs in to view the document, their credentials are captured by the program and sent back to a command and control center over Google’s secure protocol.
All in all it’s actually quite clever, and could definitely have the potential to trick more than a few users who aren’t paying close enough attention to what they’re doing into accidentally handing over their username and password through a search engine they’ve trusted until now.