Beware of This Convincing Google Docs Phishing Scam

By Adam Clark Estes

A very tricky phishing scam that takes advantage of Google Docs is making its way around the web. And since it uses a google.com URL and even makes use of Google's SSL encryption, it's almost impossible to tell that it's a hack. Your best safeguard, as always, is a little bit of common sense.

This phishing scam starts like many other phishing scams: with an email. The malicious message reportedly arrives with the subject line "Documents" and points to a Google Docs link. Again, it shows up in the address bar as a google.com domain and takes you to a fake login page that looks just like the real Google login page. This is how the hackers get you.

"The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing," Symantec security expert Nick Johnston explained in a blog post. "The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly accessible URL to include in their messages."

Once you log in through the fake page, you'll even be taken to an actual Google Doc. Your credentials will be sent to a PHP script on a compromised server. You may never even know they've been swiped. Unless, of course, you don't fall for the scam in the first place.

To avoid it, just watch out for two things. First, be careful clicking links in emails. If you receive an email from someone you don't know with a subject line like "Documents," it's probably up to no good. Second, if you show up at the login screen, you should notice that it doesn't recognise you as a Google user (if you are a Google user). That's the fake login page pictured above to the left and a real Google login page to the right. So if it seems strange that you have to log in again, beware.

Actually, just beware in general. These phishing scams are getting scarily sophisticated. We've reached out to Google to see what they're doing to safeguard users from this one. [Symantec via The Hacker News]