
Gmail, Google Doc users threatened by hard-to-spot phishing scam

It’s yet another reminder about how careful you need to be when signing into those web pages we use every day.

A phishing scam, in which you receive an invitation to click a fraudulent link that masquerades as a trusted website, targeted users of Google Docs and Google Drive last week, and has only just been resolved.

U.S. computer security company Symantec posted on its official blog last week that a new phishing scam was out there, and it was a very convincing one, too. According to the blog, users would receive an email with the subject line “Documents,” and the body of the email requested they view an important Google Doc by clicking the link. The landing page for the fake site looked like this:

When you compare it to the real login page for Google Docs, seen below, you can see why it’s a convincing scam:

Nick Johnston of Symantec explained further in the blog post why this particular scam was so insidious:

“The fake page is actually hosted on Google’s servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive’s preview feature to get a publicly-accessible URL to include in their messages.”

When users entered their Google login information, their credentials would be saved and sent to the people who set up the page, allowing them access to that person’s account.
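The point of Johnston's description is that HTTPS and a Google-owned domain are not enough to show a password prompt is genuine. The check below is an added example, not code from Symantec or Google: it flags any password form that is not served from the exact sign-in origin or that posts somewhere other than the page's own origin. It assumes accounts.google.com is the genuine sign-in host; the URLs, the HTML and the off-site form target are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the one origin where a Google password should ever be typed.
SIGN_IN_ORIGIN = ("https", "accounts.google.com")

class PasswordFormFinder(HTMLParser):
    """Record the action of each form (or bare page) that holds a password field."""
    def __init__(self):
        super().__init__()
        self.actions = []
        self._form_action = None  # None while outside any <form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form_action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.actions.append(self._form_action or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower())

def credential_prompt_findings(page_url, html):
    """Return reasons to distrust a password prompt; an empty list means none found."""
    finder = PasswordFormFinder()
    finder.feed(html)
    if not finder.actions:
        return []
    page = origin(page_url)
    findings = []
    if page != SIGN_IN_ORIGIN:
        findings.append("password prompt served from %s://%s" % page)
    for action in finder.actions:
        target = origin(urljoin(page_url, action))
        if target != page:
            findings.append("form posts to %s://%s" % target)
    return findings

# Constructed samples: a look-alike hosted under a Google domain, and a same-origin form.
FAKE_URL = "https://docs.google.com/constructed/preview/login.html"
FAKE_HTML = '<form action="https://collector.example/save.php"><input type="password" name="p"></form>'
REAL_URL = "https://accounts.google.com/constructed-signin"
REAL_HTML = '<form action="/constructed-submit"><input type="password" name="p"></form>'
```

Calling `credential_prompt_findings(FAKE_URL, FAKE_HTML)` returns two findings even though the page is on a google.com host over HTTPS, while the same-origin sample returns none.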


Gizmodo says that Google has notified it that the fraudulent page has now been removed. This was what Google said:

“We've removed the fake pages and our abuse team is working to prevent this kind of spoofing from happening again. If you think you may have accidentally given out your account information, please reset your password.”

While this particular phishing scam has been caught, it’s a reminder of two things:

1) Scammers are getting better at making their sites and URLs look like the real thing, which is more likely to dupe people not paying full attention when giving away their key login information.

2) Your login information is more powerful than ever before. With a single login that will get you into Gmail, Google Docs, the Google Play Store, YouTube and more, a scammer needs just one set of credentials to get into multiple accounts and start profiting off your unfortunate situation. This is even worse if you use the same password across multiple sites, or if your account is linked to your login for numerous other sites. Many sites now allow you to log in with Facebook, for example, so if a scammer were to get your Facebook login, they could access all the sites you have associated with that account too.

The advice is always the same: Be cautious when you receive emails from senders you don’t recognize, and don’t click links inside those emails. Remember to change your password regularly.

(Top Image: Symantec blog post. Bottom Image: Screengrab from docs.google.com)
