We see millions of phishing messages every day, but recently one stood out: a sophisticated scam targeting its users' login credentials Google Docs and Google Drive. The scam was recently discovered by Symantec.
Fraud comes with e-mail, has a simple “Documents” subject line and invites the recipient to view an important document in Google Docs by click in the included link.
Of course, the link does not go to Google Docs, but it is supposed to go to Google by presenting a very convincing false login page to Google Docs:
The fake page is hosted on Google servers and is served through SSL, making the page even more convincing. Fraudsters have just created a public folder within a Google Drive account, uploaded a file, used the Google Drive Preview feature, and got a publicly accessible URL that they include in their messages.
This login page will look familiar to many users of Google, as it is now used in all Google services. It mentions which service it gives access to, but this is a subtlety that many will not notice.
If someone clicks "Login", the user's credentials are sent to a PHP script located on a hacked web server.
This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable goal for phishers, since they can use them to access many services.