We see millions of phishing emails every day, but recently one stood out: a sophisticated scam targeting the login credentials of Google Docs and Google Drive users. The scam was recently discovered by Symantec.
The scam comes by e-mail, it does theme a simple “Documents” and invites the recipient to view an important document in Google Docs by clicking on the included link.
Of course, the link does not go to Google Docs, but it is supposed to go to Google by presenting a very convincing false login page to Google Docs:
The fake page is hosted on Google servers and is served through SSL, making the page even more convincing. Fraudsters have just created a public folder within a Google Drive account, uploaded a file, used the Google Drive Preview feature, and got a publicly accessible URL that they include in their messages.
This login page will look familiar to many Google users as it is now used across all of them services of Google. It mentions which service it gives access to, but that's a subtlety that many won't notice.
If someone clicks "Login", the user's credentials are sent to a PHP script located in a hacked web server.
This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable goal for phishers, since they can use them to access many services.