About two months ago, we posted about a phishing scam that used the Google Docs and Google Drive services. The same scam is circulating again, but this time it is more effective than the millions of phishing messages we see every day, because the Google Drive phishing page is served over SSL by the legitimate Google Drive service itself.
Those who check whether a page is a phishing page focus mostly on visually inspecting the URL to make sure the connection is secure. That is a good approach, but it will not help prevent this specific attack.
As in the past, the intruders' phishing message uses a simple Google Docs theme and contains a URL pointing to a phishing page hosted on Google Drive file storage:
Figure 1. Google Drive phishing page
However, this time the phishers have made a small mistake. In the bottom corner of the page there is a language selection menu. For a careful observer this could be a red flag that something is wrong. It looks like the phishers accidentally defaced the page, as some language names appear with question marks on each side:
Figure 2. Damaged language options
This corruption is probably because Google lists each language as it is written in the countries where it is spoken: for example, Korean is listed in Korean, in the Hangul alphabet: 한국어. When the phishers saved a copy of the Google page, they probably did not use the UTF-8 character encoding but ISO-8859-1 (Latin-1), which causes these characters to be displayed incorrectly.
Many victims will not notice this error because it sits in a corner of the page and is not prominent. Even a victim who does notice the garbled characters may think it is a minor bug or a problem with their own computer.
Stolen credentials are sent to a PHP script hosted on a compromised server:
According to Symantec, this script has the same name (performact.php) as the one we saw in the scam we published about two months ago, suggesting that the same attack group is behind it (or at least that the same phishing kit is being used). The script redirects the victim to a document hosted on Google Drive and is designed to send the credentials to the attackers.
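The two tells described above, the Latin-1 mojibake in the language menu and a login form that posts off-origin to a PHP script, can both be checked mechanically on a saved copy of a suspect page. The following is an added example, not code from the original post or from Symantec; the sample HTML, host names and hosting URL are constructed placeholders, and only the script name performact.php comes from the analysis above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a saved login page: the form posts to a server outside the
# hosting origin, and one language option has lost its non-Latin characters.
# Host names are placeholders; only the script name comes from the analysis above.
SAMPLE_HTML = """<html><body>
<form method="post" action="http://compromised-host.example/performact.php">
  <input name="Email"><input name="Passwd" type="password">
</form>
<select id="lang">
  <option>English</option><option>???</option><option>Deutsch</option>
</select></body></html>"""

def latin1_roundtrip(label):
    """Reproduce the corruption: saving a UTF-8 label as Latin-1 turns every
    code point outside Latin-1 into '?'."""
    return label.encode("latin-1", errors="replace").decode("latin-1")

class PageScanner(HTMLParser):
    """Collects form action URLs and the visible text of <option> elements."""
    def __init__(self):
        super().__init__()
        self.actions, self.options, self._in_option = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.actions.append(attrs["action"])
        elif tag == "option":
            self._in_option = True
    def handle_endtag(self, tag):
        if tag == "option":
            self._in_option = False
    def handle_data(self, data):
        if self._in_option and data.strip():
            self.options.append(data.strip())

def scan_page(html, page_url, trusted_suffixes=("google.com", "googledrive.com")):
    """Return a list of findings; an empty list means neither heuristic fired."""
    scanner = PageScanner()
    scanner.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for action in scanner.actions:
        host = urlparse(action).hostname  # None for relative actions (same origin)
        trusted = host is None or host == page_host or any(
            host == s or host.endswith("." + s) for s in trusted_suffixes)
        if not trusted:
            findings.append(f"form posts credentials off-origin to {host}")
    broken = [o for o in scanner.options if set(o) <= {"?"} or "\ufffd" in o]
    if broken:
        findings.append(f"{len(broken)} language option(s) reduced to '?' (mojibake)")
    return findings
```

Running `scan_page(SAMPLE_HTML, "https://googledrive.com/host/PLACEHOLDER/index.html")` reports both the off-origin POST target and the damaged language option; `latin1_roundtrip("한국어")` shows how the three Hangul characters become "???".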