You get a link to a Google Doc. You click it, then sign in to your Google account. Seems safe enough, right?

Wrong, apparently. A sophisticated phishing setup is teaching the world yet another lesson about online security.

What is phishing, and how do scammers use it? (We have covered the basics before in "What Exactly Is Phishing & What Techniques Are Scammers Using?") Basically, phishing means getting users to voluntarily type their username and password, often by using a false login page. Such pages are usually easy to spot for net-savvy users, but this recent example of phishing is noteworthy for how realistic the login page looked. It could have fooled just about anyone, and it had a Google URL.

[Image: the fake Google login page used in the phishing attack]

Here’s how it worked: victims got emails with the subject line “Documents.” The email itself contained what looked to be a link to a Google Doc – complete with an actual “Google.com” domain – and pointed users to what looked like a legitimate Google login screen.

It’s not uncommon for users to need to sign in before seeing a Google Doc, so many dutifully typed their passwords. They were re-directed to an actual Google Doc, but their username and password weren’t used by Google: criminals recorded them instead.

Google claims all such pages have since been taken down, but it’s still worth being vigilant. Don’t click links to Google Docs if you’re not sure of the sender. If you must, check that you’re logged into Google Docs before clicking through the link.
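The lesson of this incident is that "it's on a google.com URL" is not a useful test for a sign-in page. Below is an added example (not code from the article or from Google) that triages a supposed Google sign-in link the way a defender would: it assumes that the only host which should ever ask for a Google account password is accounts.google.com, and flags everything else with a reason, including genuine Google domains that are not the sign-in host, lookalike hosts, and the user@host URL trick. All sample URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

# Assumption: the only host that should ever present a Google account password prompt.
GOOGLE_SIGNIN_HOST = "accounts.google.com"


def triage_signin_link(url: str) -> str:
    """Return 'ok' for a plausible Google sign-in URL, or a short reason it is suspect."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "not https"
    if parts.username is not None or parts.password is not None:
        # "https://accounts.google.com@evil.example/" shows a Google name in the
        # address bar text but the real host is whatever follows the '@'.
        return "credentials in url (hostname is actually %s)" % parts.hostname
    host = (parts.hostname or "").lower().rstrip(".")
    if host == GOOGLE_SIGNIN_HOST:
        return "ok"
    if host == "google.com" or host.endswith(".google.com"):
        # The case from the article: a real Google domain, served over HTTPS,
        # but not the account sign-in host, yet showing a password prompt.
        return "google domain but not the sign-in host (%s)" % host
    if "google" in host:
        # e.g. accounts.google.com.evil.example: the Google name is a subdomain
        # of somebody else's domain.
        return "lookalike host (%s)" % host
    return "unknown host (%s)" % host


def triage_all(urls):
    """Map each constructed sample URL to its triage verdict."""
    return {u: triage_signin_link(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links for the demo, not links from the actual campaign.
    SAMPLES = [
        "https://accounts.google.com/ServiceLogin",
        "http://accounts.google.com/ServiceLogin",
        "https://docs.google.com/constructed/path",
        "https://accounts.google.com@evil.example/login",
        "https://accounts.google.com.evil.example/login",
    ]
    for url, verdict in triage_all(SAMPLES).items():
        print("%-50s %s" % (url, verdict))
```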

[Image: the Google Docs phishing email]

That will only protect you from this one incident, though, which brings us to the scary thing about this: it’s becoming harder and harder to advise people about security. We’ve previously outlined "4 General Methods You Can Use To Detect Phishing Attacks", and it’s not altogether clear any of them would have helped in this case.

Google advises you change your password if you suspect you’re a victim. While you’re at it, we recommend you also lock down your accounts with two-factor authentication (see "Lock Down These Services Now With Two-Factor Authentication"). With that turned on, getting your password won’t be enough for criminals to access your account – they’ll also need your phone.

Source: Symantec.com

  1. Bill
    March 30, 2014 at 4:40 pm

    Google 2-factor authorization (multifactor authentication) does work for landline phones BUT:

    A. Only for Google itself. As far as I can tell other products that integrate Google 2-factor authentication can't ask for that notification: you have to use the Google app. itself on a device to request and receive the code. (Please explain request process if you actually use Google 2-factor authentication via a landline for a non-Google product.)

    B. Only if: you (or someone) are at home; OR forward the line first; OR record the call (e.g., answering system) and immediately pick it up. Unless you live alone, note that a ringing phone may awaken others.

    SO, landline 2-factor authorization works well for a Google Mail security notification account (e.g., send password change notifications/if your Google or non-Google account is hacked/if you lose your phone/etc.) but not so well for your regular Google account.

    By the way, if you use the same device for both accessing the web and for requesting and receiving the authentication code you don't really have discrete 2-factor authentication. I.e., if your tablet itself is hacked then BOTH your password and your 2-factor authentication are compromised and both will remain so EVEN AFTER you remove the malware if the hacker takes certain actions (e.g., exempts their computer or adds/records one-time access codes) before you remove the malware.

  3. Sreeraj R
    March 27, 2014 at 12:02 pm

    Always watch the address.

  4. Rob H
    March 20, 2014 at 4:21 pm

    @dragonmouth: "Two-factor authentication does not work for those with land lines only."

    Not sure you're right there, I have a set of single use backup verification codes for Google 2-factor auth. to use when I don't have access to the mobile app. (I've not checked whether you can rely entirely on those and not have the mobile aspect at all.)

  5. Fandroid
    March 19, 2014 at 8:33 pm

    What happens when you make your login page look too hipster.

  6. Steen
    March 19, 2014 at 8:18 pm

    When you say "It used a Google URL", are we talking about the redirect in Google's link gateway which just forwards you to the actual page or was it in fact hosted under the google.com domain?
    I think one of the best ways to spot that one is the lack of HTTPS and that's a trick a lot of savvies are trying to teach the less techy web users.

    Being able to completely replicate a webpage is not difficult. Most phishers are just not old enough to know their HTML and so everything looks extremely fishy and not many will fall for it.
    I could probably reproduce most login screens in less than an hour if I intended to. Getting something under Google's domain should be the story, not replicating a web page.

    • Justin P
      March 19, 2014 at 9:17 pm

      It was hosted on Google itself, and had a HTTPS URL.

    • Steen
      March 19, 2014 at 10:21 pm

      Ah, okay. Not bad then ^^

    • Ajay Raj
      March 20, 2014 at 7:30 am

      That's really interesting, how did they manage that? It wasn't a goo.gl link redirect or anything was it? Or did somebody actually hack Google servers and sneak in a script in the HTML? I can't wrap my mind around how they managed to get a secured https and a Google domain to be honest.

  7. dragonmouth
    March 19, 2014 at 6:18 pm

    So is the Google Signin page you have pictured in the article the real thing or is it a fake? Would have been nice if you clearly described how to detect the ersatz page.

    Two-factor authentication does not work for those with land lines only.

    • Justin P
      March 19, 2014 at 6:52 pm

      The one in the picture is the fake, but it might as well be the real one – they look identical.

      Honestly, I'm not sure how to detect the page, other than not opening emails with vague subjects and a link. That's why this one is so scary.

    • dragonmouth
      March 19, 2014 at 8:03 pm

      Yes, it is. For someone like me, who does not use Google services, getting an email with a link to a Google page may be easier to recognize as a scam than for someone who uses Google services all the time. And then there are the compulsive clickers.

      If the scam works on a Google page, it will work just as well on eBay, Amazon, Microsoft, etc. Pretty soon it will not be safe to click on any link.
