Google Docs and Google Drive were the focus of a sophisticated phishing scam that we looked at two months ago and this technique is being used again. This scam is more effective than the millions of phishing messages we see every day because the Google Drive phishing page is actually served over SSL from the legitimate Google Drive service itself.
Most phishing mitigation focuses on visually inspecting the URL to make sure the connection is secure. And this is good advice, but this does not help prevent against this specific attack.
As in the past, the attacker's phishing message uses the simple subject of "Documents" and contains a URL pointing to a phishing page hosted on the Google Drive file storage and synchronization service:
Figure 1. Google Drive phishing page
However, this time the phishers have made a subtle mistake. At the bottom corner of the page, there's a language selection box. For someone who is attentive this might be a red flag that something is wrong. It appears the phishers have inadvertently corrupted the page, as some language names are presented with a question mark on each side:
Figure 2. Corrupted language selections
This corruption is probably because Google lists languages in their native scripts: for example, Korean is listed in a language dropdown using the native Korean alphabet of Hangul: 한국어. When phishers saved a copy of the Google login page, they likely inadvertently changed the character encoding from UTF-8 to ISO-8859-1 (Latin-1), causing this corruption in the display.
Many victims may not notice this corruption on the page because it is in a dropdown located in the corner and does not stand out. Even if a victim did notice the corrupted display, they might dismiss it as a minor bug or a problem with their own computer, and then proceed to login to the phishing site revealing their credentials to attackers.
Stolen credentials are sent to a PHP script on a compromised server:
This script has the same name (performact.php) that we saw in the original Google Docs and Google Drive phishing scam, suggesting that the same group of attackers (or at least the same phishing kit) is involved. The script redirects the victim to a document hosted on Google Drive.
We are surprised that attackers are still able to use Google Drive to phish people in this way. Shortly after we published our original blog post, Google reduced prices for Google Drive significantly which surely increased the number of people at risk. Smartphones are now also being sold with premium Google Drive accounts pre-installed, making Google Drive an even more enticing phishing target. Stolen Google credentials can be used to gain access to all of a victim's Google services, including Google Play for mobile for instance.
Not just phishing, but malware too
We continue to advise users to enable Google's two-factor authentication and to use up-to-date security software on endpoints and gateways.
Symantec.cloud Mail Security customers are protected through our anti-phishing and URL blocking technology while Symantec AV customers are protected by the following detection: