There is a very tricky phishing scam that is making its way around the web. If you use Google Docs for business or even Gmail, please stay vigilant.
This phishing scam starts like many others: with an email. The malicious message reportedly arrives with the subject line “Documents” or “Documents attached” and points to a Google Docs link. The link shows a google.com domain in the address bar and leads to a fake log-in page that looks just like the real Google login page. This is how the attackers get you: because the scam uses a google.com URL and is even served over Google’s own SSL connection, the usual checks (look at the domain, look for the padlock) don’t expose it, and it is very hard to tell that it’s a hack. Your best safeguard, as always, is a little bit of common sense.
“The fake page is actually hosted on Google’s servers and is served over SSL, making the page even more convincing” – Symantec security expert Nick Johnston explained in a blog post. “The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive’s preview feature to get a publicly accessible URL to include in their messages.”
The fake log-in page is pictured above on the left, and a real Google log-in page on the right. The real one normally recognises the account you last signed in with, so if it seems strange that the browser has lost your email address and you have to log in again, beware.
Once you log in through the fake page, you’ll even be taken to an actual Google Doc. Meanwhile your credentials are sent to a PHP script on a compromised server, so you may never know they’ve been swiped, unless, of course, you don’t fall for the scam in the first place.
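As an added illustration (not code from the original post, from Symantec or from Google), here is a small Python check for the mechanism just described: a page that is served from a google.com address but whose password form submits somewhere else. Looking at the address bar tells you where the page came from; this looks at where the typed password will go. The Drive preview URL shape, the compromised host name and the HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> on a page and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_sinks(page_url, html):
    """Absolute URLs that the page's password forms submit to (relative actions resolved)."""
    scanner = _FormScanner()
    scanner.feed(html)
    return [urljoin(page_url, f["action"]) for f in scanner.forms if f["has_password"]]


def suspicious_sinks(page_url, html):
    """Password forms that post to a different host than the page, or drop from HTTPS to HTTP."""
    page = urlsplit(page_url)
    flagged = []
    for sink in credential_sinks(page_url, html):
        s = urlsplit(sink)
        if s.hostname != page.hostname or (page.scheme == "https" and s.scheme != "https"):
            flagged.append(sink)
    return flagged


# Constructed sample: a lookalike login page served from a Drive preview URL (the URL
# shape and both host names are assumptions for this example), posting to a PHP script
# on another server, as the post describes.
FAKE_PAGE_URL = "https://docs.google.com/file/d/EXAMPLE-FILE-ID/preview"
FAKE_PAGE_HTML = """
<html><body>
<h2>Google Drive</h2>
<form method="post" action="https://compromised-site.example/login.php">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample: a login page whose form posts back to its own host (path assumed).
REAL_PAGE_URL = "https://accounts.google.com/ServiceLogin"
REAL_PAGE_HTML = """
<form method="post" action="/signin">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
</form>
"""

if __name__ == "__main__":
    for url, html in ((FAKE_PAGE_URL, FAKE_PAGE_HTML), (REAL_PAGE_URL, REAL_PAGE_HTML)):
        print(url, "->", suspicious_sinks(url, html) or "password form posts to its own host")
```

The same-host rule is a heuristic, not proof: some legitimate sites hand credentials to a separate single-sign-on host, so a hit means “look closer”, not “block”. What it does catch reliably is the pattern in this campaign, where the lookalike page cannot run a script on Google’s servers and therefore has to send the password off-domain.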
To avoid being scammed, watch out for these things. First, be careful clicking links in emails: if you receive an email from someone you don’t know with a subject line like “Documents,” it’s probably up to no good. Second, if you arrive at a log-in screen, notice whether it recognises you as a Google user (if you are one); the fake page won’t.
If the email is from somebody you do know but it doesn’t use your name (e.g. “Hi John”) and instead opens with something like “Dear Account user”, don’t even be curious about what it is: just delete it.
Remember that when your bank, PayPal, LinkedIn and the like email you, they address you by name, and they will not ask you to log in, open an attachment, or click a link to verify your details.
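The three checks above (lure subject line, unknown sender or generic greeting, link to a Drive-hosted file) can be turned into a simple triage rule for a mailbox or gateway. The following is an added example, not code from the original post; the sample messages, the contact list and the Google Drive host names it matches are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Signals taken from the advice above; the Drive host names are an assumption for the example.
LURE_SUBJECTS = {"documents", "documents attached"}
GENERIC_GREETINGS = ("dear account user", "dear user", "dear customer", "dear member")
DRIVE_HOSTS = {"docs.google.com", "drive.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage_email(msg, recipient_first_name, known_senders):
    """Return the list of phishing indicators found in one message.

    msg is a dict with "from", "subject" and "body" (plain text).
    A known sender sharing a file with a personal greeting yields at most one
    indicator (the Drive link itself), so ordinary collaboration is not flagged.
    """
    reasons = []
    if msg["subject"].strip().lower() in LURE_SUBJECTS:
        reasons.append("subject line matches the reported lure")
    if msg["from"].lower() not in {s.lower() for s in known_senders}:
        reasons.append("sender is not a known contact")
    body = msg["body"].lower()
    if any(g in body for g in GENERIC_GREETINGS):
        reasons.append("generic greeting instead of your name")
    elif recipient_first_name.lower() not in body:
        reasons.append("your name appears nowhere in the message")
    for url in URL_RE.findall(msg["body"]):
        if urlsplit(url).hostname in DRIVE_HOSTS:
            reasons.append("points to a Google Drive hosted file: " + url)
            break
    return reasons


def is_suspicious(msg, recipient_first_name, known_senders, threshold=2):
    """True when at least `threshold` indicators coincide."""
    return len(triage_email(msg, recipient_first_name, known_senders)) >= threshold


# Constructed sample messages (not real campaign data).
KNOWN = {"colleague@example.com"}
LURE_FROM_KNOWN = {
    "from": "colleague@example.com",
    "subject": "Documents",
    "body": "Dear Account user,\nPlease review: https://docs.google.com/file/d/EXAMPLE/preview",
}
LEGIT_SHARE = {
    "from": "colleague@example.com",
    "subject": "Q3 budget",
    "body": "Hi John, here is the sheet we discussed: https://docs.google.com/spreadsheets/d/EXAMPLE/edit",
}
LURE_FROM_STRANGER = {
    "from": "unknown@example.net",
    "subject": "Documents attached",
    "body": "Please find the documents attached: https://docs.google.com/file/d/EXAMPLE2/preview",
}

if __name__ == "__main__":
    for m in (LURE_FROM_KNOWN, LEGIT_SHARE, LURE_FROM_STRANGER):
        print(m["subject"], "->", triage_email(m, "John", KNOWN))
```

The threshold matters: a Drive link from a colleague is normal and scores one, while the reported lure scores three or four even when it arrives from a contact whose account has already been compromised, which is exactly the case the advice above warns about.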
This attack, though clever, doesn’t exploit any particular weakness in Google Drive. Instead it exposes the obvious but often forgotten downside of any cloud storage service: your data is no longer physically in your possession. It is hosted somewhere else, reachable only through a computer with Internet access and, crucially, through a login. That makes the login itself the target, and it presents many opportunities for tricks that compromise your account by stealing your username and password.
Locally hosted files, on the other hand, are exposed mainly through malware installed on your PC or someone gaining physical access to your hardware. Phishing for your storage credentials, a breach of the provider’s servers, or an attacker on a compromised WiFi network watching you sign in are not threats to data that never leaves your machine. On their own, Google Drive, Dropbox or any other cloud storage service do not offer enough protection for valuable or sensitive information.
You shouldn’t keep all your financial or client records in Google Drive, or indeed anywhere in the cloud or on a shared web server, unless the data is encrypted and the account has more than one layer of security protecting it. Cloud storage is particularly exposed to tricks like this one, and an account can also be compromised simply by forgetting to log out on a shared computer.
While nothing is ever 100% secure, a Google account should be protected by two-factor authentication. If you use Gmail or Google Docs, please switch this option on in your Google account settings and stay safe.