Goin’ phishing. (Google/Yahoo Tech)

Billions of people trust Google to find information, manage their email, and store their documents. This makes Gmail and Google Drive the perfect tools for scammers who can abuse that trust to steal your personal information.

According to security firm Elastica, this is exactly what they’ve done. In a report released today, the company found that scammers had used Gmail to send emails designed to fool users into visiting a bogus website hosted on Google’s own servers. A hidden script on the Google Drive page captured their Google usernames and passwords, then redirected users to a genuine document (an academic paper) so victims would never suspect their information had been stolen.

Today’s exploit, if genuine, is similar to a scam from March 2014, researchers say. We’ve contacted security firm Symantec, which reported last year’s scam, but they had not responded by press time.

For Google’s part, a spokesperson from the company gave us this statement: “We’re constantly working to protect people from phishing scams through a combination of automated systems, in-product warnings, and user education. We’re aware of this particular issue and taking the appropriate actions.”

Elastica CEO Rehan Jalil told us the company used Google’s automated tool to warn the search giant about the vulnerability about two weeks ago. However, he added, Elastica didn’t follow up with Google before publishing its results. At publication time, the phishing websites were still live.

Elastica hasn’t said how many people have been exposed to the online trap, or if it’s even able to gauge that. But regardless, this is a clever example of a so-called phishing attack that tricks you into giving up valuable personal information, typically your username and password. In this case, the email, titled simply “Document,” states, “Hi. Please see the remaining document on Google drive,” and then provides a long link to click on.


Once scammers have your Google credentials, they can log on to any service that uses your Google login, read your email, access personal files stored on Google Drive, reset the passwords to any other online service that has your Gmail address, and change your password so that you would be unable to log back in.

In other words, this is bad news. Fortunately, you can avoid falling prey to this scheme, and any similar ones, by abiding by the following guidelines.

Don’t trust any old email

Silly as it may sound, people often do mindlessly click on links in phishing emails, despite the frequently funky grammar and complete lack of relevance. One clever trick on the part of these likely cybercrooks is that the note comes from a Gmail address. This, according to Elastica, may have tricked Google’s spam filters into allowing the message to get through. (Otherwise, an email like this should scream “Scam!” to a half-decent spam filter, and Google’s filters are generally quite good.)

FAKE. (Screenshot: Yahoo Tech)

The takeaway: If you don’t recognize the sender of an email and have no idea what it’s about, for God’s sake, don’t click any links inside the message. People who did click this link still had another chance to escape, though the next step was far trickier.

Don’t casually provide usernames, passwords, or other info

Phishing attacks work because they send you to a bogus login page that looks like the real deal, though it’s usually hosted at a different URL than the legitimate site.

What makes this scam more sophisticated is that the link in this phishing email really does go to Google Drive, where Google Docs and other files are legitimately stored. However, the login page it shows visitors is a fake.

FAKE. (Screenshot: Yahoo Tech)

A careful look will reveal that something is fishy (or phishy). First, the scammers got the text wrong. Instead of “One Account. All of Google,” the bogus page reads, “Google Drive. One Storage.”

How people can put so much work into creating an exploit and so little into proofreading is baffling. But it’s a good thing that crooks so often make these goofs.

Double check the Web address

Then there’s the classic mark of a phishing page: a crazy URL.

Legit. (Screenshot: Yahoo Tech)

Instead of beginning with a nice, tight “https://accounts.google.com/,” the phishing page began with this gobbledygook: “https://c0ab3fcf375a…”

FAKE. (Screenshot: Yahoo Tech)

The lesson: If a link sends you to a login page, don’t fill it out. Open another browser window and type in what you know to be the correct page. For example, search for “Google Drive,” and follow that link. Log in there, instead. Also, again, beware of bad grammar.

Hidden code on the bogus page grabbed the login information and sent it to another server, not on Google Drive. Then it redirected the user to a legitimate, uninfected (if unexciting) document, a doctoral thesis from 2006 stored on the University of Maryland website.
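The address check above can be made mechanical. The following is an added example, not code from the article or from Elastica, and it assumes accounts.google.com is the only legitimate sign-in host; the sample URLs other than the real one are constructed for illustration. It shows why the check must parse the URL and compare the host exactly rather than test whether the text “begins with” the right string:

```python
from urllib.parse import urlsplit

# Assumption: the only host that legitimately serves Google's sign-in page.
GOOGLE_LOGIN_HOSTS = {"accounts.google.com"}


def naive_prefix_check(url: str) -> bool:
    """The weak version: 'does the address begin with the right text?'"""
    return url.startswith("https://accounts.google.com")


def looks_like_google_login(url: str) -> bool:
    """Stronger version: parse the URL, then require https and an exact host match.

    A page served from Google Drive (a docs.google.com address) is on Google's
    servers, but it is still not the sign-in host, so it fails this check."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in GOOGLE_LOGIN_HOSTS


def classify(url: str) -> str:
    return "Legit" if looks_like_google_login(url) else "FAKE"


# Constructed sample addresses; only the first is the real sign-in page.
SAMPLES = [
    "https://accounts.google.com/ServiceLogin",
    "http://accounts.google.com/",                 # not https
    "https://accounts.google.com.example/",        # real host is 'example'
    "https://c0ab3fcf375a.example/",               # gobbledygook host, as in the scam
    "https://docs.google.com/file/d/CONSTRUCTED/", # Google Drive, not the login host
]


def compare_checks() -> dict:
    """Return {url: (naive_result, parsed_result)} for every sample."""
    return {u: (naive_prefix_check(u), looks_like_google_login(u)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (naive, parsed) in compare_checks().items():
        print(f"{classify(url):5}  prefix={naive!s:5}  parsed={parsed!s:5}  {url}")
```

The second sample URL with the “.example” suffix passes the prefix test but fails the parsed check, which is exactly the gap a quick glance at the address bar can miss.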

Use Google’s two-factor authentication

If someone does happen to gain access to your Google credentials, either through phishing or by simply being a good guesser, two-factor authentication could be what stops them from actually getting into your account.

When you turn it on (and here’s how to do that), Google will require that not only a username and password be entered at login, but also a special code that will be text messaged to your phone. This system is being offered by more and more online services (including Yahoo!), and it’s really the best way you can prevent unwanted access to your accounts.

Essentially, trust no one

The overall lesson here: If something online looks at all unusual, the questionable email or website should be presumed guilty until proven innocent. Look for irrelevant messages, bad grammar and spelling, funky URLs, or anything else odd. And please, please, even if these scammers wise up and start using cute cat pictures in their phony emails (and God help us if they do), never just click on links willy-nilly. It’s not only bad for you, it’s bad for the rest of us, too. So long as phishers manage to fool one person in a thousand, they will continue to play their evil tricks.

Sean Captain is a freelance tech and science writer based in New York City. Follow him on Twitter at @seancaptain or send tips to seantech@seancaptain.com.