Coming up with meaningful anti-phishing advice is hard, in part because even the most pragmatic tips cannot be practical in all situations. Scams where the attackers data-collection form resides at a Google Docs (now Google Drive) are especially difficult to warn users about. After all, the malicious webpage resides at the trusted google.com domain. The effect is especially severe for organizations using Google Apps as a collaboration platform.
Using Google Docs for hosting phishing forms isnt new.F-Secure published several examplesGFI shared additional screenshotsSophos outlined some examplesin May 2012.
To understand why such scams arent going away any time soon, consider the example that came to our attention this month. The malicious email arrived with the subject Message From I.T Service Helpdesk and alerted the user, Your mailbox is almost full.
Recipientswho clicked the CLICK HERE link were directed to the following IT HELPDESK SERVICE page, which prompted for logon credentials that the attacker wanted to capture.
Although the landing page had a very basic look to it, it resided at the domain that most people trust: google.com. The attacker was likely using a compromisedGoogle Apps account of another organization to create a Google Docs spreadsheet and expose its data entry form in the manner shown above.
The use of the Google domain is what lends credence to the phishing scams that make use of Google Docs. The targeted individuals can no longer rely on the advice we often give: Examine the URL bar to confirm that you are at a trustworthysite. This problem is especially severe for individuals whose organizations use Google Aps for email, calendaring and file management needs. In such cases, administrative communications are expected to come through or reside at the google.com domain.
What anti-phishing advice could we offer to potential Google Docs phishing scam victims? Theres the more general suggestion of being vigilant and looking out for anomalies, be they an unusual signature line in the email message or an unexpected look-and-feel of the web page. A more specific recommendation might be: Avoid clicking on email links when you need to take important actions that require logging in. Relying on a previously-saved bookmark is safer.
Is that practical advice? Not for all situations. This is what makes anti-phishing advice so challenging to provide.
-- Lenny Zeltser
Lenny Zeltserfocuses on safeguarding customers IT operations at NCR Corp. He also teaches how toanalyze malwareat SANS Institute. Lenny is activeon Twitterand writes asecurity blog.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.