Please leave your credit card number, its expiration date and security code, along with your full name and billing address in the comments section of this blog post. You’re obviously not going to do this. You know better, I know better, but there are those who don’t. So many, in fact, that scammers are not only comfortable with and willing to invest in scams no more or less complicated, but they are also confident that the scams will succeed.

Such is the case for a familiar social engineering campaign with a new twist. Securelist’s Vicente Diaz details an email-based scam in which attackers are attempting to pilfer various sensitive data simply by asking for it in a Google Doc attached to a phishing email. As has been a hallmark of traditional email-based phishing campaigns, the malicious link, which in this case leads to a Google Doc, is delivered via an email whose text is written in poorly constructed language. Diaz used an example written in Spanish.

Diaz initially thought the method was a novel one, but he quickly realized the Google Doc technique has already caught on, in part because of the ease with which Google Docs bypass security products. Diaz notes that the method is also potent because Google Docs appear legitimate to victims.

Historically, the malicious links embedded in emails would lead to compromised websites serving malware or to domains masquerading as social media, banking, or other online login pages in order to steal credentials. However, in this case, the questionable link leads to a Google Doc, malicious only in its requests: asking for the usernames, email addresses, passwords, and dates of last access from its victims.

Diaz isn’t completely certain what the attackers are after, but he believes they are attempting to steal email authentication credentials.

For those of you unacquainted with how Google Docs work, recipients of a Doc input information, save it, and the updated document is automatically sent back to the Doc’s creator.

Diaz warns this is only the beginning. While Google Docs are a convenient medium for duping the unsuspecting into disclosing information they shouldn’t disclose, they are also convenient for hosting more malicious content like malware and executables.


Comments (6)

  1. Anonymous

    Is this really new to threatpost?  We’ve been experiencing these through most of the year at my place of business.  Sadly, we are guaranteed that at least a few of our users will give up their credentials whenever we see one of these.

    The most frustrating part is that we can’t call Google and ask them to take the Obvious Just By Looking phishing site down.  The only recourse you have is to click the “this page is bad” link at the bottom of the page.

    IMHO, Google isn’t holding up their end of the deal here.  They’re facilitating credential and/or identity theft by not helping us get these sites taken down asap.

  2. David

    If I’m not supposed to give anyone my CC number then how is it ok for me to purchase an X for $Y with it? The next variant of this scam is to cold call asking for a donation to a charity, get all the CC information for that $1 donation. Don’t bother ever making the charge, the person will forget they made the donation and you have all the information you need.

    CCs are fundamentally insecure because there is no secret, and that’s not a secret. The only thing consumers need to do is regularly review their transaction activity.

  3. Anonymous

    Shocking that anyone would fall for this.


    In response to the first post on Thur 10-18-2012 5.25pm:- Just reading your comment made me frustrated with these users so I can only imagine your annoyance. However this example does highlight how important good security policy training is to an organisation and how vital it is to keep the business secure. After all, most of the time the weakest link in security are the users themselves.

  4. sec-dude

    The best risk management approach to such risks is avoidance.

    Alas, lots of companies do not have internal regulations or tools to limit access to pastebins, untrusted online collaboration tools etc.

