Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Challenges of Anti-Phishing Advice, the Google Docs Edition

Published: 2012-12-19
Last Updated: 2013-07-13 01:53:06 UTC
by Lenny Zeltser (Version: 1)
8 comment(s)

Coming up with meaningful anti-phishing advice is hard, in part because even the most pragmatic tips cannot be practical in all situations. Scams where the attacker's data-collection form resides at a Google Docs (now Google Drive) are especially difficult to warn users about. After all, the malicious webpage resides at the trusted domain. The effect is especially severe for organizations using Google Apps as a collaboration platform.

Using Google Docs for hosting phishing forms isn't new. F-Secure published several examples of such scams in May 2011; GFI shared additional screenshots in June 2011; Sophos outlined some examples in May 2012. 

To understand why such scams aren't going away any time soon, consider the example that came to our attention this month. The malicious email arrived with the subject "Message From I.T Service Helpdesk" and alerted the user, "Your mailbox is almost full."

Your mailbox is almost full

Recipientswho clicked the "CLICK HERE" link were directed to the following "IT HELPDESK SERVICE" page, which prompted for logon credentials that the attacker wanted to capture.

Google Docs URL

Although the landing page had a very basic look to it, it resided at the domain that most people trust: The attacker was likely using a compromised Google Apps account of another organization to create a Google Docs spreadsheet and expose its data entry form in the manner shown above.

The use of the Google domain is what lends credence to the phishing scams that make use of Google Docs. The targeted individuals can no longer rely on the advice we often give: Examine the URL bar to confirm that you are at a trustworthy site. This problem is especially severe for individuals whose organizations use Google Aps for email, calendaring and file management needs. In such cases, administrative communications are expected to come through or reside at the domain.

What anti-phishing advice could we offer to potential Google Docs phishing scam victims? There's the more general suggestion of being vigilant and looking out for anomalies, be they an unusual signature line in the email message or an unexpected look-and-feel of the web page. A more specific recommendation might be: Avoid clicking on email links when you need to take important actions that require logging in. Relying on a previously-saved bookmark is safer.

Is that practical advice? Not for all situations. This is what makes anti-phishing advice so challenging to provide.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and . He also writes a security blog.

8 comment(s)
Diary Archives