Number: IRCNE2015102670
Date: 2015/10/25
According to “itpro”, although Google claimed to have fixed a security hole in Google Drive last year, criminals are still making use of a Google Drive phishing scam that can steal your email address and password in just a few taps.
Last year, it was revealed hackers were using fake Google Drive documents to force you to enter your email and password, but this year's attack seems to be more sophisticated.
You may receive an email from one of your contacts, granting you access to a document stored in Google Drive. Click on the link and you're taken to the normal Google Drive sign-in screen.
Then, after entering your username and password, you're asked to enter your verification details: either your mobile phone number, if you have one associated with your account, or your secondary email address.
When you've entered this information, you're forwarded to your Google Drive, but there's no document in sight. You've just had your details phished.
Symantec investigated the flaw last year and found that the login page is actually hosted on Google's servers and served over SSL, making it seem very convincing.
"The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly accessible URL to include in their messages," Symantec security expert Nick Johnston explained in a blog post.
However, it was reportedly fixed soon after, with Google saying: "We've removed the fake pages and our abuse team is working to prevent this kind of spoofing from happening again. If you think you may have accidentally given out your account information, please reset your password."
However, Chris Boyd, Malware Intelligence Analyst at Malwarebytes, said using Google Docs to phish hasn't gone away and is still a popular way of stealing login details (and in this case, your phone number and secondary email too).
"More often than not, the contact details used in the emails are randomly lifted from websites, blogs and even other emails. If in doubt, try contacting the sender to confirm if what you're looking at is the real deal."