Billions of people trust Google to find information, manage their email, and store their documents. This makes Gmail and Google Drive the perfect tools for scammers who can abuse that trust to steal your personal information.
According to security firm Elastica, this is exactly what scammers have done. In a report released today, the company found that scammers had used Gmail to send emails designed to fool users into visiting a bogus website hosted on Google’s own servers. A hidden script on the Google Drive page captured their Google usernames and passwords, then redirected users to a genuine document (an academic paper) so victims would never suspect their information had been stolen.
Today’s exploit, if genuine, is similar to a scam from March 2014, researchers say. We’ve contacted security firm Symantec, which reported last year’s scam, but they had not responded by press time.
For Google’s part, a spokesperson from the company gave us this statement: “We’re constantly working to protect people from phishing scams through a combination of automated systems, in-product warnings, and user education. We’re aware of this particular issue and taking the appropriate actions.”
Elastica CEO Rehan Jalil told us the company used Google’s automated tool to warn the search giant about the vulnerability about two weeks ago. However, he added, Elastica didn’t follow up with Google before publishing its results. At publication time, the phishing websites were still live.
Elastica hasn’t said how many people have been exposed to the online trap, or if it’s even able to gauge that. But regardless, this is a clever example of a so-called phishing attack that tricks you into giving up valuable personal information, typically your username and password. In this case, the email, titled simply “Document,” states, “Hi. Please see the remaining document on Google drive,” and then provides a long link to click on.
Once scammers have your Google credentials, they can log on to any service that uses your Google login, read your email, access personal files stored on Google Drive, reset the passwords to any other online service that has your Gmail address, and change your password so that you would be unable to log back in.
In other words, this is bad news. Fortunately, you can avoid falling prey to this scheme, and any similar one, by abiding by the following guidelines.
Don’t trust any old email
Silly as it may sound, people often do mindlessly click on links in phishing emails, despite the frequently funky grammar and complete lack of relevance. One clever trick on the part of these likely cybercrooks is that the note comes from a Gmail address. This, according to Elastica, may have tricked Google’s spam filters into allowing the message to get through. (Otherwise, an email like this should scream “Scam!” to a half-decent spam filter, and Google’s filters are generally quite good.)