Cybercriminals are taking advantage of legitimate services as much as they can to ensure the success of their phishing schemes. A perfect example is a scam that relies on Google Docs to steal the login credentials of Spanish-speaking users.
Kaspersky experts have identified a malicious email entitled “Security alert” that claims to come from the system administrator. Presumably, the emails target the employees of major companies who are accustomed to receiving notifications from the IT department.
The trick is that, unlike other similar campaigns, the links from the alert don’t point to a malicious domain registered especially for the occasion, but to a Google Doc that’s hosted by the search engine giant.
Here, potential victims are presented with a form that asks them to provide their usernames, email addresses, passwords and the date of their last login.
The fact that the attackers use Google Docs has several advantages. First of all, the email will most likely bypass any spam filter, since the links it contains point to google.com.
Furthermore, they don’t need to set up a server to collect the information, since the details input by the victim are sent directly to the Doc’s owner.
“But this is just the tip of the iceberg,” Kaspersky Lab Expert Vicente Diaz explains. “Google Docs allows hosting other content such as executable files in different formats, resulting in a very convenient and free hosting service for malicious content. As a bonus, the connection is HTTPS by default, making the use of this service even more convenient for cybercriminals.”
By leveraging legitimate services, cybercriminals can fly under the radar and ensure that their malicious webpages remain online for longer periods. That’s why such practices are becoming more common these days.
Users who come across such phishing pages are advised to report them by using the special reporting tools made available on Google Docs.
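For mail defenders, the filter bypass described above suggests checking what a link does rather than only where it is hosted. The following is an added example, not code from Kaspersky or Google: it contrasts a reputation-only check with a content-aware one on a constructed message. The URL path patterns, keyword list and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above (not a real capture).
SAMPLE = """\
From: "System Administrator" <admin@example.com>
Subject: Alerta de seguridad
Content-Type: text/plain; charset=utf-8

Confirme su nombre de usuario y su contraseña en el formulario:
https://docs.google.com/forms/d/e/CONSTRUCTED_FORM_ID/viewform
"""

TRUSTED_DOMAINS = {"google.com"}  # what a reputation-only filter trusts
# Assumption: URL path shapes used by Google-hosted forms.
FORM_PATH = re.compile(r"^/(forms/|spreadsheet/(embedded|view)form)", re.I)
# Assumption: a small English/Spanish keyword list; tune for your own mail flow.
CRED_WORDS = re.compile(r"\b(password|contraseña|usuario|username|login)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registered_domain(host):
    # Simplification: last two labels; production code needs a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def reputation_only_verdict(urls):
    """True when every link sits on a trusted domain (the check the lure defeats)."""
    return all(registered_domain(urlparse(u).hostname or "") in TRUSTED_DOMAINS
               for u in urls)

def analyze(raw):
    """Analyze a single-part text message; multipart handling is omitted."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    urls = URL_RE.findall(body)
    hosted_forms = [u for u in urls
                    if (urlparse(u).hostname or "").lower() == "docs.google.com"
                    and FORM_PATH.match(urlparse(u).path)]
    return {
        "passes_reputation_filter": bool(urls) and reputation_only_verdict(urls),
        "hosted_form_links": hosted_forms,
        # Flag only the combination: hosted form link plus credential wording.
        "flag": bool(hosted_forms) and bool(CRED_WORDS.search(text)),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A flagged message is a candidate for quarantine or analyst review rather than proof of phishing, since legitimate surveys also use hosted forms.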