Phishing scammers are exploring new technique to conduct illicit activities, in the recent weeks we have already discussed on the efficiency to use Google Docs and Google Drive for phishing campaigns.
Google Drive popularity is significantly increased due an aggressive pricing policy, and the availability of premium Google Drive accounts pre-installed on many mobile devices.
Google Drive is considerable a privileged target, stealing Google credentials cyber criminals could access to the overall services provided by Google.
This form of phishing is surely more efficient of classic methods based on email messages, consider, in fact, that Google Drive phishing page is actually served over a secure SSL connection from the legitimate Google Drive service itself, this circumstance makes hard its detection to defense mechanisms.
Many users base their principal defense against phishing on the visual inspection of the URL, it’s a good habit but not enough to prevent them against this type of scam.
Symantec has recently published a blog post to alert users on a new sophisticated Google Drive phishing scam, also in this case scammers used a phishing message with a simple subject of “Documents” and containing a URL pointing to a phishing page hosted on the Google Drive file storage and synchronization service.
The particularity of this scheme is that phishers have faced with problems adding at the bottom corner of the page a language selection box. Users must be alerted by the fact that the items in the list have been inadvertently corrupted, as some language names are presented with a question mark on each side.
“This corruption is probably because Google lists languages in their native scripts: for example, Korean is listed in a language dropdown using the native Korean alphabet of Hangul: 한국어. When phishers saved a copy of the Google login page, they likely inadvertently changed the character encoding from UTF-8 to ISO-8859-1 (Latin-1), causing this corruption in the display.” states Symantec.
Unfortunately, victims ignore the problem to the Language selection box, they tend to underrate it and then proceed to login to the phishing site using their credentials to attackers.
Symantec experts noticed that stolen credentials are sent to a PHP script on a compromised server which redirects the victim to a document hosted on Google Drive.
The script name “performact.php” is the same used in previous Google Docs and Google Drive phishing scam, this circumstance suggests that the attackers behind the phishing campaign are the same or probably linked to the author of the principal attacks observed in the past months.
As explained by experts at Symantec this tactic could be used also for other illicit activities like malware distribution.
Once again, let me suggest you to enable Google’s two-factor authentication to reduce your exposure to this type of scams.
(Security Affairs – Google Drive, phishing)