Today’s exploit, if genuine, is similar to a scam from March 2014, researchers say. We’ve contacted security firm Symantec, which reported last year’s scam, but they had not responded by press time.
For Google’s part, a spokesperson from the company gave us this statement: “We’re constantly working to protect people from phishing scams through a combination of automated systems, in-product warnings, and user education. We’re aware of this particular issue and taking the appropriate actions.”
Elastica CEO Rehan Jalil told us the company used Google’s automated tool to warn the search giant of the vulnerability about two weeks ago. However, he added, Elastica didn’t follow up with Google before publishing its results. At publication time, the phishing websites were still live.
This is a clever example of a so-called phishing attack that tricks you into giving up valuable personal information, typically your username and password. In this case, the email, titled simply “Document,” states, “Hi. Please see the remaining document on Google drive,” and then provides a long link to click on.
Once scammers have your Google credentials, they can log on to any service that uses your Google login, read your email, access personal files stored on Google Drive, reset the passwords to any other online service that has your Gmail address, and change your password so that you would be unable to log back in.
Fortunately, you can avoid falling prey to this scheme, and any similar ones, by abiding by the following guidelines.
Don’t trust any old email
...One clever trick on the part of these likely cybercrooks is that the note comes from a Gmail address. This, according to Elastica, may have tricked Google’s spam filters into allowing the message to get through.