Cybercriminals and attackers are leveraging the Google Drive site and brand to stay under the radar and avoid detection. Just last week, a targeted attack used Google Drive as a means of getting information from its victims. This time, phishers are using a modified version of the legitimate Google Drive login page to steal email credentials. This attack can be considered an improved version of attacks seen earlier this year, which asked for multiple email addresses.
Fake Google Drive Site
Users may receive an email that contains links that lead to the spoofed Google Drive site.
Figure 1. Spammed message containing links to fake site
The phishing site allows users to log in using different email services, which is highly unusual, as Google Drive only accepts Google credentials. The site also has a language option that does not work.
Figure 2. Fake Google Drive site
To trick the user into thinking nothing suspicious is afoot, the phishing site redirects the user to a .PDF file from a legitimate site about investments. However, this redirection to a site about investments may still raise suspicions as nothing in the email indicates the specific content of the “document” is related to finances.
Figure 3. After logging in, users are redirected to a legitimate site
Looking at the Code
A quick look at its source reveals the Chrome "saved from" tag. This means the phish author most likely saved the source of the legitimate Google Drive login page and added malicious code. And since this site recycled code from Google Drive, all the input validation checks are still in place: the phishing site will only accept email addresses in the proper format (e.g., <accountname>@<serviceprovider>.com). This is a marked difference from the earlier phishing pages, which accepted anything, even gibberish.
Figure 4. Code of phishing page reveals recycled code from Google Drive
If the user clicks the Sign In button, the credentials and the mail service are sent to a specific URL.
Figure 5. This screenshot shows all the related activity in the scheme, from the phishing page to the stolen information to the redirection
The site hosting the phishing page appears to be a Chinese sports forum, indicating that it may have been compromised.
Figure 6. Compromised Chinese site
Propagating Through Phishing
Judging from the screenshot below, cybercriminals are using the phished accounts to reach more victims. It appears that this campaign has been operating for at least three months.
Figure 7. Phishing victims discuss how their accounts were used to spread the link
Mobile Users Also Affected
Based on our investigation, this attack also works on mobile devices. When users click the “Sign in” button, they are prompted to download the PDF file, and their credentials are sent out to the cybercriminals.
Figure 8. Screenshot of PDF prompt download in mobile devices
The following URLs, which are related to this attack, lead to https://ad[.]bfopay[.]com/pdf/doc2014/action.php:
It should be noted that as of this writing, all these URLs are inaccessible.
Protecting User Data
Users should exercise caution when opening emails, even those from known contacts. Avoid clicking links that are embedded in emails. Users can also check first by hovering their mouse over the link; doing so can reveal the true URL of the link in the status bar.
Users can also check the legitimacy of the site before sharing any personal data, be it login credentials or contact details. They can check whether the site address has any discrepancy (misspellings, different domain names) from the original site (e.g., <sitename.com> versus <sitename.org>). They should also check the security of the site before sharing any information. One rule of thumb is that sites that use HTTPS are more secure than those that don’t.
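The hover-and-compare check described above can be automated for an entire message. The following is an added Python example, not code from the original post; it assumes the impersonated brand's real hosts end in google.com and runs over a constructed sample message modelled on the spam described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the impersonated brand really uses (assumption for this example).
LEGIT_SUFFIXES = ("google.com",)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_legit_host(host):
    """True only for the brand's own domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def audit_links(html):
    """Return {href: [reasons]} for links whose real destination contradicts what the user sees."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if not is_legit_host(host):
            if re.search(r"google|drive", text, re.I):  # brand named in text, href elsewhere
                reasons.append("brand in link text, destination host is " + host)
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown and shown.lower() != host:  # displayed URL differs from real target
                reasons.append(f"displayed URL host {shown} differs from real host {host}")
            if "google" in host:  # brand name embedded in a domain it does not own
                reasons.append("lookalike domain containing 'google'")
        if reasons:
            findings[href] = reasons
    return findings

# Constructed sample message body (not a real capture); .example domains are placeholders.
SAMPLE_EMAIL = """<p>A document has been shared with you.</p>
<a href="http://sportsforum.example/drive/index.html">Open in Google Drive</a>
<a href="http://drive.google.com.example/login">https://drive.google.com/file/d/abc</a>
<a href="https://drive.google.com/file/d/abc">Drive</a>"""
```

Running `audit_links(SAMPLE_EMAIL)` flags the first two links and leaves the genuine drive.google.com link alone.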
Trend Micro protects users from this threat via its Smart Protection Network, which blocks this phishing page, thus preventing the risk of having user information stolen. Mobile users are also protected from this threat, as our mobile products also block the malicious links.
We have notified Google about this phishing page.