More sophisticated phishing attack making the rounds

 

New phishing attack

Here's a look at an interesting phishing attack making the rounds. This attack features several unique characteristics. 

  • It creates the illusion of multiple account support. To some users this undoubtedly looks "more official"
  • It adds a "verify it's you" layer requesting a phone number or additional email address

Step 1

The original attack email

Original attack email, sent from a previous victim's account

Step 2

The form to gather data aka "login page" with fake multiple account support. 

Clicking on the document takes the user to this fake "login page", which is actually just a form to capture more email addresses and passwords.

The form is a bit trickier than usual, creating the illusion of multiple account type support.

Step 3

A sort of two-step authentication spoof. This unusual request runs the risk of tipping off the User, but it could also yield additional juicy information for the attackers: phone numbers and additional email addresses. All of this information will be sold on the shady parts of the deep web and dark web.

The attackers have taken an interesting next step. They ask for any phone number or additional email address.

Step 4

This step has become a common practice: the User is redirected back to the real Google Drive site at https://drive.google.com.

This often creates the illusion that filling out the attackers' form successfully authenticated the User to their Google Drive account, but in reality they were already authenticated before ever clicking on the fake document.

How do we know it's fake? 

  1. I wasn't expecting and hadn't requested any documents from this person. 
  2. The original attack email provides multiple clues
    • Odd sentence structure
    • Strange terms: 'Docu', 'DocDrive'
    • A Microsoft Word logo but a reference to Google Sheets
    • It doesn't look like an email from Google Drive, OneDrive, etc. 
  3. Clicking on the link prompts the user for a password - this is a huge red flag!
  4. The URL on the fake landing page is for an unrecognized site
  5. Once all the steps are followed, there's no document and the User is simply redirected back to https://drive.google.com
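
The landing-page red flags above (a password prompt on an unrecognized site, one form offering several account types, and the "verify it's you" step) can be turned into a triage check for a reported link. This is an added example, not code from the original post; the provider allowlist, the keyword lists, the sample HTML and the example.test URL are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: provider -> (keywords shown on a page, its real sign-in hosts).
PROVIDERS = {
    "Google": (("gmail", "google"), {"accounts.google.com"}),
    "Microsoft": (("outlook", "office 365"), {"login.live.com", "login.microsoftonline.com"}),
    "Yahoo": (("yahoo",), {"login.yahoo.com"}),
}
ALL_SIGN_IN_HOSTS = set().union(*(hosts for _, hosts in PROVIDERS.values()))

class FormScan(HTMLParser):
    """Collects the <input> types and the visible text of a landing page."""
    def __init__(self):
        super().__init__()
        self.input_types, self.text = set(), []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.input_types.add((dict(attrs).get("type") or "text").lower())

    def handle_data(self, data):
        self.text.append(data.lower())

def review_landing_page(url, html):
    """Return the red flags described in the post that apply to this page."""
    host = (urlparse(url).hostname or "").lower()
    scan = FormScan()
    scan.feed(html)
    scan.close()
    words = " ".join(scan.text)
    named = [p for p, (keys, _) in PROVIDERS.items() if any(k in words for k in keys)]
    real_hosts = set().union(*(PROVIDERS[p][1] for p in named))
    flags = []
    if "password" in scan.input_types and named and host not in real_hosts:
        flags.append("password prompt for a named provider on an unrecognized host")
    if "password" in scan.input_types and len(named) > 1:
        flags.append("one form claims to sign in to several providers")
    if scan.input_types & {"tel", "email"} and "verify" in words and host not in ALL_SIGN_IN_HOSTS:
        flags.append("'verify' step collecting a phone number or extra email address")
    return flags

# Constructed samples (not captured from the real attack).
SAMPLE_LOGIN = """<h1>Sign in to view the document</h1>
<select><option>Gmail</option><option>Outlook</option><option>Yahoo</option></select>
<input type="email" name="user"><input type="password" name="pass">"""
SAMPLE_VERIFY = """<h2>Verify it's you</h2>
<input type="tel" name="phone"><input type="email" name="alt">"""
SAMPLE_URL = "https://files.example.test/login"
```

These are heuristics for sorting reported links, so a hit means "look closer", not a verdict.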

Google's response time

It only took Google a few minutes to identify this one. The message below has been added to the email in my inbox.

This is a huge benefit of Cloud Computing: we are all working together to identify these attacks.

Google proactively added this message to the email in my inbox