New phishing attack
Here's a look at an interesting phishing attack making the rounds. This attack features several unique characteristics.
- It creates the illusion of multiple account support. To some users this undoubtedly looks "more official".
- It adds a "verify it's you" layer requesting a phone number or additional email address
The original attack email
The form to gather data aka "login page" with fake multiple account support.
A sort of two-step authentication spoof. This unusual request runs the risk of tipping off the User but could also yield additional juicy information for the attackers - phone numbers and additional email addresses. All of this information will be sold on the shady parts of the deep web and dark web.
This step has become a common practice: the User is redirected back to the real Google Drive site at https://drive.google.com
This often creates the illusion that filling out the attackers' form successfully authenticated the User to their Google Drive account, but in reality they were already authenticated before ever clicking on the fake document.
How do we know it's fake?
- I wasn't expecting and hadn't requested any documents from this person.
- The original attack email provides multiple clues
  - Odd sentence structure
  - Strange terms: 'Docu', 'DocDrive'
  - A Microsoft Word logo but a reference to Google Sheets
  - It doesn't look like an email from Google Drive, OneDrive, etc.
- Clicking on the link prompts the user for a password - this is a huge red flag!
- The URL on the fake landing page is for an unrecognized site
- Once all the steps are followed, there's no document and the User is simply redirected back to https://drive.google.com
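The email-level clues in this list (strange product terms, mixed brands, a link to an unrecognized site) can be turned into a rough mail-triage check. This is an added example, not part of the original post; the trusted host list, the sample message and the function names are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: registrable domains where a shared-document link may legitimately land.
TRUSTED_SUFFIXES = ("google.com", "microsoft.com", "live.com", "sharepoint.com")
# Terms the post calls out as strange (not real product names).
ODD_TERMS = {"docu", "docdrive"}
# Brand keywords; seeing more than one brand in one message is a clue.
BRANDS = {"google": {"google", "gmail"}, "microsoft": {"microsoft", "onedrive"}}

class LinkCollector(HTMLParser):
    # Collects link targets plus visible text and image alt text.
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        if tag == "img" and attrs.get("alt"):
            self.text.append(attrs["alt"])
    def handle_data(self, data):
        self.text.append(data)

def host_is_trusted(url):
    # Match on a dot boundary so "drive.google.com.evil.example" and
    # "notgoogle.com" do not pass as google.com.
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def triage(html_body):
    """Return a list of human-readable findings for one HTML email body."""
    parser = LinkCollector()
    parser.feed(html_body)
    words = set(re.findall(r"[a-z]+", " ".join(parser.text).lower()))
    findings = []
    odd = sorted(words & ODD_TERMS)
    if odd:
        findings.append("odd product terms: " + ", ".join(odd))
    brands = sorted(b for b, kws in BRANDS.items() if words & kws)
    if len(brands) > 1:
        findings.append("mixed brands: " + ", ".join(brands))
    for url in parser.links:
        if not host_is_trusted(url):
            findings.append("link to unrecognized host: " + (urlsplit(url).hostname or url))
    return findings

# Constructed sample message, modelled on the clues listed above.
SAMPLE = ('<p>You have received a new Docu via DocDrive.</p>'
          '<img alt="Microsoft Word" src="cid:logo"><p>Open in Google Sheets</p>'
          '<a href="https://drive.google.com.login-check.example/view">View</a>')
```

A message with no findings is not proven safe; the check only surfaces the clues a reader would otherwise have to spot by eye.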
Google's response time
It only took Google a few minutes to identify this one. The message below has been added to the email in my inbox.
This is a huge benefit of Cloud Computing: we are all working together to identify these attacks.