Okay, I’ll admit it. I have, on more than one occasion, been curious if I could “phish” some personal data from people on the web. Every time I get a message telling me that the deported Prince of Nigeria needs help, or that pretends it’s sent me a PayPal payment, or even that just wants me to enter my personal information to watch some unbelievably hilarious video, I think, “What idiots fall for this?” But we all know the answer is, “Quite a lot of them.”
Phishing is very popular because it works. In the expanding world of the web, there are so many “learn as you go” areas for users that it’s impossible to recognize some phishing attempts outright. That’s especially true since cyber-thieves now have access to so many free and believable resources. One of the most valuable tools that phishers have right now is Google Docs.
Why? One perfect example is a recent phishing attempt that circulated the web. Here’s a brief excerpt from that message, which asked Gmail users to confirm their account to prevent it from being shut down:
To confirm your account kindly fill the account verification form. After Following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request.
Believable? Well, those who pay close attention can see the improper capitalization of “Following,” as well as a few other errors throughout, but that may not be enough to counter what comes next: a link to a Google.com site. As anyone who knows the basic anti-phishing procedures can tell you, one of the primary things to look out for is a link that points to an outside domain rather than to the site the message claims to come from. But phishers can overcome this precaution by using Google Docs.
By using Google Docs, phishers can host forms on a Google.com address, confusing users and even some basic security software. Google’s new technologies may be great for users, but they’re also a great gift to the phishing community.
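To make the gap concrete, here is an added example (not part of the original post) of a link check for a mail filter: a host-only check passes a form hosted on docs.google.com, while a path-aware check flags it when the message also asks for account confirmation. The trusted-host list, the path prefixes, the lure phrases and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts a host-only filter would treat as trusted.
TRUSTED_HOSTS = {"google.com", "docs.google.com", "accounts.google.com"}

# Assumption: path prefixes under which a trusted host serves content that
# any account holder can create (forms, documents, spreadsheets).
USER_CONTENT = {
    "docs.google.com": ("/forms/", "/spreadsheet/viewform",
                        "/document/", "/spreadsheets/"),
}

# Constructed lure phrases, taken from the wording of the quoted message.
CREDENTIAL_LURES = ("confirm your account", "verification form")

# Excerpt quoted in the post, and a constructed link of the kind it describes.
SAMPLE_MESSAGE = "To confirm your account kindly fill the account verification form."
SAMPLE_URL = "https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/viewform"


def host_only_verdict(url):
    """Naive check: the link is trusted whenever its host is on the list."""
    host = (urlsplit(url).hostname or "").lower()
    return "trusted" if host in TRUSTED_HOSTS else "untrusted"


def path_aware_verdict(url, message_text=""):
    """Treat user-created content on a trusted host as its own category."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return "untrusted"
    path = parts.path.lower()
    if any(path.startswith(prefix) for prefix in USER_CONTENT.get(host, ())):
        # Trusted host, but the page itself was written by an arbitrary user.
        text = message_text.lower()
        if any(lure in text for lure in CREDENTIAL_LURES):
            return "suspicious"
        return "user-content"
    return "trusted"


if __name__ == "__main__":
    print("host-only: ", host_only_verdict(SAMPLE_URL))
    print("path-aware:", path_aware_verdict(SAMPLE_URL, SAMPLE_MESSAGE))
```
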
[via Naked Security]