A Google Drive phishing scam from March is back, but contains a revealing gaffe.
A Google Drive phishing scam from March is back, but contains a revealing gaffe.

A particularly crafty and effective Google Drive phishing scam that was originally spotted by Symantec researchers back in March has experienced a resurgence here in May, but with one key difference – a page corruption that may set off red flags for would-be victims.

The same phishers seem to be at work here, Satnam Narang, a Symantec researcher, told SCMagazine.com in a Thursday email correspondence, explaining that, like before, users are directed to a phony Google Drive login page if they click on a link in an email with “Documents” as the subject.

Credentials are compromised if submitted on the phishing page and victims are then redirected to an actual document hosted on Google Drive, but careful users that look at the bottom right of the phony website, by the option to choose languages, may be tipped off to the scam due to a glaring issue.

“The options within the language selection box at the bottom of the page are corrupted,” Narang said. A Wednesday blog post by Nick Johnston, a Symantec researcher, contains pictures that show how most language names are bookended by question marks.

Aside from the question mark gaffe, the scam is particularly convincing because it uses the actual Google Drive platform, which serves up the phishing website over SSL, according to the post. Google did not immediately respond to a SCMagazine.com request for comment on why phishing pages could be served up this way.

Narang said that enabling two-step verification should help prevent unauthorized access to accounts.

“Getting user Google account credentials opens the door to [many services, including] Gmail, Google Drive, Google Plus [and] Google Wallet,” Narang said. “And that email can be used to reset passwords for other services you might use.”

In another Google Drive scam recently observed by Symantec, victims were redirected to a Brazilian website hosting a trojan detected as ‘Trojan Horse,' Narang added.