Symantec has uncovered a phishing scam aimed at Google Docs and Google Drive users, according to a blog post by Nick Johnston.
Users are sent an email with the word “Documents” as the subject and told to click a link to view a document on Google Docs. They are then taken to a phony login page that mimics the one used for Google’s online services. Log-in credentials are forwarded to a PHP script on a compromised server while the user is directed to a real Google Docs document. The scam is convincing, Johnston wrote, because the fake page is “hosted on Google’s servers and served over SSL.”
The phony page was generated by creating a folder inside a Google Drive account, then setting it to public and uploading a file. A URL is obtained by using Google Drive’s preview feature.