Scammers just found a new phishing lure to play with: Google Drive. A flaw in Drive is being exploited to send out seemingly legitimate emails and push notifications from Google that, if opened, could land people on malicious websites. The scam itself is nothing new—messages asking you to click on dodgy links are as old as the internet itself—but it could catch a lot of people off guard.
This story originally appeared on WIRED UK.
The smartest part of the scam is that the emails and notifications it generates come directly from Google. On mobile, the scam uses the collaboration feature in Google Drive to generate a push notification inviting people to collaborate on a document. If tapped, the notification takes you directly to a document that contains a very large, tempting link. The email notification the scam generates, which likewise comes from Google, contains a potentially malicious link. Unlike regular spam, which Gmail does a pretty good job of filtering out, this message not only makes it into your inbox, it gets an added layer of legitimacy by coming from Google itself.
The success of email spam filters has left scammers looking for new ways to get people to click on malicious links. And Google Drive is pretty accommodating. By default, Drive wants you to know when someone has mentioned you on a document. In a work setting, this could be a colleague asking you to check over a slide in a presentation or a brief for a new project. For scammers, it’s a clever way of putting a malicious link right in front of a potential victim.
The scammers are working their way through a huge list of Gmail accounts, with scores of people reporting similar versions of the attack in recent weeks. One of the scam notifications received by WIRED linked to a Google Slides document that had been created by a Gmail account with a Russian name. The document’s edit history showed it had been copied from another document and was constantly being edited, suggesting that the scammers were duplicating the scam and adding more people to it to try to lure in new victims. WIRED contacted the Gmail address linked to the scam document but received no reply. The scam document has since been deleted for violating Google’s terms of service.
People targeted by the scam receive Google Drive notifications and emails in Russian or broken English asking them to collaborate on documents with nonsense names. These documents always contain a link to a scam website. One of the websites used for the scam, which was only registered on October 26, bombards people with notifications and requests to click on links to deals and prize draws. Other versions of the scam try to lure people to click on links to check their bank account or to receive a payment.
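The pattern described above (a notification that genuinely comes from Google but whose link leads to a freshly registered outside domain) is something a mail-security team can triage automatically. The following Python is an added example, not code from WIRED or Google; the notification text, the domain names and the registration dates are all constructed, and the registration table stands in for a real WHOIS/RDAP lookup.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Hosts a genuine Drive notification may legitimately point at (assumed list).
GOOGLE_HOSTS = ("google.com", "googleusercontent.com", "gstatic.com")

# Constructed stand-in for a WHOIS/RDAP lookup: domain -> registration date.
# The year is assumed; in real use these values come from an RDAP query.
REGISTRATION_DATES = {
    "example-prize-draw.test": date(2020, 10, 26),
    "docs.google.com": date(1997, 9, 15),
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def is_google_host(host):
    """True only for Google hosts, so 'google.com.evil.test' is not trusted."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTS)


def triage_notification(text, today, max_age_days=30):
    """Return (url, reasons) for every link that deserves blocking or review."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        reasons = []
        if not is_google_host(host):
            reasons.append("link leaves Google although the mail came from Google")
            reg = REGISTRATION_DATES.get(host)
            if reg is None:
                reasons.append("domain has no registration record")
            elif (today - reg).days <= max_age_days:
                reasons.append("domain registered %d days ago" % (today - reg).days)
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample of a collaboration notification like the ones described.
SAMPLE = """Ivan (ivan@example.test) mentioned you in a comment:
Hello!!! Your payment is ready, check here:
https://example-prize-draw.test/claim?id=123
Open: https://docs.google.com/presentation/d/abc123/edit"""


def triage_sample():
    """Run the constructed sample against a constructed 'today'."""
    return triage_notification(SAMPLE, date(2020, 11, 5))


if __name__ == "__main__":
    for url, reasons in triage_sample():
        print(url, "->", "; ".join(reasons))
```

Only the outside link is reported; the Google-hosted document link passes, which is exactly why the notification itself looks legitimate and the check has to follow the link's destination rather than the sender.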
It might not be elegant but the scam is effective in getting malicious links into people’s inboxes and mobile devices. “Link delivery is always a challenge,” says Jake—@JCyberSec_ on Twitter—an independent cybersecurity researcher who has been tracking phishing campaigns for five years and who was also targeted by the Drive scam. “Emails are closely monitored and scanned by systems meaning a huge number of spam emails are detected before delivery,” he says – but Google Drive offers no such protection. “Threat actors are always attempting to find new delivery methods,” Jake says. And on mobile the phishing method could be particularly effective. “Mobile targeted phishing is on the rise as there are less security controls,” he adds.
A Google spokesperson says the company has measures in place to detect new spam attacks and stop them, but that no security measures are 100 percent effective. The spokesperson adds that Google is working on new measures to make it harder for Google Drive spam to evade its systems. Anyone targeted by the scam can report it to Google via the company’s support page.