I just received an email from a friend. The subject was “INVITATION” and the contents of the email simply contained the words “[name withheld] has sent a message regarding the following document: [withheld] Invitation Hello guys, remember to login and check it out.” I removed the name and other personal information to protect the innocent. I hadn’t heard from this person in a while but everything on quick scan looked legitimate. And, I almost submitted my personal login information on a site that also looked legitimate. But then I stopped. Something didn’t feel right. Here’s why I stopped in my tracks and why I now know it was a Google Docs Phishing Scam.
Update 5/3/17 – A new version of this is making the rounds. But Google is addressing it!
I’m going to dissect this a bit. The order listed below doesn’t actually represent the order in which I did things. I will flag “warnings” that people should look for if they receive something they think is an email phishing scam.
The image above shows the email that I received. It looked almost familiar. It was very similar to other Google Doc notifications I had received in the past. It showed the person’s name as well as a project or site that I was familiar with. Warning #1 – there was no photo of the person in the email. While this isn’t that big of a warning, many people on Google Docs do have a profile picture.
I inspected the sender’s email address. It was actually the proper one. I looked at the email headers. They showed that it was “sent” from mx.google.com so that looked legitimate as well.
My next real action was actually (and stupidly) to click through the email link of the “invitation,” which, in hindsight, is probably not the best course of action. I actually did click through and started to fill out the form I was presented with (image a bit later on in this article) and then I stopped. And I started the forensics.
I looked back at the email and held my mouse over the “invitation link.” You can see the link in the image below (I will not be putting the link as an active link in this article.) Warning #2 – link is NOT Google Docs.
The link shows “trakanmedia DOT com”. You can see the WHOIS information for that site below:
The URL in the email immediately redirects to another site, the one that hosts the Google Docs Phishing Scam form. The site domain is “interesting DOT am” and it goes to a longer URL. Warning #3 – link in email immediately redirects to a completely different domain. Below is the WHOIS for this other site.
This Google Docs Phishing Scam is so simple, it almost worked!
The site looks quite legitimate. It has the look and feel of a valid Google Docs login page. And once I stepped back and thought about this, I knew I had come across a Google Docs Phishing Scam. Here’s what the page looks like:
There are many warnings here. Warning #4 – none of the other links on the site actually are active. “Help” links and the links in the footer do not go anywhere (they just have a “#” link to make them active). Also, normally if you go to a Google Docs login, you will not be prompted to enter in other types of email addresses (at least I don’t think you do). Warning #5 – form tries to capture ANY email and password.
I decided I would look at the domain itself. When I stripped off the trailing path from the domain and went to the root, I saw that the site was “coming soon” and was a long way off. This seemed odd since the form was actually active despite the coming soon. Warning #6 – site seemed phishy in general with no additional information.
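The checks behind Warnings #2, #3 and #4 can be run mechanically. The Python sketch below is an added example, not something from the original investigation: the host allowlist, the `.example` domains, the sample HTML and the function names are all constructed assumptions, and the password-form check is a related test added alongside Warning #4.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts a genuine Google Docs notification or sign-in page would use.
EXPECTED_HOSTS = {"docs.google.com", "drive.google.com", "accounts.google.com"}

class PageScan(HTMLParser):
    """Collect anchor hrefs and note whether a password input is present."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href") is not None:
            self.hrefs.append(attr["href"])
        if tag == "input" and (attr.get("type") or "").lower() == "password":
            self.has_password = True

def scan(html):
    parser = PageScan()
    parser.feed(html)
    return parser

def host(url):
    return (urlsplit(url).hostname or "").lower()

def email_link_warnings(email_html):
    """Warning #2: links in the notification that are not on an expected host."""
    return [h for h in scan(email_html).hrefs if host(h) not in EXPECTED_HOSTS]

def redirect_warning(hops):
    """Warning #3: a recorded redirect chain ends on a different host."""
    return host(hops[0]) != host(hops[-1])

def landing_warnings(final_url, page_html):
    """Warning #4, plus a password form served from an unexpected host."""
    page, findings = scan(page_html), []
    if page.hrefs and all(h.strip() in ("", "#") for h in page.hrefs):
        findings.append("all links are '#' placeholders")
    if page.has_password and host(final_url) not in EXPECTED_HOSTS:
        findings.append("password form on non-Google host")
    return findings

# Constructed samples: placeholder domains, not the real ones from the email.
EMAIL = '<p>Hello guys</p><a href="http://sender-site.example/inv">Open in Docs</a>'
HOPS = ["http://sender-site.example/inv", "http://landing-site.example/docs/login/"]
LANDING = ('<form><input type="email"><input type="password"></form>'
           '<a href="#">Help</a><a href="#">Privacy</a><a href="#">Terms</a>')
print(email_link_warnings(EMAIL), redirect_warning(HOPS), landing_warnings(HOPS[-1], LANDING))
```

The redirect chain is passed in as a recorded list so the script never has to fetch the suspicious link itself.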
So, looking through all of the aspects of this, I realized it was a Google Docs Phishing Scam. Immediately, I sent a note to the person who supposedly sent this email, asking if he had meant to send it. It is quite possible that his email (which happened to be a Gmail address) had been compromised by a similar Google Docs Phishing Scam (read this Gizmodo article) or other type of scam so he might not actually receive the email. And, if his account was indeed compromised, the scammer could just as easily send a reply saying that it was actually him that sent it. I plan on contacting him via another method. But the problem is that once a scammer gets access to your email account, they can take over other accounts like social media or worse.
Anyway, please share this with your friends and coworkers. Be warned, the phishing scams are scary and dangerous!
HTD says: In the age of digital communication, phishing scams can wreak havoc with your online and offline life. Watch out for this Google Docs Phishing Scam!
My wife fell for this. We changed her password and the password was used for nothing else besides her Gmail. Any other safeguards we should take or are we ok?
I would just say to continue to monitor the account. Good luck!