Most phishing and data grabbing attacks have a major problem: they cannot use the domain of the official service, but need to use another one.
Some use similar looking domains, or very long domain names that start right but are only sub-domains and end with an unrelated domain name.
The latest phishing scam that Symantec noticed recently takes the idea to a whole new level. Instead of hosting the fake website on a different domain, the attackers use Google's own Drive and Docs service to host the files.
The effect? When you check the url, you see that it is using https and that it is a google.com domain. So, everything is alright then, right?
The scam begins like many other scams. You get an email with a link. This link points to a google.com address, and when you follow it, you are asked to sign in.
The problem here is that this is not an official Google sign-in link, even though it is hosted on a Google domain and using a Google SSL certificate.
How the spammers do it? They have created a folder on Google Drive, made that folder public, uploaded a file to it, and use the preview feature of Google Drive to get a publicly accessible address that they use in their phishing attempts.
So, the sign-in form is fake, even though it looks real, is on google.com, and uses SSL.
If you sign-in here, your authentication credentials are transferred to a PHP script on a compromised web server. You are redirected to a Google document afterwards, which means that you may not even realize what just happened -- that you gave away your Google account to a third-party.
There are a couple of indicators that may warn you that something is not alright. First of all, the link you are taken to is not a Google Sign-in link which -- as far as I know -- always begins with accounts.google.com no matter which service you are accessing from the company.
If you do not see accounts.google.com, chance is that you are not on an official sign-in page.
Second, and this is more a behavioral suggestion: never click on links directly in emails, especially not if you do not know the sender of that email. Instead, visit the website of the service directly by loading the page manually in your web browser of choice, signing-in there, and checking out whatever someone added to the email.
And even if you click on the email link, warning flags should go up when you are asked to sign-in if you are already signed in to your account.
Google seems to have fixed the issue according to Gizmodo information. Fixed in this case means that Google has removed the fake pages but has not yet released a fix that protects future abuse. The team appears to be working on that though.
Google suggests that you reset your password if you think that you may have given out your account information accidentally.
Phishing attacks get more sophisticated all the time, but this is a whole new level. If you can host your fake login pages on domains owned by the company that you want to steal user credentials from, then it is taking phishing to a whole new level.
If you like our content, and would like to help, please consider making a contribution: