Scammers just found a new phishing lure to play with: Google Drive. A flaw in Drive is being exploited to send out seemingly legitimate emails and push notifications from Google that, if opened, could land people on malicious websites. The scam itself is nothing new—messages asking you to click on dodgy links are as old as the internet itself—but it could catch a lot of people off guard.
The smartest part of the scam is that the emails and notifications it generates come directly from Google. On mobile, the scam uses the collaboration feature in Google Drive to generate a push notification inviting people to collaborate on a document. If tapped, the notification takes you directly to a document that contains a very large, tempting link. An email notification created by the scam, which likewise comes from Google, contains a potentially malicious link. Unlike regular spam, which Gmail does a pretty good job of filtering out, this message not only makes it into your inbox, it gets an added layer of legitimacy by coming from Google itself.
The success of email spam filters has left scammers looking for new ways to get people to click on malicious links. And Google Drive is pretty accommodating. By default, Drive wants you to know when someone has mentioned you on a document. In a work setting, this could be a colleague asking you to check over a slide in a presentation or a brief for a new project. For scammers, it’s a clever way of putting a malicious link right in front of a potential victim.
The scammers are working their way through a huge list of Gmail accounts, with scores of people reporting similar versions of the attack in recent weeks. One of the scam notifications received by WIRED linked to a Google Slides document that had been created by a Gmail account with a Russian name. The document’s edit history showed it had been copied from another document and was constantly being edited, suggesting that scammers were duplicating the scam and adding more people to try to lure in new victims. WIRED contacted the Gmail address linked to the scam document but received no reply. The scam document has since been deleted for violating Google’s terms of service.
People targeted by the scam receive Google Drive notifications and emails in Russian or broken English asking them to collaborate on documents with nonsense names. These documents always contain a link to a scam website. One of the websites used for the scam, which was only registered on October 26, bombards people with notifications and requests to click on links to deals and prize draws. Other versions of the scam try to lure people to click on links to check their bank account or to receive a payment.
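The pattern described above (a share notification that really does come from Google, sent by an unknown account, for a document with a nonsense name whose body carries a link to a non-Google site) can be triaged mechanically. The following is an added example, not code from WIRED or from Google; the sender address, the allowlists and the sample message are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample of a Drive share notification. The sender address and all
# names/domains are assumptions for this example, not values from the article.
SAMPLE_NOTIFICATION = """\
From: "Ivan (via Google Drive)" <drive-shares-noreply@google.com>
To: victim@example.com
Subject: Document shared with you: "xjq38 dfkl"
Content-Type: text/plain; charset=utf-8

ivan.example123@gmail.com has invited you to edit the following document:
xjq38 dfkl
Open: https://docs.google.com/presentation/d/EXAMPLE_ID/edit
Message: Your payment is waiting, confirm here http://prize-draw-example.test/claim
"""

KNOWN_SHARERS = {"colleague@example.com"}            # assumed contact allowlist
GOOGLE_LINK_HOSTS = {"docs.google.com", "drive.google.com"}
LURE_WORDS = ("payment", "prize", "bank account", "deal")  # themes the article reports


def triage_share_notification(raw_message):
    """Return (score, reasons) for a Drive share e-mail; a higher score is more suspicious."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    reasons = []
    # Who actually shared the document? The From: header is Google's, so look in the body.
    m = re.search(r"([\w.+-]+@[\w.-]+)\s+has invited you", body)
    sharer = m.group(1).lower() if m else None
    if sharer is None or sharer not in KNOWN_SHARERS:
        reasons.append(f"sharer not in allowlist: {sharer}")
    # Any link that leaves Google's own document hosts is the delivered payload.
    links = re.findall(r"https?://[^\s\"'<>]+", body)
    outside = [u for u in links if (urlparse(u).hostname or "") not in GOOGLE_LINK_HOSTS]
    if outside:
        reasons.append(f"non-Google link(s): {outside}")
    hits = [w for w in LURE_WORDS if w in body.lower()]
    if hits:
        reasons.append(f"lure keyword(s): {hits}")
    return len(reasons), reasons


if __name__ == "__main__":
    score, why = triage_share_notification(SAMPLE_NOTIFICATION)
    print(score, *why, sep="\n")
```

A real deployment would feed this from the mailbox rather than a string and treat a non-zero score as a reason to hold the notification for review, not to block it outright.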
It might not be elegant but the scam is effective in getting malicious links into people’s inboxes and mobile devices. “Link delivery is always a challenge,” says Jake—@JCyberSec_ on Twitter—an independent cybersecurity researcher who has been tracking phishing campaigns for five years and who was also targeted by the Drive scam. “Emails are closely monitored and scanned by systems meaning a huge number of spam emails are detected before delivery,” he says – but Google Drive offers no such protection. “Threat actors are always attempting to find new delivery methods,” Jake says. And on mobile the phishing method could be particularly effective. “Mobile targeted phishing is on the rise as there are less security controls,” he adds.
A Google spokesperson says the company has measures in place to detect new spam attacks and stop them, but that no security measures are 100 percent effective. The spokesperson adds that Google is working on new measures to make it harder for Google Drive spam to evade its systems. Anyone targeted by the scam can report it to Google via the company’s support page.
“It’s difficult for Google to do anything if the notification is coming from a legitimate account, which is, of course, easy to create,” says David Emm, principal security researcher at cybersecurity firm Kaspersky. He adds that, as with all phishing scams, the important thing is to think before you click. “Avoid clicking on unsolicited links of any kind when sent from unknown sources. If you weren’t expecting to receive it and don’t know the sender, don’t respond.”
The novel approach to tricking people into clicking on malicious links is similar to a scam that planted phishing links into Google Calendar. In that instance, phishers realized they could take advantage of a default setting in Google Calendar that let them plant their own events laced with dodgy links. As with the Google Drive scam, emails and notifications generated by the Calendar scam also came from Google.
Posts on Google community forums and social media suggest that the Drive scam has gone into overdrive in recent weeks, with some people complaining of receiving multiple notifications to collaborate on dodgy documents. Many of the documents reported to Google appear to have been deleted for violating its terms of service.
This story originally appeared on WIRED UK.