The security researchers at F-Secure have discovered several phishing sites hosted on Google Docs, Google’s online office suite. This is not an uncommon occurrence, it seems. According to a new blog post on the security firm’s site, the team says “we regularly see phishing sites via Google Docs spreadsheets and hosted on spreadsheets.google.com.”
The dangerous thing about these attacks is that they’re hosted on a google.com domain, which gives these nefarious pages an air of legitimacy. One form even had the researchers themselves stumped as to whether it was phishing or not!
Because the phishing sites are on the google.com domain, they have a valid SSL (secure sockets layer) certificate. In other words, your Web browser won’t be able to warn you that you’re about to proceed to an untrustworthy, unsafe site, as many browsers do today, including Google Chrome. Instead, a click on the green icon in the address bar will confirm that “the identity of this website has been verified by Google Internet Authority.”
While researching the many examples of Docs-hosted phishing sites, the F-Secure researchers came across this form (see below), which asks for your Google Voice number, email address and the secret PIN code on your account. It appears to be a phishing site, but oddly, at least one Google employee was found to have linked to the form on online Help forums.
This stumped the researchers, who then turned to Twitter to ask their followers what they thought. Tweets Mikko H. Hypponen, F-Secure’s CRO:
“The consensus on Twitter seems to be that the weird page on google.com is a phishing site. The jury’s still out though.”
Writes one commenter on the original blog post: “I must say kudos to Google for anonymizing so well the form, there’s no way to tell who made it.” Uh-oh, Google.
As of now, it’s still unknown whether this form is a phishing attack or a real form used by Google in the past. If you want to try to figure it out on your own, the F-Secure blog post provides a link to the form. We won’t link to it ourselves, as a precaution.
Update: The following was just added to the F-Secure website:
Updated to add: We got contacted by a Google employee.
They informed us that, surprisingly, the questionable page is indeed the official Google form to request Google Voice account transfer. They also told us to remove all references to the form in this blog post. But I’m afraid we can’t do that.
Image credits: F-Secure