Online file sharing locations being used for phishing expeditions

When we have discussed phishing in previous articles, we mention they often come from financial or corporate organisations such as PayPal, Apple or Telstra. However, we have recently become aware of a number of new types of phishing scams, targeting those who use online file sharing, such as Google, OneDrive and Dropbox.

Phishing scams are emails which appear to be coming from a reputable source, but are in fact not from the originating organisation but someone else who is seeking your personal information for malicious purposes. They not new, but are become increasingly sophisticated due to the advent of online file hosting that can easily enable files to be stored and not scanned by usual methods.

The Google Drive or Google Docs phishing scam comes through via an email, appearing to be from a particular sender you may have received an email from in the past. The subject line is often titled “Financial Documents” or similar. It looks nearly identical with a document being sent from Google Drive, with subtle differences, it also contains a link to open the file, as well as some other information from Google, as can be seen in the screenshot below:

Google Drive Phishing email - example of phishing email
Example of Google Drive phishing email (thumbnail – click image to open larger version)
Google Drive Phishing email - example of legitimate email
Example of Google Drive legitimate email (thumbnail – click image to open larger version)

We became aware of several organisations who have been infected by this Google Drive or Google Docs phishing scam. For the purposes of this article, we contacted a number of these organisations to discuss this with those to understand it in more detail. We appreciate the time and honesty of these organisations to find out more (especially once their initial embarrassment passed!). It helped us to understand the issues and what to look for and educate our clients and Blog readers.

The process seems to be:

  1. A user clicks on the link in the email which takes you to Google Drive to log in and download the malicious file. From each of the circumstances that we identified, it appears they were taken advantage of after first downloading and then running a file which accessed their email address book and sends the email to them requesting they download the same file.
  2. Once the malicious file opens, it then accesses address book and sends a similar to email to your contacts, are suggesting they download a file. Further, due to a nature of this file, you may actually unaware of the issue until the emails were returned as undeliverable or from recipients asking why they received a file.

We have also heard of reports of another scam that contains a similar Google Account login page, whereby you ask are asking however it is actually instead takes you to another website and steals your account information.

Further research has identified the same similar Dropbox and OneDrive as well. We recommend that you follow the following tips to protect yourself:

  1. Make sure you always sign-in directly to the service (using Google.com, Dropbox.com or OneDrive.com, don’t use the links contained within the email unless you are sure they are the correct ones.
  2. If you aren’t expecting to receive an attachment, only download or accept files after confirming from the sender that they intended to send you such a file. Instead of replying to the email that is sent, call or text the sender to confirm that they were wanting to send you such a file.
  3. If you do receive an email that is suspicious or not expected, immediately delete the emails from your computer, carefully ensuring you don’t click on any links, you don’t want to share these!

Through our Support solution, CyberGuru can review your computers to ensure there is appropriate security in place, as well as our Training to help you and your staff become aware on how to identify phishing to protect you and your data. Please contact us today for further information.