ALERT: The Google Drive Phishing Scam Returns!

Watch out: A highly convincing Google Drive phishing scam is back.

Reports indicate that it is being carried out by the same group of attackers as before, however this time around it comes with a little twist. In addition to stealing user credentials, the scam can now infect users with malware. Fortunately, however, whoever designed the phishing page made a little mistake that’s a dead giveaway to attentive users.

Drive Scam Play-by-Play Round 2

We first observed this type of attack back in March 2014. As then, the scam is carried out in the exact same way.

  • The scam is initiated by the standard email request to view a shared document on Drive, with a subject line: Documents.
  • Opening the email reveals a link to what is said to be a “very important document.”
  • Clicking on the link leads users to a fake Google log-in page, which is essentially identical to the real one.
  • The fake log-in page is even hosted on Google and contains SSL certification.

As before, users who enter their information and “Sign in” are redirected to an actual Google Doc containing irrelevant information.  At the same time, and in the background, the user’s Google log-in credentials are sent to the scammer’s web server.

How to Spot this Scam

This time around, the attackers made a mistake. In the bottom right hand corner of every legitimate Google Drive log-in page, there is a drop down menu for language selection.


drive language

The image above shows what this language menu is supposed to look like. On the Google Drive phishing webpage, all languages in the drop down menu have a ? in front of them; so, instead of English (United States) you would see ?English (United States). If you encounter this little bug, DO NOT PROCEED.

As before, it’s also wise to take the following precautions:

  • Delete any unsolicited invitations to share Google Documents.
  • Do not click on links you receive from people you don’t know.
  • Avoid logging in to Google through emailed links; instead, go to the real and proceed from there.
  • Stop and think: If you use Gmail and are already logged in to your Google Account, you shouldn’t need to log in again to access Drive.
  • Enable two factor authentication. That way, even if your credentials are compromised, the scammer will not be able to log-in to your account from their computer.

What Happens If You’re Phished

If you attempt to log-in to Google Drive through one of these phishing pages, you will be submitting your Google log-in credentials directly to a scammer. Armed with such information, the scammer could then log-in to your Google account and do anything they want.

This time around, the cybercriminals have also added a malware component to some of their landing pages. In this scenario, users who are phished are subsequently redirected to a drive-by download website that automatically initiates a malicious install.

Ensuring Drive Scam Protection

Though it is concerning that this scam is back and is actively being propagated through one of the most popular file sharing services on the web today, it is fortunate that its creators have slipped up and given users a red flag to look for and avoid. That being said, as knowledge of the ? bug spreads, it is likely that its authors will repair it.

It is for this reason that Emsisoft Anti-Malware has been built with a layer of automatic Surf Protection. We keep a running list of known fraudulent websites from all across the Internet – such as the ones involved in this latest iteration of the Google Drive phishing scam – and we feed it to Emsisoft Anti-Malware multiple times per day. As a result, if you’re running our software and you try to navigate to a malicious website, you will be prevented from doing so.

Finally, if you think you might have fallen for this recent scam or its predecessor, we recommend a password change, immediately.

Have a Great (Phish-Free) Day!