If your organization uses Google Docs, then you may have a false sense of security.
Many organizations have reported attempts by phishers to steal personal information and passwords using Google Docs. Creating a Google account and then hosting a form through Google Docs is “child’s play,” according to Graham Cluley, senior technology consultant at Sophos.
For example, phishers send out e-mails telling recipients that their mailboxes will be locked if they don’t confirm their information. When users click the link, they are directed to a Google Docs form that asks for information including their e-mail addresses and passwords.
Once they’ve obtained the information, phishers can then use e-mail account information to try to unlock other information about the user. For example, if the user has a Gmail account and uses the Gmail username and password to log in to online banking, then the phisher now has access to the user’s bank account and credit card information.
Although Google Docs forms feature a “Report Abuse” link, Oxford University says that Google does not respond to abuse claims quickly. If Google takes 24 to 48 hours to remove the phishing form, then phishers have time to gather a lot of information.
To take a stand, Oxford shut down Google Docs on campus for 2.5 hours on Monday, February 18. Officials hoped that the outage would get the attention of faculty, students and campus visitors and alert them to the danger of Google Docs phishing forms.
OxCERT, Oxford’s network security team, blasted the search engine giant in a blog post. “If OxCERT are alerted to criminal abuse of a University website, we would certainly aim to have it taken down within two working hours, if not substantially quicker,” wrote Robin Stevens.
“We have to ask why Google, with the far greater resources available to them, cannot respond better.”
Google Docs easily bypasses most security products. Vicente Diaz of Securelist warns that Google Docs can also transport malware and executables as attached files.
Bottom line: Never enter sensitive information through a link in an e-mail. As always, the lousy grammar, punctuation and spelling contained in many phishing e-mails should be a dead giveaway not to click.
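For mail administrators, the lure described above (a mailbox-lock threat plus a link to a Google Docs form) can be scored at the gateway. The following is an added example, not code from OxCERT, Sophos or Securelist; the form URL shapes, the lure phrases and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed URL shapes for forms hosted on Google Docs (not given in the article):
#   docs.google.com/spreadsheet/viewform?formkey=...   docs.google.com/forms/d/<id>/viewform
FORM_PATH = re.compile(r"^/(spreadsheet/(view|embedded)form|forms/)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Assumed lure wording, modelled on the article's example: lock threats and
# demands to "confirm" account information or a password.
LURE_RES = [re.compile(p, re.I | re.S) for p in (
    r"mailbox\b.{0,40}\b(locked|suspended|deactivated|closed)",
    r"\b(confirm|verify|validate|update)\b.{0,40}\b(account|information|details|password)",
    r"\bpassword\b",
)]

def form_links(body):
    """Return links in the body that point at a form hosted on docs.google.com."""
    found = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;")
        try:
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        # Exact host match: the risk here is abuse of the genuine Google domain,
        # which reputation filters trust; lookalike domains are a separate check.
        if host == "docs.google.com" and FORM_PATH.match(parsed.path):
            found.append(url)
    return found

def score_message(body):
    """Quarantine form links paired with a credential lure; review bare form links."""
    links = form_links(body)
    lure_hits = sum(1 for rx in LURE_RES if rx.search(body))
    if links and lure_hits:
        verdict = "quarantine"
    elif links:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "links": links, "lure_hits": lure_hits}

# Constructed sample messages (not real mail).
SAMPLES = {
    "lure": "Your mailbox will be locked unless you confirm your information: "
            "https://docs.google.com/spreadsheet/viewform?formkey=EXAMPLEKEY123 .",
    "survey": "Please fill in the lunch survey at "
              "https://docs.google.com/forms/d/EXAMPLEID/viewform by Friday.",
    "doc": "Please verify your account details in the shared doc "
           "https://docs.google.com/document/d/EXAMPLEID/edit",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_message(body))
```

The "review" verdict matters because legitimate surveys use the same host and path, so a form link alone is not enough to block on.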
Edited by Brooke Neuman