You get a new email that looks like it’s from a friend, a company, a government official, or even a family member. All that’s in that email is a link. You click it, because of course you do. You’re taken to a login page, where you enter your credentials. Then, that site turns out to be fake and collects your password. Congratulations, you’ve been phished.
Phishing is a time-honoured way to get your login credentials or access to one of your accounts. The idea behind phishing is extremely simple: It’s about tricking you into handing over your information so no actual hack is necessary. Historically, this means sending you an email with a link and hoping you click on it. That link leads to a site the phisher has set up that’s supposed to look like the real site’s login page. Once you log in, the site saves your username and password. This has been going on since the ’90s, when the warez community used phishing emails to snag people’s AOL passwords.
Back then, hackers could easily trick people into clicking on just about anything because that’s just how the internet used to work, but nowadays, we’re all more vigilant, right?
If yesterday’s Google Docs phishing scam is any indication, no. The premise in yesterday’s phishing attempt was the same as it’s ever been: You get an email that looks like it’s from a friend so you click on it. In this case, it was trying to look like someone wanted to share a Google Doc with you. You click the link, and that directs you to the real Google sign-in page. It’s the legit Google page, so you sign in. The phishing attempt comes next, when you grant permissions to what ends up being the phishing app. It’s a clever play on the usual process, even if it isn’t totally doing something new. Here it is in action:
[Embedded tweet: Zach Latta (@zachlatta), May 3, 2017]
As sophisticated and fancy-sounding as this attempt was, there were some indications that it was bogus. For one, the googledocs.g-docs.win URL is sketchy, but beyond that, you’ve most certainly already given Google permission to access your account, because it’s Google, so regranting that makes no sense. Thankfully, in this particular case, you can at least revoke access to that phishing program.
We’ve seen similar versions of this same thing over the years, but phishing attempts are getting better and better at reproducing the login pages of popular sites. One recent attempt used a fake attachment to redirect you to a Google login page, and another way back in 2014 did almost the exact same thing as this week’s hack, replicating a Google Docs login page. That DNC hack last year? Phishing. Over the years, popular phishing targets have also included PayPal accounts, eBay, and just about every major US bank.
What makes these modern attempts more sophisticated? Namely that they’re getting better at hiding what they’re doing so the usual scanning techniques don’t work as well. Phishing attempts are getting better at replicating site login pages like Google or even your bank, they often use tricks to mask the true URL of a link, and they’re getting better at making messages seem like they’re from a real person. In the Google Docs case, it was all about playing into expectations of what a phishing attempt looked like, then using that alongside Google’s OAuth login system to catch you off guard.
So, what’s an otherwise tech-savvy person to do? Continue to not click on any weird links in your email, regardless of who you think sent it. Chances are your friends don’t just send you an email with a link in it, and if they do, you should probably ask them to change that weird behaviour.
Otherwise, if a link in an email does look weird but you just can’t stop yourself from clicking on it, don’t click the link, but head to the site in question by manually typing the URL and then log in that way. If you must, you can usually right-click a URL or mouseover it to see the true destination, but even that scanning method might not save you these days.
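The hover check above can be automated, and doing so shows why it falls short against the Google Docs case: the link really does point at Google, and the untrusted host only appears in the OAuth `redirect_uri` parameter. This is an added example, not part of the original article; the sample email, client id, paths and trusted-host list are constructed assumptions, and only the googledocs.g-docs.win host comes from the article.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumption: the only hosts this reader expects Google links to use.
TRUSTED_SUFFIXES = ("google.com",)
# Constructed sample email body; client id and paths are placeholders.
SAMPLE_EMAIL = """
<a href="https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE-CLIENT-ID&amp;redirect_uri=https%3A%2F%2Fgoogledocs.g-docs.win%2Fcallback&amp;response_type=code">Open in Docs</a>
<a href="https://googledocs.g-docs.win/login">https://docs.google.com/document</a>
<a href="https://docs.google.com/document/d/EXAMPLE">https://docs.google.com/document/d/EXAMPLE</a>
"""

def host_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_link(href, text):
    """Return findings for one link; an empty list means nothing was flagged."""
    findings, url = [], urlsplit(href)
    if not host_trusted(url.hostname):
        findings.append(f"untrusted-host:{url.hostname}")
    # Visible text that is itself a URL but names a different host than the href.
    if text.lower().startswith(("http://", "https://")) and urlsplit(text).hostname != url.hostname:
        findings.append(f"text-mismatch:{urlsplit(text).hostname}")
    # A trusted consent page can still hand its result to a third party.
    for target in parse_qs(url.query).get("redirect_uri", []):
        if not host_trusted(urlsplit(target).hostname):
            findings.append(f"oauth-redirect:{urlsplit(target).hostname}")
    return findings

def audit_email(html):
    """Return {href: findings} for every link with at least one finding."""
    parser = LinkCollector()
    parser.feed(html)
    return {h: f for h, t in parser.links if (f := audit_link(h, t))}
```

Calling `audit_email(SAMPLE_EMAIL)` flags the first two links and leaves the genuine docs.google.com link alone; the first link passes a plain host check and is caught only by the `redirect_uri` inspection.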
More importantly, if you want to use your phishing vigilance for good and want to help people moving forward, the venerable SwiftOnSecurity has put together a collection of phishing reporting tools so you can report sketchy links so other people don’t fall prey to those attempts.
Just remember, don’t click shady links in your email from a company. Don’t click weird links in emails from your friends and family. Don’t click links in emails from your bank, Google or anyone else where you could otherwise just log into a site to get the information that’s supposedly in that email.