Google Docs being used as a Phishing Site

ozuma5119 / Yusuke Osumi
5 min read · Mar 7, 2021


For the past couple of weeks, I’ve been getting bitFlyer (a cryptocurrency exchange in Japan) phishing emails in my mailbox almost every day.

My Honeypot Mailbox

As a cybersecurity researcher, this kind of fraudulent email is not uncommon. But these phishing emails lead to a strange redirector. I think this is a potential threat and have written this article to warn about it.

Phishing emails

The phishing email I received was a common type: it tries to make you panic and click on a link by telling you that there has been a fraudulent login and that you should check it immediately.

About a fortnight ago, the link started pointing to Google Docs.

A link to Google Docs

Here is a Phishing site made by Google Docs.

As you can see, this is not a phishing site itself but a redirection site. However, the page is so elaborate, and its design so similar to the email, that many people will click on it without question.

How Google Docs sharing works

Here’s a refresher on how Google Docs sharing works. There are several ways to share a Google Doc, depending on how you want to present it:

  1. Put your document file on Google Drive and share it using the Google Drive sharing feature.
    https://docs.google.com/document/d/1Zj7KqQS-M6ev-FmEzt--FQtroxTE6TMuzKfQ_99YGoo/edit?usp=sharing
  2. Choose [File] → [Publish to the Web] and share it as a link to a web page.
    https://docs.google.com/document/d/e/2PACX-1vSzoYa-nM4eRTXmiXRUXGC5vweNWpyGUhC54rhAYAflb_KjCt6DwZVSkLrtNNVHdWLjJZ5GgJXta9eY/pub
  3. Almost the same as 2., but select “Embed” in the [File] → [Publish to the Web] dialog.
    https://docs.google.com/document/d/e/2PACX-1vS88fbmBk2vtdcEXggNb0HFGwYomJf1l8yRhNHcqe6g3bFeBzxKWyyPzPlUV5Jx7if-tpfQsekGDTnp/pub?embedded=true

It’s easy to tell the difference: in 1. the link ends with /edit?usp=sharing; in 2. the link ends with /pub; in 3. the link ends with /pub?embedded=true.

It is also worth noting the difference in appearance between these three methods.

Method 1. is designed for multi-person collaboration and looks almost the same as the Google Docs editor itself.

Method 1.

On the other hand, methods 2. and 3., as the name “Publish to the Web” implies, look more like standard web pages than document files. But there is one big difference.

Method 2.

In the case of 2., the page always carries a footer with the link “Published by Google Drive — Report Abuse”.

In the case of 3., however, there is no footer, because the page is intended to be embedded. So it looks just like a standard web page.

Method 3.

Without prior knowledge, you wouldn’t think this is a Google Doc, would you?

We can’t do Takedown!

If actors publish a phishing site using method 3. above, there is no link for reporting the fraud on the page. So cybersecurity researchers such as ourselves cannot report it to Google directly.

In this case, once you remove “?embedded=true” from the link, turning it into the method 2. form, the abuse link appears and you can report it. However, you need to be logged in to your Google account to file the report. You shouldn’t visit a phishing site while logged in, so it is best to log out, click “Report Abuse”, and only then log in.

I have been reporting these Google Docs sites for about two weeks. Unfortunately, Google does not consider these Google Docs to be phishing sites, and they are still alive and well. Furthermore, Google Safe Browsing reports them as green, so they are not regarded as malicious sites. A Google Doc that merely links to the malicious site, without a login screen of its own, is not considered a malicious site by Google.

This is very convenient for the attacker. It’s easy and free to set up a strong redirector on the Internet that is never taken down. And the domain is google.com, one of the most trusted in the world.

Another problem: links in the Google Docs

If you publish a Google Doc via the “Publish to the web” menu, all links on the page are forcibly rewritten. They are converted into redirects through google.com, as follows:

https://www.google.com/url?q=<URL>&sa=D&source=editors&ust=<number>&usg=<token?>

A link to www.yahoo.com is forcibly converted into a google.com redirect

I don’t know what Google’s intentions are in doing this, but it’s certainly not right from a security and privacy perspective.

And when you think of phishing scams, the biggest problem is that all the links point to the www.google.com domain.

This is a great advantage for phishers and a threat to the public. Many people think that google.com is a trustworthy domain. However, if this method becomes widely used, google.com will become a very dangerous domain.
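The two URL patterns described above (the three sharing forms, and the www.google.com/url?q= wrapper) can be handled mechanically by a mail filter or a triage script. The following is an added example, not code from the original post: it classifies a docs.google.com link by sharing method, strips ?embedded=true so the “Report Abuse” footer becomes available, and unwraps the google.com redirect to expose the real destination that a filter should judge. Function names are hypothetical and the document IDs are constructed placeholders.

```python
from urllib.parse import urlparse, urlunparse, parse_qs, urlencode

# Hosts that serve the /url?q=... redirector produced by "Publish to the web".
GOOGLE_REDIRECT_HOSTS = {"www.google.com", "google.com"}


def classify_docs_link(url: str) -> str:
    """Map a docs.google.com document link to one of the three sharing methods
    from the article: 'edit' (1.), 'pub' (2.), 'pub-embedded' (3.).
    Anything else (other hosts, other Docs paths) is 'unknown'."""
    p = urlparse(url)
    if p.hostname != "docs.google.com" or "/document/" not in p.path:
        return "unknown"
    if p.path.endswith("/edit"):
        return "edit"  # method 1: normal Drive sharing, /edit?usp=sharing
    if p.path.endswith("/pub"):
        q = parse_qs(p.query)
        if q.get("embedded", ["false"])[0].lower() == "true":
            return "pub-embedded"  # method 3: no "Report Abuse" footer
        return "pub"  # method 2: footer with "Report Abuse" link
    return "unknown"


def reportable_form(url: str) -> str:
    """Turn a method-3 (embedded) link into its method-2 form by dropping the
    embedded parameter, so the page shows the "Report Abuse" footer."""
    p = urlparse(url)
    q = {k: v for k, v in parse_qs(p.query).items() if k != "embedded"}
    return urlunparse(p._replace(query=urlencode(q, doseq=True)))


def unwrap_google_redirect(url: str) -> str:
    """If url is a www.google.com/url?q=<target>&... redirect, return <target>;
    otherwise return url unchanged. A filter should evaluate the returned
    value, not the google.com wrapper."""
    p = urlparse(url)
    if p.hostname in GOOGLE_REDIRECT_HOSTS and p.path == "/url":
        target = parse_qs(p.query).get("q")
        if target:
            return target[0]
    return url


if __name__ == "__main__":
    # Constructed sample, shaped like the rewritten link shown in the article.
    sample = ("https://www.google.com/url?q=https://www.yahoo.com/"
              "&sa=D&source=editors&ust=1614000000000&usg=PLACEHOLDER")
    print(unwrap_google_redirect(sample))
```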

Conclusions and measures

  • We are currently seeing phishing sites that use the Google Docs sharing feature.
  • All of these links point to the google.com domain, which is likely to slip through many filters.
  • A phishing email pointing to a google.com domain is not a sign that it is safe.
  • Google should apply Google Safe Browsing to docs.google.com.
  • Google should not force us to convert links when we “Publish to the web” from Google Docs.
  • Google should offer an appropriate fraud reporting mechanism for embedded Google Docs.

IoC



Written by ozuma5119 / Yusuke Osumi

CSIRT, Cyber Security Researcher, PenTester. CISSP/CISA
