
Google Docs phishing example and some general recommendations


A few days ago I came across a phishing case that tried to steal passwords using a fake Google Docs page.

The URL made the deception obvious: the fake page was hosted on a hacked WordPress site. But the design was good and, as we already know, many people pay no attention to the URL of the page where they enter their data, so it is not surprising that they fall for it.
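The URL check a careful user does by eye can be written down. The following is an added example, not code from the original post: it assumes genuine Google pages are served over HTTPS from google.com or a subdomain, and `hacked-blog.example` is a constructed placeholder host.

```python
from urllib.parse import urlsplit

# Assumption for this example: genuine Google sign-in and Docs pages are
# served over HTTPS from google.com or one of its subdomains.
TRUSTED_DOMAIN = "google.com"


def check_login_url(url):
    """Return (trusted, reason) for a URL that claims to be a Google page."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    # .hostname drops any "user@" prefix and the port, and lower-cases the host.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, "not served over HTTPS"
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "host is " + host
    # The brand name appears somewhere, but not as the registered domain.
    if TRUSTED_DOMAIN in url.lower():
        return False, "google.com appears in the URL but the real host is " + host
    return False, "unrelated host " + host


# Constructed sample URLs; hacked-blog.example is a placeholder host.
SAMPLES = [
    "https://docs.google.com/document/d/abc123/edit",
    "https://hacked-blog.example/wp-content/docs.google.com/login.php",
    "https://docs.google.com.hacked-blog.example/ServiceLogin",
    "https://docs.google.com@hacked-blog.example/ServiceLogin",
    "http://docs.google.com/document/d/abc123/edit",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        trusted, reason = check_login_url(sample)
        print("OK   " if trusted else "BLOCK", sample, "->", reason)
```

Only the first sample passes: in the others the familiar name sits in the path, in a subdomain of another site, or before an `@`, or the page is not served over HTTPS.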


In addition to requesting the Gmail password, the page also let victims choose other services or providers, such as Hotmail, and used JavaScript to make sure they typed their email addresses correctly (it checked for the at sign and so on).

Once this data was entered, victims were taken to another page that also asked for their phone number or secondary e-mail address, simulating a security check.

Finally, the victim was redirected to the real Google Docs page.

This phishing page has since been taken down: the site owner became aware of the situation and managed to remove it. As usually happens, the owner found out the site was infected once browser security filters started blocking it.

In WordPress, although there are plugins that help improve security, keeping everything updated (including themes and plugins) is usually enough to avoid these problems. It is also a good idea to remove themes and plugins that are unused or disabled. Download them from official sources: a paid theme or plugin downloaded from somewhere else to avoid paying can come with "gifts" or have unresolved vulnerabilities that will sooner or later cause problems.

On the server where the site is hosted, it is also wise to avoid installing strange web programs or keeping other outdated sites, because a vulnerability in one of them could let an attacker get into the others and modify them as well.

Report that the site is already clean:

If your site is infected with phishing, once you fix it you should request a review through this Google form (send the URLs with and without www if the site loads both ways): https://www.google.com/safebrowsing/report_error/

If everything is fine, the site should be unblocked from one day to the next. There are also online scanners that can help detect problems, such as Sucuri.net/scanner/, Aw-snap.info/file-viewer/ and Virustotal.com. You can also check the site at Phishtank.com, a site dedicated exclusively to reporting phishing.

Phishing cases are not reported in the Search Console (formerly Google Webmaster Tools), so you must request the review through the form mentioned above.

If an infection message appears in the Security Issues section of the Search Console, then the review request should be sent from there once the site is clean. If the Search Console cannot be accessed or the message does not appear (in either the www or the non-www version), you can go to Stopbadware.org, which is a Google partner. If you send the request from there, they will review the site and, if everything is OK, report it directly to Google so that the site is unblocked.