Phishing scammers tap Google Docs for data gathering

Phishing scammers tap Google Docs for data gathering

Summary: Phishers are using Google-hosted spreadsheets in identity-stealing social engineering attacks, according to security firm F-Secure

TOPICS: Security

Phishing scammers are using Google Docs to create forms that try to trick people into divulging personal information, according to security company F-Secure.

Phishing form with certificate

Phishing scammers are using Google Docs to create forms that try to trick people into divulging personal information. Screenshot: F-Secure

The Google-hosted service, which allows people to create and share documents, is regularly used by fraudsters as part of a phishing scheme, F-Secure said in a blog post on Monday. Using the spreadsheet tool, phishers are building spoofed forms with fields for details such as name, email address and password, the security company said.

The fraudsters are taking advantage of the Google service, rather than exploiting a flaw. This means the spreadsheets look no different to any other created via Google Docs.

"These are nasty attacks, as the phishing pages are hosted on the real, complete with a valid SSL certificate," said F-Secure chief research officer Mikko Hypponen in the blog post.

F-Secure investigated the Google-hosted phishing forms it found in circulation by looking at their links and then seeing if these links appeared in its inventory of phishing emails, Hypponen told ZDNet UK. In addition, they looked at the forms to see where the information entered in them was sent to.

Although anyone can create a form, Google is trusted as a brand, making social-engineering attacks based on Google Docs forms more likely to succeed, said Hypponen.

ZDNet UK app

ZDNet UK app for iPhone and Android devices

It's small, it's simple, it's multi-platform. The ZDNet UK app is now available for download from the App Store and Android Market.

Read blog +

The potential for user confusion is compounded by Google using forms on to officially request user information. Users can request a Google Voice account transfer, and have to input their Google Voice number, email address and PIN code to validate the transfer.

"I'm not blaming Google over the phishing sites, but if phishing is a problem, why on earth is Google hosting its own forms asking for confidential customer information?" asked Hypponen.

The researcher created a form that looked similar to the Google form, to prove that Google's official form could be spoofed.

Google had not responded to a request for comment at the time of writing.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • It's worth noting that Google have now replaced their official form so that it is now hosted at rather than on their document forms