Phishing scammers tap Google Docs for data gathering

Phishers are using Google-hosted spreadsheets in identity-stealing social engineering attacks, according to security firm F-Secure

Phishing scammers are using Google Docs to create forms that try to trick people into divulging personal information, according to security company F-Secure.

[Screenshot: phishing form with certificate. Credit: F-Secure]

The Google-hosted service, which allows people to create and share documents, is regularly used by fraudsters as part of a phishing scheme, F-Secure said in a blog post on Monday. Using the spreadsheet tool, phishers are building spoofed forms with fields for details such as name, email address and password, the security company said.

The fraudsters are taking advantage of the Google service, rather than exploiting a flaw. This means the spreadsheets look no different to any other created via Google Docs.

"These are nasty attacks, as the phishing pages are hosted on the real, complete with a valid SSL certificate," said F-Secure chief research officer Mikko Hypponen in the blog post.

F-Secure investigated the Google-hosted phishing forms it found in circulation by looking at their links and then checking whether those links appeared in its inventory of phishing emails, Hypponen told ZDNet UK. In addition, the company examined the forms to see where the information entered in them was sent.

Although anyone can create a form, Google is trusted as a brand, making social-engineering attacks based on Google Docs forms more likely to succeed, said Hypponen.

The potential for user confusion is compounded by Google using forms on to officially request user information. Users can request a Google Voice account transfer, and have to input their Google Voice number, email address and PIN code to validate the transfer.

"I'm not blaming Google over the phishing sites, but if phishing is a problem, why on earth is Google hosting its own forms asking for confidential customer information?" asked Hypponen.

The researcher created a form that looked similar to the Google form, to prove that Google's official form could be spoofed.

Google had not responded to a request for comment at the time of writing.
