Google Drive Hack: Phishing Campaign Targets Gmail Users With Fake SSL Encryption

Google Inc., the world's largest provider of free email, is under attack. Hackers likely based in the Middle East have launched a new Gmail phishing campaign that’s trying to trick users into surrendering control Google accounts, researchers said Monday.

The hackers do it by defeating Google's own anti-spam software and sending what appears to be a legitimate Gmail message that redirects users to a fake Google Drive page that tricks them into giving up their username and password.

Cyber criminals have impersonated Google in the past, but researchers at cloud security firm Elastica, which discovered the hack, said this stands apart for its simulation of Google apps. “It was a very well-crafted attack,” said Aditya Sood, a senior security researcher at cloud security firm Elastica. “The hackers actually reconstructed the full attack channel, which was very impressive in this case.”

Exactly who is behind the attack and how many Google customers have been affected wasn’t immediately clear, though it appears that attackers have figured out how to fake Google’s trusted SSL encryption.

The attack appears to have been designed for maximum impact against Gmail’s 900 million users. Compare that to the 273 million Yahoo Mail users (as of 2014) and the 500 million to 600 million Microsoft Outlook mail users.

SSL, or Secure Sockets Layer, encryption has been widely used for a decade by email providers, banks and any other website that needs to protect sensitive user information. When you log into Gmail or Google Drive, for instance, Google automatically encodes your username and password so only you and Google can see it. In this case hackers created a fake Google Drive document that, by looking just like a real page, took advantage of user trust and asked visitors to input their Google name and password.

The page, which was still online at press time, even impersonated the browser lock and https domain URL that are a standard aspect of SSL encrypted-pages.

Update: "We're constantly working to protect people from phishing scams through a combination of automated systems, in-product warnings, and user education," a Google spokesperson said in a statement. "We're aware of this particular issue and taking the appropriate steps."

Elastica’s team first discovered the page two weeks ago when one researcher was sent the link as part of the apparent phishing campaign. They closely examined the page’s source code and noticed that the Java Script had been obfuscated – when programmers design code to be as possible to decipher – twice.

“When we de-obfuscated that Java Script we found HTML code in there, which was suspicious from a security perspective because Google is usually HTTPS,” said Sood. “When we submitted dummy information into the HTML page and were eventually redirected to a page that wasn’t the Google server...When you submitted a form you’d be redirected to a PDF document, which was very strange.”

Elastica ultimately traced the website to a domain registered in the United Arab Emirates, Sood added.

The PDF document, which downloaded automatically, apparently contained a 2006 scientific paper from Christina K. Pikas, a doctoral student at the University of Maryland titled “The Impact of Information and Communication Technologies on Informal Scholarly Scientific Communication: A Literature Review.”