Once the link is clicked, a user is directed to the Google login page, asking for a username and password.
Except, the page is not as it seems. The page IS hosted (or was hosted) in Google’s infrastructure of servers, and utilized SSL, making it appear that the user was logging into an actual Google associated web page. However, the credentials were handed over to a different server, coded in PHP.
After the account credentials are compromised, the user is then forwarded to a fake adware site as the screenshot below shows (kudos to Collin Anderson for the screenshot – by the time I tried to analyze the item, the server was having issues):
Steps to protect yourself and your email
There are a few basic things that you can do to protect yourself online in these times, especially when someone spams the world with a really legitimate looking Google login page.
Remove the newly added application from your connected apps and sites in Google
As per the recommendations in the article from Verge, you will now need to remove a newly added item from your connected apps and sites in Google, which can be located at this link. The item will appear as “Google Docs”.
You also need to change your password. It is very heavily advised. You may also want to look into Google 2FA (two-factor authentication) in some form.
Look at the sender
In this case, it was observed that the sender was 17 h’s at a mailinator.com address. It is not the most hidden spam I have received, but it is a good indicator that the attached link is most likely malicious.
A lot of users receiving this in their email may not have an antispam solution enabled. My emails were quarantined and marked as junk; however, I checked around and some users had them in their inbox. If you have a good antispam engine running, you will often not receive items like this in your inbox.
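The sender indicator described above can be turned into a simple mail-filter check. The following is an added example, not code from the original article: it goes slightly beyond the text by inspecting every address header rather than only From, and the function name, the one-entry domain list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: a minimal disposable-domain list; mailinator.com is the
# domain named in the article. A real filter would use a maintained list.
DISPOSABLE_DOMAINS = {"mailinator.com"}
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "To", "Cc")


def address_flags(raw_message):
    """Return (header, address, reason) tuples for suspicious addresses."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ADDRESS_HEADERS:
        # getaddresses ignores the display name, which is trivially spoofed
        for _display, addr in getaddresses(msg.get_all(header, [])):
            local, sep, domain = addr.rpartition("@")
            if not sep:
                continue  # empty or unparseable address
            domain = domain.lower().rstrip(".")
            # Match a listed domain or any of its subdomains, nothing else
            if any(domain == d or domain.endswith("." + d)
                   for d in DISPOSABLE_DOMAINS):
                findings.append((header, addr, "disposable mailbox domain"))
            # Local part made of a single repeated character, e.g. 17 h's
            if len(local) >= 5 and len(set(local.lower())) == 1:
                findings.append(
                    (header, addr, "local part is one repeated character"))
    return findings


# Constructed sample messages (not taken from the real campaign)
SUSPICIOUS = (
    "From: Familiar Name <" + "h" * 17 + "@mailinator.com>\n"
    "To: user@example.com\n"
    "Subject: Shared document\n\nOpen in Docs\n"
)
BENIGN = ("From: Alice <alice@example.com>\nTo: user@example.com\n"
          "Subject: Lunch\n\nNoon?\n")

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, address_flags(raw))
```

A familiar display name does not clear the message, because both checks run on the address itself.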
Do you know the sender?
In this instance, for me personally, no. I had no idea who sent it, nor did I know the names that stated they sent it. As such, this would most likely already be in the trash bin for an observant user.
Do not get in the habit of opening unknown items from unknown parties. If you would not open your front door to them, do not open email from them.
Note that even this is not enough, as spammers and attackers are good at spoofing; however, it is another hurdle a malicious actor must bypass if you adhere to it.
Have a good antivirus
Many times, when taking a look at an environment, you will find a select group of users who believe they are above antivirus software. Do not be one of those people. Having antivirus in this situation may help keep you from making unwise decisions when opening files or following links.
Stay vigilant out there. Times, they are a changin’.
by Michael Aguilar, ESET We Live Security