Recently I received an email claiming one of my friend have shared an important Google doc with me and asked to click the attached link to access it. I have turned off the html view in my email client, and thus I was easily able to see the link, unsurprisingly it was neither of Google Drive nor of any other Google products.
The link simply redirects user to an imposter Google account login page. If the user gets trapped, he might end up giving away their Google login details to the attacker. Further analysis is below.
The attached link in the email is: hxxp://zhangjiancheng.com/include/read.php, which resolves to IP 18.104.22.168, hosted by Secured Private Network, Santa Ana, CA. On clicking the above link, response contains a HTML page with <META http-equiv=”refresh” content=”0;URL=data:text/html;base64, tag and the content of the page Base64 encoded. On decoding the content and doing a diff with original Google account login page, it shows that the only major change is the URL where the form data is to be submitted, in this case it is hxxp://zhangjiancheng.com/include/other.php. To test further, I entered fake details in the username and password field and submitted. I was served with a Google Drive page stating the file requested does not exist.
Such spam emails highlight the fact that most users do not check the address bar of the browser. In the snapshot below it can be clearly observed that the address in the address bar is not of Google Accounts and should raise an element of doubt. Checking the URL in the address bar can save you from such phishing attacks.