Phishers have found a new use for Google Docs -- stealing your identity
The free cloud applications, particularly Google spreadsheets, are gaining popularity as a phishing platform. I knew the Google Docs spreadsheet was good for something.
To sell itself, a phishing site needs to come from a trustworthy domain, and that's why Google Apps is so popular. Nobody is going to block *.google.com or even spreadsheets.google.com. So not only will some people be more inclined to believe that a phishing page is genuine, but the page is also less likely to be blocked by reputation systems. You even get to use HTTPS on your attack page, courtesy of Google.
Alex Eckelberry of (the Sunbelt Software guys who got bought by) GFI Software says they're seeing a lot of Google Docs phishing sites. Eckelberry gives one example, and there are others on his blog. He calls Google Spreadsheets a "playpen for phishers. We have found a very large number of phishing sites using Spreadsheets, especially for stealing credentials".
As Eckelberry says, the intended uses of Google Docs make it particularly vulnerable to this. It's perfect, for example, for teachers to gather information from students. So highly targeted attacks, spear-phishing if you will, have a lot of potential. This is exacerbated by the opacity of the URLs which, in many cases, don't indicate anything about the identity of the author.
These attacks are apparently popular in Indonesia and are used to steal credentials for various games. Eckelberry cites Gemscool (an Indonesian gaming site) as a particular target, such as for the Point Blank (PB) and Lost Saga games. It's easy to find these attacks; try this Google search ("cheat lost saga jakarta site:google.com"). You should see a few, some of which have been found by Google and turned off.
It was just a month ago that I first saw a report of this technique. My conclusion then, as now, is that until Google cleans up its act, Docs isn't a good place for such forms.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.