Google Docs Users Targeted by Phishing Scam

117 points by ulam2, about 11 years ago

10 comments

zaroth, about 11 years ago
What's to stop the attacker from going the next step and forwarding the user/pass to Google, triggering the SMS for 2FA, and then prompting me to enter it?

Now all you can hope is that Google notices the source IP or user-agent of the attacker doesn't match up with the user's usual pattern.

semenko, about 11 years ago
Surprised no one's used this opportunity to talk about Google's gnubby / FIDO / U2F plans.

Non-phishable two-factor auth token: http://fidoalliance.org/

See presentation: https://docs.google.com/a/google.com/presentation/d/16mB3Nptab1i4-IlFbn6vfkWYk-ozN6j3-fr7JL8XVyA/edit#slide=id.g19c09a112_2_0

juliann, about 11 years ago
This is why EVERYONE should have Two-Step Verification (https://support.google.com/accounts/answer/180744?hl=en) enabled if you care a little bit about your Google Account and the data you have stored there. This kind of attack will expose your password, but the attackers won't get in your account anyway.

iancarroll, about 11 years ago
It's interesting how this is done - and there's no real workaround except to force 2FA.

therealmarv, about 11 years ago
I think it is important that Symantec should mention what the URL looks like. From reading this news I can only assume that this happens with hosted websites from Google Drive which have a URL like https://googledrive.com/host/someidhere. This warning could be better.

dhekir, about 11 years ago
Since we are talking about phishing in Google's domains, can someone explain to me why http://www.blogspot.co.uk (and .ie, and .fr, etc.) leads to someone's specific blog, instead of doing like the http://www.blogspot.com site does, which leads to Google's login?

What prevents this "www" Blogger user from mounting a phishing attack?

brown9-2, about 11 years ago
*After pressing "Sign in", the user’s credentials are sent to a PHP script on a compromised web server.*

I might be missing something, but how does this part work?

Is it because the document in the Google Drive folder is actually an html document that the browser is loading (and executing javascript of)?
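
An added example, not part of the thread or of the article it discusses: a static check for the pattern quoted in the comment above, where a page served from one origin carries a password form that submits to a different origin. The function names, sample URLs and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

class PasswordFormCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current = None   # [action_url, has_password] of the open form
        self.actions = []     # resolved targets of forms holding a password input

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self.current = [action, False]
        elif tag == "input" and self.current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.current[1]:
                self.actions.append(self.current[0])
            self.current = None

def off_origin_password_forms(page_url, html):
    """List form targets that would receive a password on a different origin."""
    collector = PasswordFormCollector(page_url)
    collector.feed(html)
    collector.close()
    return [a for a in collector.actions if origin(a) != origin(page_url)]

# Constructed sample: a sign-in look-alike on a file-hosting origin.
SAMPLE_URL = "https://files.example.com/host/sample/index.html"
SAMPLE_HTML = """
<form action="https://other.example.net/collect.php" method="post">
  <input type="text" name="user"><input type="PASSWORD" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
<form action="login"><input type="password" name="p"></form>
"""
```

This inspects only the markup as served; a page that sets the form target or sends the fields from script at submit time needs a rendered-DOM or network-level check instead.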

mikeash, about 11 years ago
And that's why you shouldn't serve user content on the same domain as your own stuff.

judk, about 11 years ago
> Symantec customers are protected against this threat.

How?

mathattack, about 11 years ago
I've seen an account hacked already.