Google spreadsheet phishing

Sometime last week I got an email that seemed like an obvious phishing attack. I wasn’t in the mood to track it down, so I just classified it as spam and moved on. Today I got the same message (may have been from a different sender) and decided to look into it a little further.

The message came to my business address, which is run by Google Apps for Business. It was sent from an address with a duncanvilleisd.org domain. I don’t know if the address is real, but the domain is—it’s a school district in Texas. The body of the message was short, sweet, and obviously inapplicable to me, especially when coming from someone at a domain I have no email account with:

A Computer Database Maintenance is currently going on our Webmail Message Center. Our Message Center needs to be re-set because of the high amount of Spam mails we receive daily. A Quarantine Maintenance will help us prevent this everyday dilemma.
To re-validate your mailbox Please:Click on the below link:
https://docs.google.com/spreadsheet/viewform?formkey=blahblahblah
Failure to re-validate your mailbox will render your e-mail in-active from our database.
Thanks
System Administrator.

Scary, eh kids? I changed the formkey in the URL to protect the innocent.

It was a multipart message, and I saw the HTML version of it. I checked to see if the link really did go to a Google spreadsheet, and it did so I figured there was no harm in following it. Here’s what I came to:

Google spreadsheet phishing page

How real does this look? The Matrix-y image is fun, and I’m not sure whether the misspelling of Microsoft makes it seem more or less likely to have come from an actual system administrator. The use of a backslash instead a slash in the third field is a nice touch (although I can’t imagine that the kind of user likely to fall for this would know what to put in this field). The worthless annoyance of having Confirm Password field makes it seem entirely legitimate, but not having a red asterisk on the Password field was an unfortunate oversight.

This is all kind of run-of-the-mill for a phishing attack. What I find surprising is that Google didn’t categorize it as spam right off the bat. GMail didn’t even put up the warning banner that the message looked like a phishing attack.1 I wonder if the fact that it linked to a Google spreadsheet gave it some extra legitimacy to the GMail spam algorithm, and that’s how it slipped through.

The little links along the bottom are all legitimate links to Google pages and are apparently something the phisherman couldn’t get rid of. I reported the page for abuse.


  1. Does GMail still do that? I haven’t seen one in quite a while.