Over the past several months, we've noticed a growing number of "all-in-one" webmail phishing sites using Google Docs or Google Drive as bait. More than 1,700 are active as of this posting, many of which have been up for months.
An example of the phishing scam site is below:
We’ve observed several variations of this attack, all of which are designed to trick the victim into submitting webmail credentials by promising to provide access to a shared document on Google Docs or Google Drive.
We recorded the sequence a victim would go through:
As you can see, not a lot goes on beyond accepting the username and password. No validation is performed: regardless of what values are entered, the scam presents several “loading” or “processing” messages followed by an error message asking the user to try again later. The victim is then redirected to a legitimate Google accounts login page.
It's also worth noting that Symantec recently blogged about a variant of these attacks in which fraudsters are hosting the phish in Google Drive as a way to make the scam appear more authentic.
The goal of these attacks is simply to harvest email credentials. For most cybercriminals, hacked email accounts are merely a means to an end. How the credentials harvested in these attacks are being used is unclear at this point.
That being said, there are plenty of ways to use hacked email accounts for cybercrime. Attackers can search for banking correspondence and then use hacked accounts to trick banking contacts into wiring “emergency” funds. They can mine the hacked accounts to find other online credentials (gaming, social media, iTunes, etc.) that can be sold. Or they can just add hacked email accounts to spamming operations in support of phishing attacks, malware distribution, 419 scams, etc.