Wednesday, June 20, 2007

Spamming with Google Docs

I frequently use Google Docs and Spreadsheets to manage and share various documents. I was surprised to log in today and see a document I didn't recognize in my list. When I logged into my email, it turned out that it was a legitimate document shared amongst a group of acquaintances, but it got me thinking. Couldn't a spammer just as easily have done the same thing, and bypassed my spam filters besides?

I downloaded a "pump and dump" spam image and created a document that looked like this. Then, I added as "viewers" another of my Gmail addresses, a non-Gmail address, and a friend's Gmail and non-Gmail addresses.

In every case, the notification email came right through as "I've shared a document with you called ..." with a link. The social engineering aspects here are:
  • the email comes from Google
  • the link goes to Google
  • the text of the email is familiar and non-threatening, especially to users of Google Docs
It is ultimately NOT difficult to convince a user to click on this link (I probably would), and it's not likely to be filtered as spam.

The additional benefit, of course, is that you can dump documents right into a Google Docs user's main document view without any filtering at all, just by "sharing" the document. Imagine logging in one day to find your list of documents shoved down to make room for a list of docs with titles like "Buy cheap Viagra online!!"

I'm not sure if Google is already watching for accounts that have a high level of document creation/sharing activity, but if not, they probably should be. Additionally, they may want to consider options to allow users to keep newly-shared/unconfirmed documents out of the default view, or to limit whose shared documents they accept at all.
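To make the two mitigations above concrete, here is an added example (my own illustration, not code from this post and not anything Google runs): a sliding-window check that flags accounts notifying an unusual number of distinct recipients, and a view that holds shares from unknown senders out of the default list. The event format, the thresholds and the sample data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of share-notification events (not real data):
# (timestamp, sharing account, document id, recipient address)
SAMPLE_EVENTS = [
    ("2007-06-20T09:00:00", "alice@example.com", "doc-1", "bob@example.com"),
    ("2007-06-20T09:05:00", "alice@example.com", "doc-1", "carol@example.com"),
    ("2007-06-20T09:07:00", "bob@example.com", "doc-2", "alice@example.com"),
    # one account shares a single document with 40 strangers inside ten minutes
    *[(f"2007-06-20T10:{i // 4:02d}:{(i % 4) * 15:02d}",
       "spammer@example.com", "doc-spam", f"victim{i}@example.net")
      for i in range(40)],
    # ... and with alice, who has never corresponded with that account
    ("2007-06-20T10:11:00", "spammer@example.com", "doc-spam", "alice@example.com"),
]


def parse(events):
    """Turn the ISO timestamp strings into datetimes so windows can be compared."""
    return [(datetime.fromisoformat(ts), who, doc, rcpt) for ts, who, doc, rcpt in events]


def flag_bulk_sharers(events, window=timedelta(hours=1), max_recipients=20):
    """First mitigation: watch for high sharing activity.

    Returns {sharer: peak distinct recipients} for every account that notified
    more than max_recipients distinct addresses within any `window`-long span.
    A per-sharer sliding window keeps this linear in the number of events.
    """
    by_sharer = defaultdict(list)
    for ts, who, _doc, rcpt in sorted(parse(events)):
        by_sharer[who].append((ts, rcpt))

    flagged = {}
    for who, items in by_sharer.items():
        start = 0
        in_window = defaultdict(int)  # recipient -> occurrences inside the window
        for ts, rcpt in items:
            in_window[rcpt] += 1
            # drop events that fell out of the window ending at `ts`
            while items[start][0] < ts - window:
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_recipients:
                flagged[who] = max(flagged.get(who, 0), len(in_window))
    return flagged


def split_unconfirmed(events, recipient, known_senders):
    """Second mitigation: keep shares from unconfirmed senders out of the default view.

    Returns (default_view, held) lists of document ids for `recipient`; a share
    lands in the default view only if the sharer is in `known_senders`.
    """
    default_view, held = [], []
    for _ts, who, doc, rcpt in parse(events):
        if rcpt != recipient:
            continue
        (default_view if who in known_senders else held).append(doc)
    return default_view, held


if __name__ == "__main__":
    print("flagged:", flag_bulk_sharers(SAMPLE_EVENTS))
    print("alice's views:", split_unconfirmed(SAMPLE_EVENTS, "alice@example.com", {"bob@example.com"}))
```

The threshold and window are deliberately loose placeholders; a real deployment would derive them from each account's own history rather than a fixed constant, and would combine the recipient count with signals such as account age and how many recipients had ever corresponded with the sharer.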
