Remove Google Docs Phishing Scam — How to Protect Yourself

Remove Google Docs Phishing Scam — How to Protect Yourself

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created in order to explain to you what is the Google Docs Phishing Scam and how you can remove them as well as all potentially unwanted programs delivered through them.

The Google Docs Phishing Scam is a popular malware tactic that attempts to manipulate Google Docs users into infecting themselves with viruses or disclosing their passwords. At the moment we do not have information about the perpetrators behind it. Our article gives an in-depth explanation of how it propagates and how victims can attempt to remove active infections.

Threat Summary

NameGoogle Docs phishing scam
TypePhishing email scam
Short DescriptionThe Google Docs Phishing Scam is a recent example of the scam tactic that extorts the targets into interacting with a scam site.
SymptomsVictims will receive email messages that contain the phishing instructions.
Distribution MethodPrimarily through Google Docs messages.
Detection Tool See If Your System Has Been Affected by Google Docs phishing scam


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Google Docs phishing scam.

Google Docs Phishing Scam – Distribution Ways

Recent security reports indicate that a new wave of Google docs phishing scam messages have been observed by computer users worldwide. Over the last few years we have detected independent campaigns that all seek to send out scam links and virus content to the recipients.

As they are carried out by independent groups various tactics can be used. The primary one is the spread of a malicious link where the users are coerced into interact with the content. In this case the malicious users can use the same mechanism as those used by browser hijackers and viruses. The most popular methods are the following:

  • Email Messages — The victims will receive email message invitations or direct Google Docs links. The messages may be either personalized or sent as a generic alert. The hackers can customize the messages pretending to be from a company, service or vendor that is offering them additional information. They are coerced into opening up the shown link.
  • Web Sites — The malicious users may set up web sites and portals that pose as legitimate vendor landing pages, Internet portals and etc. Whenever they are opened links to the Google Docs will be shown to the users and they will be coerced into opening them.
  • Document Scripts — By opening up infected documents made by the hackers the uers can view the link to the Google Docs phishing scam message. They can be of any popular document type: presentations, rich text documents, spreadsheets and databases. Whenever they are opened by the users a prompt will asking the users to enable the built-in scripts. If enabled they will display pop-up windows and large text links that will lead to the Google Docs phishing scam.
  • Hijackers and Virus Infections — Malware infections of all popular types can be used to spawn links. Ransom notes can include them in their body contents while browser hijackers can institute them in the changed web browser settings.
  • Malicious Setup Files — The hackers can craft malicious installers of popular software. They can be of any type: system utilities, creativity suites or productivity applications. When they are started the Google Docs phishing scam messages will be shown either during the installation or when it is completed.

Google Docs Phishing Scam – In-Depth Overview

When the Google Docs phishing scam message is opened it may request access to the Google account credentials — this is a serious issue as in some cases the shown link is in fact a fake login page. All entered information will automatically be transferred to the hacker operators and they will be able to overtake control of the hijacked accounts immediately.

The contents of the Google Docs phishing scam messages can include various malware contents. Depending on the used scenario the signs and delivery might be different. A prominent example is the automatic launch of built-in script that can load tracking cookies into the web browser. This will allow the malicious operators behind the threat to track the user interactions across all viewed websites. If this is combined with a data harvesting module the extracted information can be grouped into two main groups:

  • Sensitive User Data — These two modules can be used to hijack information that can directly reveal the identity of the victim user. This is done by looking for strings such as their name, address, email address, interests and stored account credentials. In some cases the code can also scan the contents of the local computer not just the browser itself.
  • ID Information — Many of these scripts also assign an unique victim ID to each victim device. It is generated by using input parameters such as a list of the available hardware components, user settings and certain operating system variables.

A large part of the Google Docs phishing scam messages can also lead to infections with cryptocurrency miners. They will take advantage of the available system resources by loading complex mathematical tasks. Whenever one of them is completed and reported to the specified server the operators will receive income in the form of cryptocurrency such as Bitcoin or Monero.

Most of the detected strains have the final goal of delivering malware of all kinds. Popular examples are the following:

  • Trojan Horse Infections — These are among the most dangerous virus infections. The classic scheme is to load a client onto the victim systems that establish a secure connection to a hacker-controlled server. This will allow the criminal operators to overtake control of the infected systems at any given moment. Other possible actions includes the theft of data and the upload of additional threats.
  • Ransomware — These viruses aim to encrypt sensitive user data with a strong cipher. The typical behavior is to use a built-in list of target file extensions. After it completes execution a ransomware note will be crafted. Its contents will blackmail the users into paying a “decryption” fee.
  • Browser Hijackers — Using scripts and various redirects the phishing scam can lead to infections with dangerous web browser extensions. When installed they will redirect the victims to a hacker-controlled site.

Depending on the exact hacker configuration the Google Docs phishing scam tactics may change. It is possible that the stolen information by the hacker groups be stored in shared databases and used late for crimes such as identity theft or financial abuse.

Google Docs Phishing Scam Example — The Shared Document

One of the prominent campaigns made use of SPAM emails that were sent directly to the Gmail inboxes of the targets. They appear as being sent by a contact of the victims or a service announcement. The body contents coerces them into opening the displayed link.

When the users navigate to the link they will be redirected to a rogue website which is designed to appear like a Google sign-in page. If the victims enter in their account credentials they will be automatically sent to the hacker operators. A direct consequence is that the victim’s email inboxes will be scanned for all contacts. Using automated scripts the hijacked scripts will send out the same phishing messages to them.

The victim users may not suspect that their emails have been hacked and continue to send and receive their day-to-day correspondence. In the meantime the criminals will be monitoring all user actions which is especially dangerous if they come across copies of letters, documents or online banking accounts. Such information can be used for various crimes — identity theft, financial abuse, blackmail and etc.

Google Docs Phishing Scam Example — Signed Documents

Another popular technique relies on sending the victims messages that are signed with security certificates. They are coupled by several phishing scenarios that are being by the operators:

  • Financial Documents
  • Contracts
  • Delivery Notifications

As the emails are usually non-personalized and use the same style of writing many of the users will be fooled into interacting with the contents. The delivered payload is usually an infected payload which either contains malicious macros or is a virus file itself.

Google Docs Phishing Scam Example — Google Ads Login Page

A separate Google Docs phishing scam was spotted that shows a document linking to a Google Ads login page. The end goal of the hacker operators is to manipulate them into entering their Google credentials into it. Such messages can be delivered through all popular tactics — email messages, web sites and infected documents.

Some of the examples follow the exact web design template and even customized the links leading to legitimate Google sections. The only difference between the legit and the scam messages is the address and the security certificates. This convincing approach can fool many users into interacting with the script. If any credentials are entered they will be automatically transferred to the hacker operators.

Remove Google Docs Phishing Scam from Windows and Your Browser

If you want to remove the Google Docs Phishing Scam from your computer, we strongly suggest that you follow the removal instructions posted underneath this article. They have been created with the main idea In mind to help you delete this virus either manually or automatically. Be advised that according to experts the best way to try and remove the software that is causing the Google Docs Phishing Scamming pop-ups is to use an advanced anti-malware software. Such program is created with the idea in mind to fully scan your computer and try to eliminate any traces of unwanted programs while protecting your computer against future infections as well.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share