[nsp-sec] Google spreadsheet phish

Jon Lewis jlewis at lewis.org
Fri Aug 5 11:29:58 EDT 2011


On Fri, 5 Aug 2011, Chris Morrow wrote:

>> FYI.. I had been watching the one reported by Jon Lewis on 2011-08-02
>> and it still appears to be alive.
>
> yea, the folks that make this happen are apparently... missing
> something. I'll try cluestick methods :(
>
>>
>>> hxxps://spreadsheets.google.com/spreadsheet/viewform?formkey=dEdYRVhlVkJoRUpZaUFsVTVueVVkaWc6MQ
>>
>> The reason I was watching is, I am wondering how effective the "report
>> abuse" mechanism is working. I am guessing not too well at the moment. :(
>
> SUPPOSEDLY the report gets a person to look at it, there's a
> manual-review team that is SUPPOSED to see these and 'do something'
> (hopefully for the stupidly obvious ones like these just 'close
> account/access'...)
>
> cluestick in flight. (pointy end first this time)

I know GOOG is a behemoth and pretty much everything is done/decided by 
committee, but I think it's time to hurl that clue stick over the heads of 
the people failing to deal with these and get a mandate from higher up the 
food chain that these things must be shut down with all reasonable haste.

You're providing bulletproof hosting to phishers.  As long as GOOG 
continues to take days (or even just many hours) to shut these down, the 
phishers will continue to abuse your attractive nuisance.

I'm trying to be civil about this...don't make me go RFG all over you[1].

I was curious how these phishing spreadsheets work, so the other day after 
reporting the above one, I went ahead and created one.  It appears the 
results are stored as a spreadsheet.  If there's an option to have the 
input data emailed somewhere on submission, I didn't notice it.

As a simple bandaid for this problem, you might have whatever committee 
considers these things tell the developers that after X number of Report 
Abuse submissions for a spreadsheet, read access to that spreadsheet's 
submitted data should be blocked.  If it's a falsely reported non-phish, 
the spreadsheet's owner will have to work with GOOG to restore their read 
access to the data, and perhaps exempt the sheet from further blocking 
unless its form content is changed.  This could effectively nearly 
immediately shut down phishing spreadsheets (not by taking them down, but 
by not providing the phish data to the phishers), assuming enough spam 
recipients are willing to go to the spreadsheet and report it, and you 
keep X small enough.

As it is, with report abuse and reports here resulting in no action [at 
least for several days] I have to wonder if it's worth my time to bother 
doing either.

[1] if you don't understand, don't worry...you're better off that way.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
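The report-threshold lockout proposed in the message above, worked through as an added example. This is illustration code written for this page, not code from the thread, from Google, or from any spreadsheet product. It models the proposal literally: after X distinct "report abuse" submissions the collected responses become unreadable (the form itself is left up), manual review can restore access and exempt that exact form content, and editing the form drops the exemption. The class and function names, the in-memory storage, the sha256 content fingerprint, and the choice to count distinct reporters rather than raw report count are all assumptions made for the example.

```python
"""Threshold lockout for abuse-reported form response sheets.

Added example, not code from the thread or from Google. Models the proposal in
the message above: after X distinct "report abuse" submissions, block read
access to the collected responses (the form itself stays up); the owner can
have access restored, which exempts the form until its content changes. All
names, the threshold, and the in-memory storage are assumptions.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def content_hash(content: str) -> str:
    """Fingerprint of the form's questions; an exemption is tied to this value."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


@dataclass
class Form:
    form_id: str
    owner: str
    content: str                                      # questions shown to visitors
    reporters: set[str] = field(default_factory=set)  # distinct reporter ids
    read_blocked: bool = False
    exempt_hash: str | None = None                    # content hash cleared by review


class AbuseGate:
    def __init__(self, threshold: int) -> None:
        if threshold < 1:
            raise ValueError("threshold must be >= 1")
        self.threshold = threshold  # "X" in the proposal; keep it small

    def report(self, form: Form, reporter_id: str) -> bool:
        """Record one abuse report; return True if reading responses is now blocked."""
        # A form cleared by review stays exempt only while its content is unchanged.
        if form.exempt_hash == content_hash(form.content):
            return False
        # Assumed policy: count distinct reporters so one person cannot reach X alone.
        form.reporters.add(reporter_id)
        if len(form.reporters) >= self.threshold:
            form.read_blocked = True
        return form.read_blocked

    def can_read_responses(self, form: Form, requester: str) -> bool:
        """Only the owner can ever read submitted data, and not while blocked."""
        return requester == form.owner and not form.read_blocked

    def restore_after_review(self, form: Form) -> None:
        """Manual review found a non-phish: unblock and exempt this exact content."""
        form.read_blocked = False
        form.reporters.clear()
        form.exempt_hash = content_hash(form.content)

    def update_content(self, form: Form, new_content: str) -> None:
        """Editing the form drops the exemption, so a cleared sheet can't be repurposed."""
        form.content = new_content
        if form.exempt_hash != content_hash(new_content):
            form.exempt_hash = None


def demo() -> dict:
    """Walk the lockout through a constructed phish-style form; return observations."""
    gate = AbuseGate(threshold=3)
    phish = Form("frm-demo", "owner@example.invalid",
                 "Bank login verification\nUsername:\nPassword:\nPIN:")  # constructed
    out = {}
    gate.report(phish, "r1")
    gate.report(phish, "r1")  # repeat from the same reporter is not counted twice
    out["blocked_after_two_distinct"] = gate.report(phish, "r2")
    out["blocked_after_three"] = gate.report(phish, "r3")
    out["owner_can_read"] = gate.can_read_responses(phish, phish.owner)
    gate.restore_after_review(phish)  # review clears it (rightly or wrongly)
    out["report_while_exempt"] = gate.report(phish, "r4")
    gate.update_content(phish, phish.content + "\nSSN:")
    out["exempt_after_edit"] = phish.exempt_hash is None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the sequence: two distinct reports leave the sheet readable, the third blocks the owner's read access, review restores it and silences further reports, and the first edit to the form strips that exemption so the counter applies again. The distinct-reporter count is one knob against brigading a legitimate form; the text's own caveat still holds, since the control only works if enough recipients actually report and X is kept small.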
