Date: 2001-11-20

a new phishing lure to play with: Google Drive. A flaw in Drive is being exploited to send out seemingly legitimate emails and push notifications from Google that, if opened, could land people on malicious websites. The scam itself is nothing new—messages asking you to click on dodgy links are as old as the internet itself—but could catch a lot of people off guard.

The smartest part of the scam is that the emails and notifications it generates come directly from Google. On mobile, the scam uses the collaboration feature in Google Drive to generate a push notification inviting people to collaborate on a document. If tapped, the notification takes you directly to a document that contains a very large, tempting link. An email notification created by the scam, which also comes from Google, also contains a potentially malicious link. Unlike regular spam, which Gmail does a pretty good job of filtering out, this message not only makes it into your inbox, it gets an added layer of legitimacy by coming from Google itself.

[...] A Google spokesperson says the company has measures in place to detect new spam attacks and stop them, but that no security measures are 100 percent effective. The spokesperson adds that Google is working on new measures to make it harder for Google Drive spam to evade its systems. Anyone targeted by the scam can report it to Google via the company's support page.

"It's difficult for Google to do anything if the notification is coming from a legitimate account, which is, of course, easy to create," says David Emm, principal security researcher at cybersecurity firm Kaspersky. He adds that, as with all phishing scams, the important thing is to think before you click. "Avoid clicking on unsolicited links of any kind when sent from unknown sources. If you weren't expecting to receive it and don't know the sender, don't respond."