If you use Google Drive for your customers or team, be aware that a new phishing attack launched today. The base domain that is sourcing the attack is blackburnsmed (dot com). We discovered this by looking at the source code in the email we received. (See image below.)
This attack is sent under the guise of a highly trusted, frequent contact. It isn't the normal spammy content that is easy to spot... It appears to be a legitimate request to share content from your trusted contact's google drive. (See image below.)
When the recipient clicks on the link, it displays an innocent looking .pdf document with a download link. The branding is clever, and passes an ordinary consumer's 'sniff test'.
When the viewer clicks on the download button, it launches a .php script that directs them to log in with their email account to complete the download. (See image below.)
The recipeint selects the type of account to log in with, and what looks like a regular login screen appears. Account credentials are logged the moment the user logs in. :-(
Note: This screen is the one context clue that might alert an end user to trouble... Why would google drive require login with yahoo, aol, windows, or other email accounts?
End users with google drive accounts will automatically be logged in to google drive, and may be confused about why the 'document' didn't download, or why it doesn't appear in their account. Curiosity may lead them to repeat the process using a different account credentials, which exposes yet another email account and password to the hackers.
We have reported this to Google.
If you have fallen victim to this scam, change all of your passwords immediately.
For agents who are smarter than the average bear, we can highly recommend http://pdfmyurl.com/ as a method of pre-screening websites and embedded links without actually surfing to them on your machine. This is what we used to collect our screenshots for this post.