Back to the tech blog overview

Sophisticated Hacker Behind the ‘Google Docs’ Phishing Campaign

Today a new phishing attack began making the rounds in email boxes around the world, taking the form of an email with a link to a Google Doc that the sender has shared with the recipient. The email looks innocent enough, as shown in the image below – I myself received one shortly after the attack was launched – and many people likely clicked the link out of curiosity to see what they received.

Google Phishing Email
Example of phishing email

Google Login
Web page prompting users for Google login

As shown above, the email prompts the recipient to log in to their Google account when clicking the link. When doing so, their Google login credentials become taken over by hacker(s) who can now use them to make purchases with the victim’s Google Wallet, access the victim’s financial and other accounts and compromise their personal information.

At Nominum, our anomaly detection engine picked up the domain, registered as,, and other similar names, at 18:40 UTC – two hours before it was mentioned by Google on Below you can see one of the domains behind this attack, which is masked as a link to Google Docs.

Google Url

This phishing campaign has been quite successful, as you can see from the chart below showing the number of queries to the different associated domains, as we saw in a real-time sample of our worldwide DNS data. From the chart, we can see traffic from these names are aligned and spiked at the same time, which means the attacker carefully planned this phishing campaign.

Data Graphp

Once the domain (and associated domains) were processed by our data science team and proprietary algorithms, they were determined to be malicious and then added to our universal block list. These domains were blocked by our N2 Secure Consumer product – made available to individuals around the globe through their ISP.

The attacker behind this attack is highly sophisticated. Based on whois registration information shown below as an example for docscloud[.]info, we can see that these domains are registered from `namecheap` with anonymous protection, and hosted on `cloudflare` with anycast IP, which makes them very hard to pinpoint and track down.

Registrar WHOIS Server:
Updated Date: 2017-05-03T20:11:37Z
Creation Date: 2017-04-22T10:36:29Z
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email:
Registry Admin ID: C201581253-LRMS
Admin Name: WhoisGuard Protected

Additionally, as shown above the attacker is launching a widespread distributed attack utilizing a broad set of domains, likely in the hopes of throwing off security professionals like ourselves from blocking their activities. Detecting correlations between the different domains is a difficult task, but given the depth of our DNS data, which comes from our telecom customers around the world, we are in a unique position to detect anomalies, identify them as malicious, and take action to block them in order to protect users.

Back to the tech blog overview