Today I found out that Google Docs infects HTML exports with spyware, no scripts, but links in your document are replaced with invisible Google tracking redirects. I was using their software because a friend wanted me to work with him on a Google doc, he is a pretty big fan of their software, but we were both somehow absolutely shocked that they would go that far.
Title says it all. Somewhat interesting if true. I wouldn’t be surprised either way.
First, scammers used to set up a Google docs with a survey inside Google for users to fill out. Google cracked down on those.
Then, scammers started adding external links to Google docs, so people would see the doc was on Google and trust to click on the link. Google cracked down on those.
Now, scammers are exporting the Google docs webpage and hosting it somewhere else, so it still looks like Google and makes people trust it, but outside of Google’s control. Google is now cracking down on those by replacing every link with a redirect through Google, so even if the HTML export is hosted somewhere else, Google gets to scan and block malicious links.
Personally I’m against it (tampering with user data) and I think it’s only going to stop the scammers who forget to replace the exported links, which seems like an easy thing to do.
Sorry if this sounds combative, but I just don’t think I’m understanding what’s going on, I can’t figure out how this could possibly work.
How does that even work though? Like… the exported doc is just a web page, it doesn’t have any google watermarks (except the now invisible ones) marking it as a google web page.
If it’s hosted on an external domain… it doesn’t have the google domain in the URL bar either…
Like how is the scam victim fooled vs a normal web page with the same information… How is a Google Docs HTML export visually different from a LibreOffice or Microsoft Office HTML export in a way that tricks the scam victim into thinking it’s legitimately from Google and therefore laundering the scammer’s reputation through Google? Like I know scam victims are generally distracted or otherwise not thinking clearly (or just dumb), but how does this work?
Besides the default font basically any Word Processor HTML export looks the same to a layman, it’s plain black text on a white background with 1in margins. If scam victims trust plain white backgrounds and simple formatting there’s a ton of ways to achieve that effect that bypass Google.
HTML exports are not plain text, they include images, graphs, formatting, tables, links, etc. Google Docs is an HTML-based editor, so its HTML exports look particularly similar to the original editable doc, which users are used to. Other editors have different looks, and their HTML exports look different.
Just like scam victims are “dumb”, many scammers are also “dumb”, they barely grasp the technical part of what they’re doing, some just follow a script, but most importantly their focus is on social engineering, not on the tech.
How it works is: a “dumb” scammer writes a Google doc with some links to some scam landing page, gets an HTML export, and hosts it on gōogle.com; a “dumb” victim comes by, thinks “oh, this looks similar to the TPS report from last month”, clicks on a link, and proceeds to fill in their company’s banking information… ✨ well, not anymore! Because Google has replaced the actual link with a redirect in the HTML export that they scan and block when reported to be used by scammers. 🎉
Silly measures against silly scammers of silly victims. 🤷
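An added example, not part of any comment in this thread: a small Python audit of an HTML export that reports where each link really goes, unwrapping redirect links and flagging look-alike hosts with non-ASCII characters such as the gōogle.com mentioned above. The wrapper form `https://www.google.com/url?q=<target>` is an assumption about the export format (the thread does not spell it out), and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumption (not stated in the thread): exported links are wrapped as
# https://www.google.com/url?q=<original target>&<other parameters>
REDIRECT_HOSTS = {"www.google.com", "google.com"}

# Constructed sample export: one wrapped link, one look-alike host, one anchor.
SAMPLE_EXPORT = (
    '<p><a href="https://www.google.com/url?q=https://example.org/'
    'report%3Fid%3D7&amp;sa=D&amp;source=editors">TPS report</a> '
    '<a href="https://gōogle.com/login">sign in</a> '
    '<a href="#h.abc">section</a></p>'
)


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def audit_links(html):
    """Return one record per link: raw href, whether it is a redirect
    wrapper, the real destination, and whether that host is non-ASCII."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        wrapped = parts.hostname in REDIRECT_HOSTS and parts.path == "/url"
        target = href
        if wrapped:
            q = parse_qs(parts.query).get("q")
            target = q[0] if q else None  # wrapper without a destination
        host = urlsplit(target).hostname if target else None
        report.append({
            "href": href,
            "wrapped": wrapped,
            "target": target,
            "non_ascii_host": bool(host) and not host.isascii(),
        })
    return report
```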
Those aren’t HTML exports though? Those are direct links to google docs.
Let’s see…