InBoxRevenge KS Forum

On a PhishTank mailing list, several people who evaluate potential phishing scams are expressing dismay because they suspect that Google has stopped removing phish from doc.google.com/speradsheets/ pages.

I can neither confirm nor refute the suspicions; I am only passing along the concerns in case some readers may be interested. I am aware the the situation coincides with the Easter weekend; perhaps Google's staffing level fell too low to handle the volume of complaints.

My personal experience is that when you do the following:

- Click the link at the bottom of the offending form that says "report abuse"
- Post the form. (I do it a few times to drive the point home.)

They do shut it down. It takes at least 24 hours, but they do shut it down.

SiL

At least two people have been requesting that Google shut down the following page since 5-April or earlier.

https://docs.google.com/spreadsheet/viewform?formkey=dEhFVUdhVWpzeF9BcjNyOGl2UHJMOVE6MQ

I can easily understand why they think that the page is suspicious because it is labeled "Yahoo!© Service" and it collects Yahoo account log-in data.

Added my tuppence worth, for
https://docs.google.com/spreadsheet/vie ... UHJMOVE6MQ

Thanks for reporting abuse

Your abuse report has been submitted and will be processed as quickly as possible.

Where's the flash mob?

https://docs.google.com/spreadsheet/vie ... YXhma2c6MQ

This one was reported on April 3rd. Repeatedly by clicking on "Report Abuse", by a notification to Google's abuse desk from my SpamCop-report and by a suspension-requests (from 2 different e-mail accounts) to Google's abuse desk (Google Help), with the full UBE attached.

The form in Thai language collects Hotmail and Live account log-in data, and was used in a spam which was sent to over 2,500 Hotmail and Live accounts. The form itself does not mention Hotmail, but the nature off the phishing attempt was clear from the spam-message (which Google has received 9 days ago!!).
Just like in the links provided by NB and Red, passwords entered in the form are not masked.

I want to add that since about 2 weeks, Google does no longer suspend Thai ('work-from-home') scam-links, no matter how many times the "Report Abuse" link has been clicked using different IP-addresses and browsers.
I can understand that if a form contains very little information (and in Thai) that such forms may not be recognized as scam/spam-forms by Google. For that purpose Google has a report&appeal form, where one can enter - a little- extra information, at:

http://docs.google.com/support/bin/requ ... h=Continue .

When my Thai spouse had used that link just a few times, and mentioned that the scam-link had not been suspended despite several "Report Abuse"-clicks, she received mails from Ana from "Google Help" . 1st Telling my wife NOT to use that form but ONLY to report spam by clicking on "Report Abuse" (ignoring the fact that such had already been done, but without response). After the next one, my wife was informed by Ana that she was abusing the "report&abuse"-forms(??), and that because of that, Ana had marked my wife's e-mail address as "spammer", and that further reports from her would therefore not be read.

I myself have not gotten a notification that my address also is considered as spam-address, but I fear it is, because even my notifications through SpamCop-reports now are ignored.

In the late 1980's, I received a similar threat from some functionary at the University of California at Berkeley because I had sent two complaints about two spam incidents within a month. (The Berkeley system had been relaying many more spam messages to me.) I then notified the head network administrator at Berkeley of the irregular performance, but I never received a reply. I don't know if my email address was really banned from Berkeley, but I probably still have my email preferences set to refuse berkeley.edu

Call off the flash mob

We're sorry. You can't access this document because it is in violation of our Terms of Service.
Find out more about this topic at the Google Docs Help Center.

https://docs.google.com/spreadsheet/viewform?formkey=dEhMNnNmUkxzYjBfYzU2c0VnYXhma2c6MQ also reported. Tuppence more.

I hope that Red has more luck with that one, as I got the impression that Google has decided to ignore Thai scam-links.
This one - 'work-from-home' -was spammed on April 7th, and because it was not suspended despite numerous reports, it was used again in a spam from April 12th (and reported again and again):
https://docs.google.com/spreadsheet/vie ... UmREeGc6MQ

My compliments to the flash mob.

The problem here is that it is not an obvious phish, requesting a password for an email address. It could be seen to be innocuous. Translation

Red wrote:


Yes, I am aware that the form may look innocent, as this time no minimum age of 15 and also no ridiculous high incomes - for Thai standards - are mentioned. The original spam-message had as usual of course no contact details or company name.

Moreover, though the scam-nature of the form may not be clear, it has been reported and appealed through Google's "report&abuse"-form, and should therefore have been suspended for spamming. I have seen spammed scam-forms in the past that were even less detailed than this one, but were still suspended by Google.

As mentioned earlier, it looks like Google no longer responds on ANY spam-report if the form is in Thai language. The form which obviously collects account log-in data from Hotmail (Google does have the full UBE) is after 12 days also still not suspended. Hotmail/Live did reply to me that they had taken appropriate action on that spam, but I don't know which action.

Technically, to be "phish," it has to spoof some known website that people would normally trust.

It sounds like this is a money mule scam. If it is reported as phish and there is no recognizable brand involved, it may not get action. It would have to be reported for some other infraction.

It is hard to prove a job scam is really fraudulent. If you can't provide evidence a host could rely on if the terminated client filed a lawsuit, they're probably not going to want to touch it.

Not one of these spams looks like a money mule scam. I have not seen any form (or spam-message) of these scams that asked people if they had a bank-account, or a request to provide one.

The text of the spam-message was:

Previous spams were more specific, suggesting that with part-time jobs salaries of Thb 15,000 p/m could be earned, and with full-time activity even 60,000 p/m (= about 2,000 US$). In such cases the scam-nature was evident, because the average Thai earns about Thb. 9,000 p/m working 60 hours per week. Also often a fake company-name was used; a notorious one being Hy Ads.biz (also spelled as HyAds.bizz). One of these forms was never suspended though it dates from 2011-06-30:
https://spreadsheets.google.com/spreads ... NDJ1MVE6MQ

Later scam-forms from HyAds were all suspended by Google. For a short while, Google was quite responsive suspending all reported forms within about 12-24 hours. These scams than stopped using Google and abused the services from Emailmeform.com, Jotform.com, Yolasite.com and Weebly.com. All of these companies suspended the spam-links way faster than Google; EMF.com as fast as within 30 minutes of having received the spam-report. After Google started getting slower again the spams alternating used Google and 2 of the mentioned form-providers. Now Google has stopped suspending Thai links, none of the other providers is being used anymore.

I also wonder what lawsuits Google would have to fear. It is not allowed to use docs/spreadsheets.google for spam. And that all links I have mentioned were spammed is a fact that can easily be proven by the original UBE's (which I can provide).

Edit: I think I should not have mentioned the 'work-from-home'-scams in this phishing-thread, as they are rather a kind of "advance fee-"scam; not the 419-style, but scams in which one has to pay, to get a job that does not exist, or for mailing-lists that are just harvested e-mail-lists. Maybe a new thread "doc.google.com/spreadsheets scams" or just "doc.google.com/spreadsheets spam" should be created, and the posts moved there?

All the reported spam-links I have mentioned above are now suspended by Google (except from the obsolete one from August 2011).

My thanks to the flash mob!! (and to my Indian friend from the UK, who included a link to this forum-thread in his report to GoogleHelp )

Here is a recently expressed personal opinion of an extraordinarily capable PhishTank volunteer moderator