Phishing Example: Google Doc Phishing Message

May 3, 2017

Why is this a Phishing message?

What appears to be a global, widespread Internet worm hit the campus in the form of a phishing email message. The message slipped through normal spam filters as the worm spread to email accounts in the "berkeley.edu" domain, so the message was also widely received in campus mailboxes.

The message was a forgery of the common message notification received when a Google Doc is shared, but there are a couple of obvious indicators that this message is a fake:

  • The recipient address in the message is very suspicious:  hhhhhhhhhhhhhhhh@mailinator.com
  • The actual recipient's address is included in the "Bcc" line - why would a notification about a shared Google Doc be blind-carbon-copied to someone?
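The two indicators above can be checked mechanically. The following is an added example, not part of the original advisory: it assumes the mailbox address is known from delivery (the Bcc header itself is normally absent on receipt), and the function name, domain list and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: a local list of disposable-mailbox domains; the page names only this one.
DISPOSABLE_DOMAINS = {"mailinator.com"}
# Subject wording taken from the sample message on this page.
SHARE_SUBJECT = re.compile(r"has shared a document on Google Docs with you", re.I)


def share_notice_indicators(raw_message, mailbox):
    """Return the indicators that fire for a message delivered to `mailbox`."""
    msg = message_from_string(raw_message)
    if not SHARE_SUBJECT.search(msg.get("Subject", "")):
        return []  # not a share notification, so these checks do not apply
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    visible_addrs = {addr.lower() for _name, addr in visible if addr}
    findings = []
    # Indicator 1: the visible recipient is a throwaway address.
    if any(a.rpartition("@")[2] in DISPOSABLE_DOMAINS for a in visible_addrs):
        findings.append("to-disposable-domain")
    # Indicator 2: the mailbox owner is in neither To nor Cc, so the
    # share notification can only have arrived by Bcc.
    if mailbox.lower() not in visible_addrs:
        findings.append("recipient-only-in-bcc")
    return findings


MAILBOX = "recipient@berkeley.edu"  # constructed address
# Constructed sample reusing the headers shown in the original message.
PHISH = (
    "From: XXX@berkeley.edu\n"
    "Subject: XXX has shared a document on Google Docs with you\n"
    "To: hhhhhhhhhhhhhhhh@mailinator.com\n\n"
    "XXX has invited you to view the following document:\n"
)
# Constructed sample: a share notification addressed directly to the mailbox.
LEGIT = PHISH.replace("hhhhhhhhhhhhhhhh@mailinator.com", MAILBOX)
# Constructed sample: list mail also omits the mailbox from To, but is not a share notice.
LIST_MAIL = "From: list@example.org\nSubject: Weekly digest\nTo: list@example.org\n\nNews\n"

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT), ("list", LIST_MAIL)):
        print(name, share_notice_indicators(raw, MAILBOX))
```

Gating on the share-notification subject keeps ordinary mailing-list traffic, which also omits the recipient from "To", from being flagged.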

The following announcement was posted to campus concerning this incident:  Global Google Phishing Alert

Please contact Campus Shared Services IT by calling 510-664-9000 or emailing itcsshelp@berkeley.edu if you have questions about this incident.

Original Message:

From:  XXX@berkeley.edu
Subject:  XXX has shared a document on Google Docs with you
To:  hhhhhhhhhhhhhhhh@mailinator.com
Bcc:  Me

XXX has invited you to view the following document:

Open in Docs

Warning:  The links and email addresses included in these messages are from real-life examples; do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up tooltip (instead of in the corner of the browser window).

Report suspected phishing emails to phishing@berkeley.edu. Be sure to include the entire text of the message, including the email header.