Google Drive Hacked to spew Spam

Early this morning (GMT) I intercepted emails trying to sell a Chinese business signage product that had been spammed to spambait addresses left on web pages. Nothing new there, but having analysed the source I discovered that the Google Drive “cloud” storage system was still being abused to sent them out. I saw the first such incident about a month ago.

Basically the crims are creating a Google Drive account and then sharing it with a large number of people using a custom message. The name of the file becomes the title, and the sales pitch goes in the body:

Dear Sirs,

From internet we know you are leading on AV/TV product reseller field.

Sysview is a digital signage software, capable change your existing smart TV to a digital signage . Sysview features following :

The only surprise about this is that no one has exploited it before. It’s going to be very difficult to filter out without hitting all Google could services, and Google’s “sign-up free without asking questions policy” is going to make it hard from them to tackle.

Come on Google! You’ve had at least a month to get this sorted, to my certain knowledge. Google could be forgiven for failing to secure the system against such abuse in the first place, but I’m not going to. This is a common sense failure.