According to Hypponen, because spreadsheets can contain a variety of functionality, even to the extent of interactive forms, it seems that cybercriminals are now hosting these on the Google Docs system.
Examples, he notes in his latest security blog, include several being hosted on spreadsheets.google.com.
These are, he says, quite nasty attacks, as the phishing pages are hosted on the real Google.com, complete with a valid SSL certificate.
The problem is now, adds Hypponen, how to identify a Google Docs file as a potential phishing exploit.
In an example cited, he says that – initially at least – "the page obviously looks like phishing: it's hosted on the public spreadsheets.google.com server where anyone can host forms."
"And it asks for your Google Voice number, your e-mail address and the secret PIN code. But then, you can also find that apparent Google employees are linking to the form", he adds.
In an interesting piece of crowdsourcing, Hypponen researched the following page via the Twitter microblogging service:
https://spreadsheets.google.com/viewform?formkey=cjlWRDFTWERkZEIxUzVjSmNsN0ExU1E6MA
The consensus on Twitter, he said, seems to be that it's a phishing site, adding that after being contacted by a Google staff member, "the questionable page is indeed the official Google form to request Google Voice account transfer."
"They also told us to remove all references to the form in this blog post. But I'm afraid we can't do that", he noted.