Product request is a phish to get email account login details in a Google Docs lay out

MX Lab,, has intercepted emails with a request for a product that is in fact an phishing attempt in order to get the email account login details in a Google Docs lay out.

The email comes with the subject “RE: Urgent Order” and is in this case sent from the email address “David Brown <>”.


We understand there might be a little difficulty in opening the file which was attached for the product sample which is why we have decided to open a Google document account. Please this product is needed urgently and we are ready to transfer all payment as soon as agreement is reach between the two parties.

Please visit our google document page to view the product below. You will be required to sign in to view it, if you do not have a Google or Yahoo account you can choose “Other Email” to sign in and view it. You can call or email us as soon as possible. Also you can either click or copy the link to a URL


We do await your immediate response concerning this product.

Thanks for your response one more time.

God bless you.

David Brown

Golden Packs Group of Company
4023 Park Blvd
Wildwood, New Jersey 08260
United States
Contact No: +1 (254) 935-9787

The Google Docs URL contains the value hxxp:// that redirects you to hxxp://

However, the Google DOcs URL is also active.

In both cases, you will get the following page.

You will get a popup to fill in your email address and password when you select one of the email providers.

Afterwards, the Google Doc page will be openend with the message:

Please Check out this product and do let us know if you have it or anyone who produce it as soon as possible

Below the full content of the page.

MX Lab recommends not to open or follow Google Docs URLs when the sender can not be verified or when the message itself looks suspicious.

8 thoughts on “Product request is a phish to get email account login details in a Google Docs lay out

  1. I went to the link before I realized it was a virus… Now my email account did the same thing and sent it to more people, is there anything I can do?

  2. I got this from a collegue and I mistakenly opened it; three days later my entire address book was deleted. BEWARE!

  3. I received an email from the same address with the same phone number, but it was from Stephen A Seedorf, and it did not have a link but instead had a zip file attached. The language in the email was different, but still appeared so broken that it looked like a scam.

  4. I got one from David Simpson stating that they had read my profile and wanted to invest in my business. A Zip file was attached. Seemed more legit than other scammer emails. Didn’t download the Zip and searched the net first by the address included in the email. Thanks for starting this thread there wasn’t any other warning regarding the contents of the email

  5. Got the same email from David Simpson with a zip file attached. Luckily my ipad doesn’t know how to open a zip file. 🙂

  6. I got this today by the same email address:


    Attached is a report on your 2013 tax refund, we need you to go through the pdf attachment to view the tax refund report.

    Kindly advise your decision regarding this report for immediate processing. Thank you.

    Tax Credit Office
    PR1 4AT
    0345 300 3900
    Opening hours
    8.00 am to 8.00 pm, Monday to Friday
    8.00 am to 4.00 pm Saturday

Comments are closed.