Threat Actors Use Google Drives and Docs to Host Novel Phishing Attacks

On Thursday, researchers at email and collaboration security firm Avanan revealed that attackers are using standard tools within Google Docs/Drive that deliver malicious links aimed at stealing victims’ credentials.

In a blog post, Avanan said attackers are bypassing link scanners and dodging common security protections that aim to verify the links sent via email. Jeremy Fuchs, marketing content manager at Avanan, said this is the first time they have seen hackers employing these types of attacks through a Google-hosted document service. Usually, attackers lure their victims to a legitimate website before exploiting a particular one.

According to the report published by Trend Micro, phishing remains the top threat vector in today’s cybercrime scene. Of the 62.6 billion cyber-threats analyzed by Trend Micro last year, over 91% were sent via email. Previously, attackers used the same attack vector with smaller services such as MailGun, FlipSnack, and Movable Ink, according to Avanan.

According to researchers, once the hacker publishes the lure, “Google provides a link with embed tags that are meant to be used on forums to render custom content. The attacker does not need the iframe tags and only needs to copy the part with the Google Docs link. This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website.”

The hackers then use the phishing lure to get the victim to “Click here to download the document.” Once the victim clicks, the page redirects to the actual malicious phishing website through a web page designed to mimic the Google Login portal. Friedrich said Avanan researchers also spotted this same attack method used to spoof a DocuSign phishing email. In this case, the “View Document” button was a published Google Docs link that actually was a fake DocuSign login page that would transmit the entered password to an attacker-controlled server via a “Log in” button.
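As an added defender-side illustration (not code from the article or from Avanan), the Python below shows the two checks a link scanner needs for this lure: spotting a published-to-the-web Google Docs link in an email body, and, given the HTML that such a link renders, pulling out the outbound hyperlink the victim is told to click so the real destination can be scanned instead of the trusted docs.google.com host. The published-URL pattern (docs.google.com/document/d/e/<id>/pub) is an assumption about Google's format, and both sample inputs are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed format of a "published to the web" Google Doc; the iframe embed
# snippet the article mentions points at the same path with ?embedded=true.
PUBLISHED_DOC_RE = re.compile(
    r"https?://docs\.google\.com/document/d/e/[\w-]+/pub[^\s<>'\"]*",
    re.IGNORECASE,
)

def find_published_doc_links(email_html: str) -> list[str]:
    """Return every published-Docs URL in an email body (anchor or iframe src)."""
    return sorted(set(PUBLISHED_DOC_RE.findall(email_html)))

class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from rendered HTML."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def external_links(published_page_html: str) -> list[tuple[str, str]]:
    """Links on the rendered doc whose host is outside google.com; these are
    the second hop a link scanner must check rather than stopping at Google."""
    parser = _LinkCollector()
    parser.feed(published_page_html)
    out = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        if host and not host.endswith(".google.com"):
            out.append((href, text))
    return out

# Constructed samples: an email carrying a published-doc link, and the HTML
# such a doc renders with the lure text from the article.
SAMPLE_EMAIL = ('<p>Your file is ready.</p>'
                '<a href="https://docs.google.com/document/d/e/2PACX-EXAMPLE/pub">View Document</a>')
SAMPLE_PUBLISHED_PAGE = ('<html><body><p>Shared document</p>'
                         '<a href="https://login-example.invalid/sign-in">'
                         'Click here to download the document</a></body></html>')
```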

“Combining this tactic with social engineering could create a very convincing campaign where the attacker can swipe personal or corporate login credentials. Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Once the attacker has those login credentials and can log into the cloud platform they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate,” said Hank Schless, senior manager, security solutions at Lookout.
