Attackers create phishing lures with standard tools in Google Docs to steal credentials

Cyber Security News

The Google campus in Mountain View, California. (brionv, CC BY-SA 2.0 https://creativecommons.org/licenses/by-sa/2.0, via Wikimedia Commons)

Researchers on Thursday reported that hackers are using standard tools within Google Docs/Drive to lead unsuspecting victims to fraudulent websites, stealing credentials in the process.

In a blog post, Avanan said hackers are bypassing static link scanners by hosting their attacks on publicly-known services.

Gil Friedrich, co-founder and CEO of Avanan, said his team has seen this in the past with small services like MailGun, FlipSnack and Moveable Ink, but this was the first time they’ve seen these type of attacks through a major service like Google.

“Usually, hackers will lead their victims to a legitimate website, which means they have to hack into that site,” said Friedrich. “Here, everything is done within Google in a five-step process.”

According to Avanan blog, once the attacker publishes the lure, “Google provides a link with embed tags that are meant to be used on forums to render custom content. The attacker does not need the iframe tags and only needs to copy the part with the Google Docs link. This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website.”

The attacker then uses the phishing lure to get the victim to “Click here to download the document.” Once the victim clicks on the link, they are redirected to the actual malicious phishing website where their credentials are stolen through a web page designed to mimic the Google Login portal. Friedrich said Avanan analysts also spotted this same attack method used to spoof a DocuSign phishing email.

This incident shows how easily somebody can build a convincing phishing page without having to be an experienced software engineer, said Hank Schless, senior manager, security solutions at Lookout.

“Combining this tactic with social engineering could create a very convincing campaign where the attacker can swipe personal or corporate login credentials,” Schless said. “Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Once the attacker has those login credentials and can log into the cloud platform they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate.”

Schless added that security teams need to implement an endpoint-to-cloud security strategy based on zero trust to keep up with today’s modern threat landscape. “Assuming that no device or user can be trusted until proven otherwise can prevent attacks before they even begin,” he said.

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, said security professionals make a major mistake when they assume that other personnel and staff have the same understanding of good cyber hygiene as they do.

“Frankly, the average worker isn’t trained in cyber hygiene and best practices, making them easy prey for cybercriminals looking to access an organization’s networks quickly and easily via a phishing attack or clever social engineering,” Carson said. “Ensuring that employees at every level are given sufficient training on how to identify malware-laced emails and other rudimentary attempts at credential theft can be a major step to help reduce the success rate of an attack or at least raise an alert. And by normalizing training within the culture of the workplace, organizations can help maintain vigilance for these practices long- term.”