An increase in recent phishing & Business E-mail Compromise (BEC) attacks can be traced back to criminals learning how to exploit Google Services, according to research from Armorblox.
Attackers used a variety of Google Services, including Forms, Firebase & Docs, to boost phishing & BEC campaigns.
Social distancing has pushed businesses toward Google as a reliable, simple way to digitise the traditional office.
Armorblox Co-Founder & Head of Engineering Arjun Sambamoorthy just published a report detailing how now-universal services like Google Forms, Google Docs & others are being used by malicious players to give their spoofing attempts a false surface of legitimacy, both to security filters & victims.
“Open APIs, extensible integrations & developer-friendly tools mean that entire virtual offices — complete with virtual workflows — can exist in a Google ecosystem,” Sambamoorthy wrote. “Unfortunately, Google’s open & democratised nature is being exploited by cyber-criminals to defraud individuals & organisations of money & sensitive data.”
The report gives examples of how Google Services help attackers with their malicious schemes.
One campaign used a Google Form & an American Express logo to try & get victims to enter sensitive information.
“Hosting the phishing page on a Google Form helps the initial email evade any security filters that block known bad links or domains,” according to Sambamoorthy. “Since Google’s domain is inherently trustworthy, & Google forms are used for several legitimate reasons, no email security filter would realistically block this link on ‘day zero.’”
Another attack Sambamoorthy found used a phoney letter from a ‘childless widow’ looking for someone to whom she could leave her fortune. The link in the email leads to a Google Form with a blank question field.
In this instance, the Google Form helps attackers with the social engineering strategy, the report observed.
“Many people will feel the email is suspicious after going through the content & visiting this dummy form,” he added. “But some people will submit the only option allowed by the form, or they will send a reply to the address provided in the email. This lets attackers shortlist the naivest & emotionally susceptible email recipients, who will be prime targets for follow-up emails from the childless widow.”
Google Firebase, Google Sites & Google Docs
Google’s mobile platform Firebase was used in another scheme to host a phishing page, which allowed it to get through email filters for the same reason – because Firebase is trusted.
In a Google-services-powered payroll diversion fraud scam that Sambamoorthy highlighted, a scam email link sent recipients to a Google Doc file to “confirm” their payment details.
In yet another attack, an email was delivered to victims, supposedly from their own IT team, asking them to review a secure message on Microsoft Teams from a colleague. The link led to a web page with a bogus Office 365 login portal hosted on Google Sites.
“The malice of the page’s intent was hidden behind the legitimacy of the page’s domain,” Sambamoorthy added. “This page would pass most eye tests during busy mornings, which is when the email was sent out, with people happily assuming it to be a legitimate Microsoft page.”
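The common thread in the Forms, Docs, Firebase & Sites cases above is that domain reputation alone cannot catch them: the link really does go to Google. The following is an added example (not code from the report or from Armorblox) of a simple triage heuristic that instead looks for attacker-publishable content on a trusted host combined with credential or payment lure wording and a brand claim that does not match the hosting domain. The sample emails, hostname list and lure vocabulary are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts where anyone can publish a page, so the domain's reputation says nothing
# about the page's intent (the evasion described in the article). Assumed list.
USER_CONTENT_HOSTS = {
    "docs.google.com": ("/forms/", "/document/"),
    "sites.google.com": ("/",),
    "forms.gle": ("/",),
}
USER_CONTENT_SUFFIXES = (".firebaseapp.com", ".web.app")

# Lure wording modelled on the campaigns above (assumed vocabulary).
LURE_TERMS = ("log in", "login", "sign in", "password", "secure message",
              "confirm your payment details", "payroll")
# Brands the lures impersonate; none of them is a Google property.
BRANDS = ("american express", "office 365", "microsoft", "citibank")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_user_content_host(url):
    """True if the URL points at attacker-publishable content on a trusted domain."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host in USER_CONTENT_HOSTS:
        return parsed.path.startswith(USER_CONTENT_HOSTS[host])
    return host.endswith(USER_CONTENT_SUFFIXES)

def score_email(body):
    """Return (score, reasons); a score of 2 or more is worth routing for review."""
    text = body.lower()
    reasons = []
    hosted = [u for u in URL_RE.findall(body) if is_user_content_host(u)]
    if hosted:
        reasons.append("link to user-publishable page on trusted host: " + hosted[0])
    if any(term in text for term in LURE_TERMS):
        reasons.append("credential/payment lure wording")
    brand = next((b for b in BRANDS if b in text), None)
    if brand and hosted:
        reasons.append(f"claims '{brand}' but the page is hosted by Google")
    return len(reasons), reasons

# Constructed sample emails modelled on the cases described above.
SAMPLE_EMAILS = {
    "amex": "American Express: your card has been suspended. Log in to restore access: "
            "https://docs.google.com/forms/d/e/EXAMPLE-FORM-ID/viewform",
    "payroll": "HR update: please confirm your payment details here "
               "https://docs.google.com/document/d/EXAMPLE-DOC-ID/edit",
    "teams": "IT Support: a colleague sent you a secure message on Microsoft Teams. "
             "Review it at https://example-portal.web.app/office365",
    "benign": "Team lunch poll: https://docs.google.com/forms/d/e/EXAMPLE-POLL/viewform",
    "newsletter": "Read our Q3 update at https://www.example.com/news/q3",
}
```

The benign poll scores 1 (a Google Form link alone is not suspicious), while the three lures score 2 or 3 even though every link they carry resolves to a Google-owned domain.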
Hijacking Google Services
The ability for malicious players to use Google Services for their activities is starting to appear as a trend.
At the beginning of November, researchers found 265 Google Forms impersonating brands like AT&T, Citibank & Capital One, and even government agencies like the Internal Revenue Service & the Mexican government, being used in phishing attacks.
The forms were removed by Google after researchers from Zimperium reported them.
Days before, scammers were discovered abusing Google Drive’s legitimate collaboration feature to trick victims into clicking on malicious links.
Google Calendar has also been abused in the past, in a sophisticated cyber-attack that targeted mobile Gmail users with fraudulent, unsolicited meeting notifications.
Google stresses that the company is taking every measure to keep malicious players off its platforms.
“We are deeply committed to protecting our users from phishing abuse across our services & are continuously working on additional measures to block these types of attacks as methods evolve,” a Google spokesperson commented.
The statement added that Google’s abuse policy prohibits phishing & emphasised that the company is aggressive in combating abuse.
“We use proactive measures to prevent this abuse & users can report abuse on our platforms,” the statement outlined. “Google has strong measures in place to detect & block phishing abuse on our services.”
Sambamoorthy added that the security responsibility does not rest on Google alone & that organisations should not rely solely on Google’s security protections for their sensitive data.
“Google faces a fundamental dilemma because what makes their services free & easy to use also lowers the bar for cyber-criminals to build & launch effective phishing attacks,” he explained. “It’s important to remember that Google is not an email security company — their primary responsibility is to deliver a functioning, performant email service.”
Sambamoorthy observed that two-factor authentication (2FA) & maintaining strong passwords with a password manager are the best ways for users to protect themselves. Besides those best practices, the report recommended “rigorous eye tests” of emails “related to money & data.”
Basic Security Policies
Organisations, he suggested, should establish basic security policies & set up mechanisms which are able to adapt to new & evolving threats.
“Security has an important ‘process’ component, so organisations should ensure they have the right controls, checks, and balances in place to protect users & data,” Sambamoorthy observed. “Since these attack patterns are always evolving, organisations should invest in security technologies that have built-in feedback mechanisms. These mechanisms should learn from new attacks & refine detection algorithms with time.”