Cyber-criminals are sending malicious links to hundreds of thousands of users via Google Drive notifications.
Scammers are using a real Google Drive collaboration feature to fool users into clicking on malicious links.
Attackers are using this feature to send mobile users Google Drive notifications that invite them to collaborate on documents, and those documents contain malicious links.
Because they are sent via Google Drive, the notifications come from Google’s no-reply email address, making them appear more legitimate. Other forms of the attack are sent via email (instead of by notification) and contain the malicious link right in the email.
“Interesting TTP utilising Google Sheets, ultimately ending up with generic prize scams,” observed a cyber-security expert who goes by Jake (or @JCyberSec) on Twitter. “Google sheets slide was shared with an email address causing a pop-up notification on mobile.”
Google sheets slide was shared with an email address causing a pop-up notification on mobile.
Link leads to https://clck[.ru/RWen6
— Jake (@JCyberSec_) October 21, 2020
The attack is targeting hundreds of thousands of Google users, according to WIRED. The report said that the notifications are being sent in Russian or broken English.
The Google Drive notifications come with various lures. Many purport to be “personal notifications” from Google Drive, with one lure entitled “Personal Notification No 8482” telling the victim they have not signed into their account in a while.
These notifications threaten that the account will be deleted in 24 hours unless the victim signs in via a malicious link. Another, called “Personal Notification No 0684,” tells users they have an “important notice” of a financial transaction that they can view on their personal account, via a link.
One is a run-of-the-mill prize scam that claims to be part of a “Chrome Search contest 2020” and tells victims that they are the 5-billionth search and have won a prize.
These links direct victims to malicious scam websites. WIRED reported that one such website flooded users with notifications to click on links for “prize draws,” while other websites requested that victims click on links to “check their bank account.”
Targeted users went on Twitter to warn of the scams, with a Twitter user saying that the only ‘red flag’ of the scam was that he wasn’t expecting a shared doc.
‘I have received a few of these emails in the last 2 weeks. It is a serious breach because the Google Drive/Docs notifications come from Google’s no-reply email address.
I knew the notifications were scams because I was not expecting any shared doc. Be careful guys. https://t.co/qKppMASZcg
— Abubakar Idris (@IAtalkspace) November 1, 2020’
A Google spokesperson told WIRED that the company is working on ‘new security measures’ for detecting Google Drive spam.
With so many people working from home due to the pandemic, attackers are increasingly using collaboration and remote-work tools, including Google products. In May, researchers warned of a series of phishing campaigns using Google Firebase storage URLs. These used the reputation of Google’s cloud infrastructure to fool victims and evade secure email gateways.
In addition, researchers in October warned of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack stole Office 365 recipients’ login credentials.
“This scam wave highlights the need for users to be on the lookout for email-borne attacks,” cautioned Tripwire researchers. “Organisations can help their users in this regard by educating them about some of the most common types of phishing attacks that are in circulation today.”