How phishing attacks are exploiting Google's own tools and services

Cybercriminals are taking advantage of Google’s open and accessible online tools to skirt past the usual security filters, says Armorblox.

Image: iStockphoto/weerapatkiatdumrong

One of the primary challenges facing any type of cyberattack is getting past security defenses. And one way attackers manage this feat is by using legitimate services to carry out different phases of a campaign. A blog post published Thursday by cybersecurity firm Armorblox details how phishing campaigns are using some of the technologies available from Google and offers advice on how to protect yourself.

SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)

In the post entitled “OK Google, Build Me a Phishing Campaign,” Armorblox’s co-founder and head of engineering, Arjun Sambamoorthy, explains that Google is a ripe target for exploitation due to the free and democratized nature of many of its services.

Adopted by so many legitimate users, Google’s open APIs, extensible integrations, and developer-friendly tools have also been co-opted by cybercriminals looking to defraud organizations and individuals.

Specifically, attackers are using Google’s own services to sneak past binary security filters that look for traffic based on keywords or URLs. The blog post outlines five different phishing campaigns to illustrate how Google is being exploited.

American Express credential phishing

In this campaign, attackers deploy phishing emails impersonating American Express Customer Care, telling recipients that they left out certain information while validating their credit card. The email includes a link to a phishing page where people can add the missing information to validate their card.

Asking for such details as login credentials, card numbers, and mother’s maiden name, the phishing page is hosted on a Google form. As such, the initial email is able to bypass any security filters that look for bad links or malicious domains. Since Google’s own domain and Google forms are both trustworthy, a typical security filter would let this email pass through.

Benefactor scam reconnaissance

This campaign uses a well-known and obvious tactic by impersonating a childless widow who wants to part with a lot of money but has nowhere to send it. The email asks people who want to receive the money to click on a link or reply to the sender’s address.

The link takes recipients to an apparently empty Google form with an untitled question and one answer option (Option 1). Though this seems like a mistake on the part of the attackers, this type of form is actually a common reconnaissance technique, according to Armorblox. Unsuspecting users will either submit the dummy form or reply directly to the sender. These responses help the attackers narrow down their potential victims to the most naive and emotionally susceptible recipients.

Security team impersonation

In this one, cybercriminals spoof an organization’s security administration team with an email telling the recipient that they’ve failed to receive some vital messages because of a storage quota issue. A link in the email asks the user to verify their information in order to resume email delivery.

The link in the email leads to a phony login page hosted on Firebase, Google’s mobile platform for creating apps, hosting files and images, and serving up user-generated content. This link goes through one redirection before landing on the Firebase page, confusing any security product that tries to follow the URL to its final location. As it’s hosted by Google, the parent URL of the page will escape the notice of most security filters.

Pay-slip scam

For this campaign, attackers impersonate an organization’s payroll team with an email sent to employees with pay-slip details. The message contains a link for recipients click to verify that the personal information for their pay slips is correct. The link in the email goes to a page hosted on Google Docs with the aim of tricking both the user and traditional security filters.

Microsoft Teams credential phishing

In this campaign, the phishing email claims to come from an organization’s IT team, asking recipients to review a secure message shared by colleagues using Microsoft Teams. Clicking the link takes users to a page designed to look like a Teams page, which then redirects them to a credential phishing site that resembles the Office 365 login portal.

Behind the scenes, the Office 365 login portal is hosted on Google Sites, a wiki and web page creation tool. This page would pass muster with many people, according to Armorblox, especially on a busy morning when the initial phishing email was actually deployed.

Recommendations

To help you protect yourself and your organization from these types of phishing attacks, Armorblox offers the following four tips:

Follow 2FA and password management best practices. Because all workplace accounts are closely interlinked, losing access to your Google account can be dangerous as cybercriminals can send emails in your name to your customers, partners, and loved ones. If you haven’t already, follow these hygiene best practices. To better secure your account, use two-factor authentication (2FA), store your account passwords with a password manager, and don’t repeat passwords across accounts or use generic passwords.

Subject sensitive emails to rigorous eye tests. Whenever possible, engage with emails related to money and data in a rational manner. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. why is this childless widow willing to send me millions of dollars?).

Create your own lines of authentication. Try to replicate 2FA, even in a loose sense, for any email that makes unusual requests related to money or data. For example, did your HR rep just email you some payroll details with a Google Doc requesting more information urgently? Call or text the HR rep and confirm that they sent the email.

Augment native email threat detection with additional controls. To augment existing email security capabilities (e.g. Exchange Online Protection for Office 365 or the Advanced Protection Program for G Suite), organizations should adopt technologies that take a different approach to threat detection. Rather than searching through static lists and blocking known bad domains, these technologies should learn from custom organizational data and be able to stop socially engineered threats that contain zero-day payloads like Google Forms, Docs, or pages built on Google Sites.