[BreachExchange] Threat Actors Use Google Docs to Host Phishing Attacks
Sophia Kingsbury
sophia.kingsbury at riskbasedsecurity.com
Thu Jun 17 11:53:41 EDT 2021
https://threatpost.com/google-docs-host-attack/166998/
Threat actors are exploiting Google Docs by hosting their attacks within
the web-based document service in a new phishing campaign that delivers
malicious links aimed at stealing victims’ credentials.
Researchers at email and collaboration security firm Avanan discovered the
campaign, which they said is the first time they have seen attackers use this
type of exploit in Google’s hosted document service, according to a report
published Thursday by Jeremy Fuchs, marketing content manager for Avanan.
By hosting attacks in this way, attackers can bypass link scanners and
evade detection from common security protections that aim to verify that
links sent via email are legitimate. Previously, attackers have used the
attack vector in smaller services such as MailGun, FlipSnack, and Movable
Ink, according to Avanan.
Attack Vector
The attack begins with an email that includes a message that could be
relevant to business users who commonly use Google Docs within their
corporate environment. In the example shown in the report, the message
claims the link contains a set of “new rules for June 25.”
If a user clicks on the link, the page appears familiar to anyone using
Google Docs to share documents outside the organization, Fuchs said.
“This, however, isn’t that page,” he wrote. “It’s a custom HTML page made
to look like that familiar Google Docs share page.”
Once redirected, potential victims are asked to “click here” to download
the document. If a user clicks, the page redirects to the actual malicious
phishing website, which steals the victim’s credentials using another web
page made to look like the Google Login portal but which is actually hosted
from a URL clearly not affiliated with the tech giant.
Attack Hosted by Google
The trick to creating the attack vector is that the heavy lifting of the
campaign is done by Google Docs, making it “quite simple to execute,” Fuchs
explained.
First an attacker would write a web page that resembles a Google Docs
sharing page, and then upload that HTML file to Google Drive. Once the file
is scanned, Google renders the HTML into a preview page that looks very
much like a typical Google Docs page.
An attacker then can right-click on the uploaded file and open it in Google
Docs, which is where the simple yet integral aspect of the attack takes
place, Fuchs wrote.
“This is the clever bit because if you simply click ‘Get link’ you would
only see the source code of the file, not the rendered version,” he wrote.
However, by manipulating Google Docs, attackers are able to successfully
render the malicious page rather than deliver a page with just source code
to a potential victim, which would not be effective.
Final Deployment
Researchers must take one more step to have the file render in a way that a
victim will recognize by selecting “Publish to the Web” from the Google
Docs “File” dropdown menu.
Then, by hitting “Embed” and “Publish,” Google provides embed tags that are
meant to be used on its own forums to render custom content but which the
attacker can use—minus the iframe tags—to save the malicious link intended
to be sent via the phishing campaign.
“This link will now render the full HTML file as intended by the attacker
and it will also contain the redirect hyperlink to the actual malicious
website,” Fuchs explained.
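A defender-side triage check for the chain described above (published Google Docs page → “click here” → off-Google credential page), added here as an example and not part of the article or Avanan’s report. It assumes that “Publish to the web” links take the shape docs.google.com/document/d/e/<id>/pub (an assumption, not stated in the article) and runs on constructed sample input:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (not from the article): 'Publish to the web' links look like
# docs.google.com/document/d/e/<id>/pub, optionally with ?embedded=true.
PUB_RE = re.compile(r"https?://docs\.google\.com/document/d/e/[\w-]+/pub\S*", re.I)

def published_doc_links(email_body: str) -> list:
    """Return every 'Publish to the web' link found in an inbound email body."""
    return PUB_RE.findall(email_body)

def is_google_host(url: str) -> bool:
    """True only for google.com itself or a real subdomain, never a lookalike."""
    host = (urlparse(url).hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")

class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags from the rendered published page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def outbound_links(page_html: str) -> list:
    """Hyperlinks in the published doc that lead off Google-owned hosts."""
    parser = _LinkCollector()
    parser.feed(page_html)
    return [h for h in parser.hrefs if h.startswith("http") and not is_google_host(h)]

def triage(email_body: str, fetched_pages: dict) -> list:
    """One finding per published-doc link: the off-Google targets it carries.
    fetched_pages maps link -> HTML the analyst retrieved in a sandbox."""
    findings = []
    for link in published_doc_links(email_body):
        ext = outbound_links(fetched_pages.get(link, ""))
        findings.append({"link": link, "external_targets": ext, "suspicious": bool(ext)})
    return findings

# Constructed sample input: a lure in the article's style and the page it points to.
SAMPLE_EMAIL = ("Please read the new rules for June 25: "
                "https://docs.google.com/document/d/e/EXAMPLE-ID-NOT-REAL/pub?embedded=true")
SAMPLE_PAGE = ('<p>Someone shared a document with you</p>'
               '<a href="https://accounts.google.com.verify-example.invalid/signin">click here</a>')

if __name__ == "__main__":
    for f in triage(SAMPLE_EMAIL, {published_doc_links(SAMPLE_EMAIL)[0]: SAMPLE_PAGE}):
        print("SUSPICIOUS" if f["suspicious"] else "clean", f["link"], f["external_targets"])
```

Ordinary share links (`/document/d/<id>/edit` or `/view`) do not match, so the check singles out the published-to-web form the article describes rather than everyday Google Docs sharing.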
Avanan researchers also spotted the same attack method being used by threat
actors to spoof a DocuSign phishing email, he added. In this case, the
“View Document” button was a published Google Docs link that actually was a
fake DocuSign login page that would transmit the entered password to an
attacker-controlled server via a “Log In” button, Fuchs wrote.