July 30, 2015 By Douglas Bonderud 3 min read

In March of 2014, cybercriminals ran a campaign of Google Drive phishing attacks designed to grab user credentials and gain complete account access. According to Threatpost, researchers at Elastica Cloud Threat Labs have discovered a new effort with eerily similar traits but one significant update: Additional code is now being used to obfuscate the attempted theft. Here’s a quick rundown of the newest Google threat.

Seems Legitimate

With their new effort, attackers hope to trick users into clicking on a provided Google Drive link and enter their login credentials. But how are savvy users getting taken in by this kind of scam? It has to do with Drive itself. While most people use the service to store spreadsheets, photos and text documents, it’s also possible to host entire websites or single Web pages.

As noted by CSO Online, that’s the bait and switch: Drive is used to host a simple Web page that looks like the Google account login screen and asks for user credentials. Extra code is used to obfuscate JavaScript on the page, which collects login credentials and then forwards them to another website.

From the user perspective, everything seems above board. First, they receive an email saying a trusted contact or unknown entity wants to share a Drive document with them. Clicking the link takes them to a fake Google login page — but one that’s actually hosted by Google Drive itself. What’s more, the page also uses Google’s HTTPS and SLL certificate, making it almost impossible to distinguish from the real thing. Once users enter their username and password, they’re redirected to a PDF document, making the entire scam appear legitimate. Account login information, however, is long gone.

According to Aditya K. Sood of Elastica Cloud Threat Labs, there are a few telltale signs that the attack isn’t a legitimate sharing request. First is the header on the fake Drive page, which reads “Google Drive. One Storage.” What it should say is “One account. All of Google.” In addition, the fake page isn’t set up to actually check credentials; it simply sends them along to another server. This means that if users enter the wrong login and password, they’ll still be taken to off-site PDF documents. Finally, there’s a “Create an Account” link that simply reloads the current page.

Phishing Attacks in a Big Pond

While Sood and her colleagues immediately brought the phishing attacks to Google’s attention, this form of compromise continues to be a popular attack vector. According to Firstpost, for example, phishing attacks triggered a “massive surge in DNS threats” through Q2 of 2015, hitting a record high of 133 on the Infoblox DNS Threat Index during the quarter, almost tripling the score of Q2 2014.

While agencies are doing their best to combat phishing scams, many aren’t even sure what they’re looking for. After the recent U.S. Office of Personnel Management (OPM) breach in April, for example, the U.S. Army flagged an email from identity protection firm CSID as a phishing attempt even though the company was employed by OPM to offer affected workers their services. While the email did share some traits of classic phishing scams — such as a dot-com address instead of dot-gov, as would be expected, a link that asks for personal information and clickable “Enroll Now” button — a quick look at the OPM’s official website would have cleared up any confusion.

There’s a massive pool of users leveraging countless secure and not-so-secure online services, giving malicious actors the ability to pick and choose what type they’ll reel in on any given day. As user knowledge increases, however, cybercriminals are turning to obfuscation and subtle misdirection to gain access — to the point that even large-scale government agencies can’t tell the difference. Best bet? Assume there’s a hook at the end of every unsolicited email — it’s never worth the risky bite.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today