July 30, 2015 By Douglas Bonderud 3 min read

In March of 2014, cybercriminals ran a campaign of Google Drive phishing attacks designed to grab user credentials and gain complete account access. According to Threatpost, researchers at Elastica Cloud Threat Labs have discovered a new effort with eerily similar traits but one significant update: Additional code is now being used to obfuscate the attempted theft. Here’s a quick rundown of the newest Google threat.

Seems Legitimate

With their new effort, attackers hope to trick users into clicking on a provided Google Drive link and enter their login credentials. But how are savvy users getting taken in by this kind of scam? It has to do with Drive itself. While most people use the service to store spreadsheets, photos and text documents, it’s also possible to host entire websites or single Web pages.

As noted by CSO Online, that’s the bait and switch: Drive is used to host a simple Web page that looks like the Google account login screen and asks for user credentials. Extra code is used to obfuscate JavaScript on the page, which collects login credentials and then forwards them to another website.

From the user perspective, everything seems above board. First, they receive an email saying a trusted contact or unknown entity wants to share a Drive document with them. Clicking the link takes them to a fake Google login page — but one that’s actually hosted by Google Drive itself. What’s more, the page also uses Google’s HTTPS and SLL certificate, making it almost impossible to distinguish from the real thing. Once users enter their username and password, they’re redirected to a PDF document, making the entire scam appear legitimate. Account login information, however, is long gone.

According to Aditya K. Sood of Elastica Cloud Threat Labs, there are a few telltale signs that the attack isn’t a legitimate sharing request. First is the header on the fake Drive page, which reads “Google Drive. One Storage.” What it should say is “One account. All of Google.” In addition, the fake page isn’t set up to actually check credentials; it simply sends them along to another server. This means that if users enter the wrong login and password, they’ll still be taken to off-site PDF documents. Finally, there’s a “Create an Account” link that simply reloads the current page.

Phishing Attacks in a Big Pond

While Sood and her colleagues immediately brought the phishing attacks to Google’s attention, this form of compromise continues to be a popular attack vector. According to Firstpost, for example, phishing attacks triggered a “massive surge in DNS threats” through Q2 of 2015, hitting a record high of 133 on the Infoblox DNS Threat Index during the quarter, almost tripling the score of Q2 2014.

While agencies are doing their best to combat phishing scams, many aren’t even sure what they’re looking for. After the recent U.S. Office of Personnel Management (OPM) breach in April, for example, the U.S. Army flagged an email from identity protection firm CSID as a phishing attempt even though the company was employed by OPM to offer affected workers their services. While the email did share some traits of classic phishing scams — such as a dot-com address instead of dot-gov, as would be expected, a link that asks for personal information and clickable “Enroll Now” button — a quick look at the OPM’s official website would have cleared up any confusion.

There’s a massive pool of users leveraging countless secure and not-so-secure online services, giving malicious actors the ability to pick and choose what type they’ll reel in on any given day. As user knowledge increases, however, cybercriminals are turning to obfuscation and subtle misdirection to gain access — to the point that even large-scale government agencies can’t tell the difference. Best bet? Assume there’s a hook at the end of every unsolicited email — it’s never worth the risky bite.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today