A number of phishing campaigns were discovered that are employing free Google services to get around email security gateways and make sure the deliverability of malicious messages to inboxes.
Phishing emails frequently consist of hyperlinks that lead users to web pages hosting forms that collect login information. Email security gateways utilize various ways to identify these malicious links, such as blacklists of identified malicious sites, rating of domains, and checking the links to assess the information on the destination site. When the links are found to be malicious or suspicious, the emails are rejected. But by utilizing links to legit Google services, phishers are able to get around these security tools and deliver their emails.
Phishers using Google services are not new; nevertheless, Arborblox security analysts have seen an increase in this activity with the increase of remote working. The researchers discovered 5 campaigns using free Google services like Google Drive, Google Forms, Google Docs and Google Sites. Phishers are not only using Google services. Other free cloud services like Dropbox, Webflow, Amazon Simple Email Service, Microsoft OneDrive and SendGrid are being used as well.
One campaign imitated American Express, with the preliminary message asking the user to validate his account for missing some information during card validation. The emails tell the user to go a phishing page designed with Google Forms. The form contains the official logo of American Express and a brief questionnaire asking for information that the attackers can use to get access to the user’s credit card account – login details, telephone number, credit card number and security code, as well as security questions and responses. Because the hyperlink in the email redirects the user to Google Forms – a legit Google domain and service, it is likely that the email security gateway won’t identify the hyperlink as malicious.
Another campaign using Google Forms sent emails that seem to have been from a childless widow with a terminal cancer diagnosis. She says that she is seeking to donate her wealth to charity and tells the recipient to make donations to charity on her behalf. The URL in the email directs the recipient to an untitled Google Form. Anyone who submits a response will be shortlisted for more extortion attempts.
A campaign was identified that utilized a bogus email login page on Google’s Firebase mobile platform. The emails in this campaign imitate the security team and state that important messages were not delivered because of exceeding the email storage quota. The campaign is seeking to collect email login credentials. Because Firebase is a legit cloud storage database, it is unlikely that a Firebase link will be tagged as malicious.
There was also a campaign using Google Docs that impersonated the payroll team. The Google Docs document included a hyperlink to a phishing page that harvested sensitive information. Since the first link is of a legit and frequently used Google service, email security solutions are not likely to block the email. Although a few email solutions could recognize the malicious hyperlink in the Google-hosted document, different redirects are employed to muddle the malicious hyperlink.
Another campaign using a phony Microsoft login page built on Google Sites impersonated Microsoft Teams and the user’s IT department security team. In this case, Google Sites was used to build a webpage with a phishing form and the official Microsoft logo.
These campaigns emphasize the necessity of advanced security solutions that could identify and stop phishing emails that take advantage of legit cloud services and the necessity of giving employees continuous security awareness training to help them recognize phishing emails that elude detection by the cybersecurity defenses of their companies.