In a Nutshell

Our system has been identifying phishing campaigns on an hourly basis. In this blog, we will show how attackers take their creativeness to the next level, by leveraging Google services in order to orchestrate new types of phishing attacks. 

The trend described below is comprised of two new techniques: 

  • Leveraging Google APIs and Google Sites as the hosts of phishing attacks
  • Smartly designed phishing attacks using Google Docs and Google Forms

Explanation

Perception Point identified this new trend with our advanced email traffic analysis along with data gathered by our Incident Response and Research teams. We spotted this new type of attack across all of our customers, with over 100 attacks successfully intercepted in the last 7 days.

The examples provided below are only a few of many phishing campaigns we have seen targeting our customers and their key employees. 

  • “Google as the Host”:
    In this example, we can see how attackers use Google APIs service for hosting phishing sites. 
The cover email along with spoofing the domain’s customer 

In the email above we can see how the attacker disguises himself as a Microsoft admin. This “innocent” email is actually a call for action, asking the targeted user to release emails, supposedly blocked by the email security system. However, this is a false email. Once the user clicks on the URL, the following phishing site is shown:

As you can see in the highlighted artifact in the picture, the attack is using the domain of Google APIs. Essentially, the attacker hosts the malicious URL on the Google APIs service. This technique creates a problem for most email security systems which tend to whitelist Google services, therefore, letting the attack to slip through.  

Another example of this technique is the use of the Google Sites service. In the example below, we can see a well-designed phishing site on which is using the “google.com” domain. This attack is again very hard to detect as both the hostname of the site is reputable and the quality of the phishing look-and-feel is very high.

  • Google is the “phisher”: In this case, the attacker turns Google into a phishing site. The attackers are now using Google Forms – a great tool to survey people and employees – to be actually a form for asking for user names and passwords. Again, since it is based on a legitimate concept, this attack can bypass the vast majority of email security vendors very easily. At this example, notice how the attacker creates a fake Office 365 log-in page in Google Forms and tricks the users to enter their credentials. The real interesting part is that Google is indeed aware of this threat and specifically mentions that users should “never submit passwords through Google Forms”. However, in real life, most people don’t notice this warning and are giving away their credentials to malicious actors.

Recommendations for CISOs

  1. Train your employees – Educate your employees on new types of phishing and provide them with tools to identify hoe attackers work.
  2. Adopt solutions with an automated update mechanism – Since attackers always evolve and improve, we need to use technological solutions that constantly update and improve. Perception Point combines its cloud structure to update and improve its algorithms at least once in a week. In addition, we use the Incident Response team to research attacks in the wild, even before reaching to our system.
  3. Dynamic scanning – Active scanning capabilities are key to preventing zero-day phishing attacks. Adopt solutions that can dynamically scan 100% of email traffic.