Phishing Scheme Uses Google Drive to Avoid Security: ReportEmails Disguised as Messages From CEO
A newly identified phishing campaign used Google Drive to help bypass some email security features as attackers attempted to target a company in the energy industry, security firm Cofense reported this week.
To better disguise this spear-phishing campaign, the attackers sent emails under the guise of the firm's CEO, which included the link to a Google Docs file as well as a fake login page, according to Cofense researchers.
The attackers used a tailored-made email that included the company logo, the CEO's name and a previously disseminated business message to make it appear even more authentic, according to the Cofense blog about the attack, which did not identify the company that was targeted.
And while the phishing emails were tailored to get employees to click so that credential-harvesting malware could be downloaded, it's the use of a Google Drive link that allowed the attackers to bypass the security features built into Microsoft Exchange because the link came from an authentic and recognized business service, according to the researchers.
It appears the target company's email body inspection tool did not examine the message past the first link, which then allowed the email to be marked as non-malicious and passed on to employees along with the payload, the researchers note.
"By using an authentic service, this phishing campaign was able to bypass the email security stack, in particular, Microsoft Exchange Online Protection, and make its way to the end user," says Aaron Riley, a Cofense researcher who examined the attack.
Bypassing Security Checks
Over the last several years, Google Drive has emerged as a popular means for attackers to disseminate mass phishing emails because of how difficult it is to block. This makes it easier for attackers to send malicious links within Google Drive, which fails to get detected by security filters, the Cofense researchers note.
And while the researchers recommend network content filtering appliances as a way to help thwart such attacks, the legitimacy granted to Google Drive as a business tool can still permit the phishing emails to pass through due to a failure of email content analysis.
"The legitimacy of Google Drive allows for these phishing campaigns to bypass an organization’s email security stack, namely due to the shortcomings of the email content filtering’s link analysis component," the researchers say.
In the case that Cofense uncovered involving the energy firm, the employees who accessed the Google Drive documents were redirected to an external link with a fake login page, enabling the threat actors to steal their credentials.
The fake landing page was created on August 1, the report notes.
Due to the outdated nature of the message of the phishing email and the nonrelevance of that message to some of the recipients, however, Cofense researchers found that attackers were not successful in targeting a large number of employees.
It's not clear who the attackers behind this particular campaign are, or why the decided to specifically target this company, the researchers note.
A Growing Threat
These types of spear-phishing or email account takeover attacks are on the rise, with cybercriminals using compromised accounts to laterally send emails across an enterprise or even to outside vendors who do business with the victim company, according to new research from Barracuda Networks.
In the Barracuda report, which surveyed 100 businesses, the researchers found that one in seven experienced these types of lateral phishing attacks within the last seven months.
"Because attackers control a legitimate account in an email account takeover attack, they could mine the hijacked account’s emails to craft custom and highly personalized messages," according to the Barracuda report.
Phishing attacks are being used against an array of targets, including those in the banking and credit card industry.
In July, Cofense disclosed a phishing campaign that used fake URLs to target American Express card users. The attackers sent a hyperlink as part of a phony account update to access the victims’ credentials and other account details (see: Phishing Scheme Targets Amex Cardholders).