Cyberattackers are now exploiting newly rebranded Google Workspace tools in various phishing campaigns. These include free productivity tools and services like Gmail, Google Meet, and Google Docs, which are being used to launch phishing campaigns that steal users' credentials or install malware.
Google offers these free services and software so that students, teachers, consumers, enterprises, and other users can create online forms, spreadsheets, and documents. Google account holders also use these tools to conduct surveys, share documents, or even create free websites.
Armorblox: Cybercriminals now target Google Workspace tools and services
Security firm Armorblox published a new report claiming Google's open system provides numerous opportunities for cybercriminals to trick organizations and launch fraudulent activities like stealing data or installing malware, according to TechRadar. The company listed five phishing campaigns that use different Google services.
Armorblox Cofounder and Head of Engineering Arjun Sambamoorthy explained that their threat research team has seen a sharp increase in attackers abusing Google services to get emails past binary security filters that rely on URLs or keywords. Sambamoorthy noted that these attacks are just "the tip of a deep iceberg," impacting tens of thousands of mailboxes across Armorblox's customer systems.
5 phishing campaigns exploiting Google services
Armorblox identified five phishing campaigns that use various free Google services. Because Google tools such as Google Docs and Forms are widely used by authorities and legitimate businesses, they are also becoming more popular among cybercriminals, since they lend a sense of credibility to phishing attacks.
1. Microsoft Teams Credential Phishing
The emails sent for this phishing campaign claimed to come from the Microsoft IT team and asked users to review a file shared by colleagues over Microsoft Teams. Once users click the link, they are taken to a page that resembles the Microsoft Teams and Office 365 login portal, where their credentials are captured. The fake Office 365 login portal is hosted on Google Sites.
2. Security Team Impersonation
The email claims to come from an organization's security administrator team and advises readers that some vital emails were not received due to a storage quota issue. Readers are asked to click the link in the body to verify their data and resume delivery of emails. However, the link leads to a fake login page hosted on Google's mobile platform, Firebase, which prevents security firewalls from blocking the page's URL.
3. Payslip Scam
Cybercriminals imitating a company's payroll team send payslip details by email, with a link where readers can confirm whether their personal information is accurate. The email link includes a time-bound request, which adds urgency so readers click without hesitation. This phishing campaign uses Google Docs.
4. Benefactor Scam Reconnaissance
In this scam, cyber attackers claim to be a childless widow who wants to share her money. Those who are interested may click the link or send a reply. The link only leads to a Google form with a question and an answer option. While many people will be suspicious of the email, others will eventually submit the form or send a reply, allowing attackers to shortlist the people they send follow-up emails to.
5. American Express Credential Phishing
Another email impersonates American Express Customer Care and gives a link where readers can provide their information to validate their card. The link leads to a page hosted on a Google form showing American Express branding, in which readers enter their American Express card details, login credentials, and mother's maiden name, which is a common security question.
Since Google and its services are inherently trustworthy and used for legitimate reasons, security filters would not block the links used in these phishing campaigns. The best protection now falls on individuals, who need to be cautious with all emails, particularly the links they include.
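Because the link domain alone carries no signal in these campaigns, a mail filter can instead compare who the message claims to be with where its link is hosted. The sketch below is an added example, not code from Armorblox or the report; the hostname list, keyword patterns, and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hostnames where Google serves user-created content.
USER_CONTENT_HOSTS = {
    "sites.google.com": "Google Sites",
    "docs.google.com": "Google Docs/Forms",
    "forms.gle": "Google Forms",
    "firebasestorage.googleapis.com": "Firebase",
}
USER_CONTENT_SUFFIXES = {".web.app": "Firebase", ".firebaseapp.com": "Firebase"}

# Assumption: keyword patterns for the identities the lures claim.
CLAIMED_IDENTITIES = {
    "Microsoft": re.compile(r"\bmicrosoft\b|office\s*365|\bteams\b", re.I),
    "American Express": re.compile(r"american express|\bamex\b", re.I),
    "IT/security team": re.compile(r"security (admin\w*|team)|storage quota", re.I),
    "Payroll": re.compile(r"payroll|payslip", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def hosting_service(url):
    """Return the Google service name if the URL is user-created content."""
    host = (urlparse(url).hostname or "").lower()
    if host in USER_CONTENT_HOSTS:
        return USER_CONTENT_HOSTS[host]
    for suffix, name in USER_CONTENT_SUFFIXES.items():
        if host.endswith(suffix):
            return name
    return None

def triage(display_name, subject, body):
    """Flag links where the claimed identity and the hosting service mismatch."""
    text = " ".join((display_name, subject, body))
    claims = sorted(n for n, rx in CLAIMED_IDENTITIES.items() if rx.search(text))
    findings = []
    for url in URL_RE.findall(body):
        service = hosting_service(url)
        if service and claims:
            findings.append({"url": url, "hosted_on": service, "claims": claims})
    return findings

# Constructed sample messages (placeholder URLs, not taken from the report).
SAMPLES = [
    ("Microsoft Teams", "A colleague shared a file", "Review: https://sites.google.com/view/EXAMPLE"),
    ("Security Admin Team", "Storage quota exceeded", "Verify: https://example-project.web.app/login"),
    ("Alice", "Q3 planning doc", "Draft: https://docs.google.com/document/d/EXAMPLE/edit"),
]
for s in SAMPLES:
    print(s[0], "->", triage(*s))
```

A finding is a triage signal rather than a verdict: a payroll team that really shares Google Docs will also match, so route hits to review or combine them with sender authentication results.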
This is owned by Tech Times
Written by CJ Robles