Attackers are using a new technique to exploit Google Docs for phishing attacks, according to researchers at Avanan. The technique relies on the fact that Google Docs renders HTML content uploaded to it, so a Doc served from a docs.google.com link can act as a landing page that forwards the victim to the real phishing page. In one example the researchers describe, the Doc was a custom page that imitated a Google Docs file-share notification.
“This Google Docs page may look familiar to those who share Google Docs outside of their organization,” Avanan says. “This, however, isn’t that page. It’s a custom HTML page made to look like that familiar Google Docs share page. The attacker wants the victim to ‘Click here to download the document’ and once the victim clicks on that link, they will be redirected to the actual malicious phishing website where their credentials will be stolen through another webpage made to look like the Google Login portal.”
The researchers describe a second attack in which the Google Doc itself served as the phishing page: it imitated a DocuSign login page, and a script listener attached to the login form sent whatever the user typed into the password field to an attacker-controlled endpoint.
The links are distributed in phishing emails. Because the email body contains only a link to a docs.google.com address rather than to an attacker-owned site, static link scanners that judge a URL by its domain and reputation let it through; the malicious content only becomes visible when the Doc is rendered or the redirect it triggers is followed. Avanan concludes that more attackers will likely adopt this technique.
“Hackers are bypassing static link scanners by hosting their attacks in publicly known services,” the researchers write. “We have seen this in the past with small services like MailGun, FlipSnack, and Movable Ink but this is the first time we’re seeing it through a major service like Google Drive/Docs.”
Attackers are constantly evolving their tactics to slip past technical defenses. New-school security awareness training can help your employees thwart social engineering attacks.
Avanan has the story.