Hackers exploit Google Docs in new phishing campaign


Attackers take advantage of Google Docs’ commenting function to send emails containing malicious links, Avanan explains.


One of the favorite tactics of cybercriminals is to exploit legitimate products for illegitimate ends. And the more popular the product, the greater the chances of success. A new report released Thursday by email security provider Avanan examines a new phishing campaign that abuses a popular feature in Google Docs to deploy malicious emails.


To help people collaborate on the same documents, Google Docs offers a commenting feature. When adding a comment to a document, you can include the email address of a person to whom you want to assign a related task. This action then triggers an email to the affected person.

In this particularly sneaky campaign, attackers add a comment to a Google document and then mention the target by typing the @ symbol followed by an email address. The full comment, however, contains a malicious link; if the recipient follows it from the notification email, it leads to a malware infection.

Discovered by Avanan in December 2021, the attacks primarily hit Microsoft Outlook users but also reached recipients on other messaging platforms. So far, over 500 inboxes have been targeted in 30 different organizations, with hackers using over 100 different Gmail accounts.

This type of phishing campaign can squeeze past traditional security defenses and scrutiny for a few key reasons.

First, the email itself is from a legitimate Google service, so it’s likely to escape detection and be trusted by users at first glance.

Second, the email only contains the attacker’s display name and not their email address, which means spam filters may not catch them. And because the hacker can spoof the name of a trusted colleague or contact, the recipient could more easily fall into the scam’s trap.

Third, the victim doesn’t even need to access the document because the malicious payload is contained only in the email. The attacker doesn’t even have to share the document, as just mentioning the recipient’s email address in the comment will do the trick.

Avanan said it notified Google of the exploit on January 3 via the Report Email Phishing button in Gmail. In the meantime, users should stay on the lookout for this attack. To help people protect themselves from this scam, Avanan offers the following tips:

  1. Before clicking on a Google Docs comment in an email, cross-reference the email address in the comment itself to make sure it’s legitimate.
  2. Keep in mind common cyber hygiene habits, such as scrutinizing links and checking for grammatical errors.
  3. If you’re suspicious of a particular Google Docs comment email, contact the actual sender to see if they sent you the comment.
  4. Make sure that you and your organization are using strong security protection, especially for file sharing and collaboration services.
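The evasion reasons above and tip 1 both come down to one defender-side check: a genuine Google Docs comment notification that carries a link to a non-Google host is the pattern to flag. The following Python is an added example, not Avanan's or Google's code; the sender address, the trusted-host list and the sample message are constructed assumptions for illustration.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumed sender address of Google Docs comment notifications.
NOTIFICATION_SENDER = "comments-noreply@docs.google.com"
# Hosts a legitimate notification is expected to link to (assumption; tune to your tenant).
TRUSTED_LINK_HOSTS = {"docs.google.com", "drive.google.com", "google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: a notification whose comment smuggles an external link.
SAMPLE_EMAIL = """\
From: "Jane Doe (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.org
Subject: Jane Doe mentioned you in Q1 budget
Content-Type: text/plain; charset="utf-8"

Jane Doe mentioned you in a comment:
@victim@example.org please review the updated file here:
http://invoice-review.example/doc/1234
Open the document: https://docs.google.com/document/d/CONSTRUCTED_ID/edit
"""

def host_is_trusted(url: str) -> bool:
    """True only for an exact trusted host or a subdomain of one (not a look-alike suffix)."""
    host = (urlparse(url).hostname or "").lower()
    return host in TRUSTED_LINK_HOSTS or any(host.endswith("." + t) for t in TRUSTED_LINK_HOSTS)

def analyse_comment_notification(raw: str) -> dict:
    """Return display name, untrusted links and a verdict for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = email.utils.parseaddr(str(msg["From"]))
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    untrusted = sorted({u for u in URL_RE.findall(body) if not host_is_trusted(u)})
    is_notification = addr.lower() == NOTIFICATION_SENDER
    return {
        "display_name": display_name,      # only a name is shown; the sender is Google
        "is_docs_notification": is_notification,
        "untrusted_links": untrusted,
        # Legitimate Google sender + link to a foreign host = the campaign's signature.
        "suspicious": is_notification and bool(untrusted),
    }

if __name__ == "__main__":
    print(analyse_comment_notification(SAMPLE_EMAIL))
```

Flagged messages can be quarantined or have their links rewritten; the display name alone should never be used to decide trust, since the article notes it is attacker-controlled.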
