Free Google Services Abused in Phishing Campaigns

Several phishing campaigns have been identified that are using free Google services to bypass email security gateways and ensure malicious messages are delivered to inboxes.

Phishing emails often include hyperlinks that direct users to websites hosting phishing forms that harvest credentials. Email security gateways use a variety of methods to detect these malicious hyperlinks, including blacklists of known malicious websites, scoring of domains, and visiting the links to analyze the content on the destination website. If the links are determined to be suspicious or malicious, the emails are quarantined or rejected. However, by using links to legitimate Google services, phishers are managing to bypass these security measures and ensure their messages are delivered.

The use of Google services by phishers is nothing new; however, security researchers at Arborblox have identified an uptick in this activity that has coincided with increased adoption of remote working. The researchers identified 5 campaigns abusing free Google services such as Google Forms, Google Drive, Google Sites, and Google Docs.  It is not just Google services that are being abused, as campaigns have been detected that abuse other free cloud services such as Microsoft OneDrive, Dropbox, Webflow, SendGrid, and Amazon Simple Email Service.

One of the campaigns impersonated American Express, with the initial message requesting account validation as the user was found to have missed information when validating their card. The emails direct the user to a phishing page created using Google Forms. The form includes the official American Express logo and a short questionnaire requesting information that can be used by the attackers to gain access to their credit card account – login information, phone number, card number and security code, and security questions and answers.

Since the link in the email directs the user to Google Forms – a legitimate Google domain and service – it is unlikely that an email security gateway would identify the URL as malicious. “Google’s domain is inherently trustworthy and Google forms are used for several legitimate reasons, no email security filter would realistically block this link on day zero,” explained the Armorblox researchers.

Another campaign used Google Forms in a classic phishing lure. The emails appear to have been sent by a childless widow who has been diagnosed with terminal cancer. She is looking to donate her fortune to good causes, with the recipient of the message told that the widow would like them to make donations to good causes on her behalf. The hyperlink directs the user to an untitled Google Form. Should anyone proceed and submit an answer to the untitled question, they will be shortlisted for further extortion attempts.

A campaign was detected that used a fake email login page hosted on Google’s Firebase mobile platform, which is used to create apps, files, and images. The emails in this campaign impersonate the security team and claim important emails have not been delivered due to the email storage quota being exceeded. The campaign targets email login credentials. The link to the Firebase would be unlikely to be identified as malicious since it is a legitimate cloud storage repository.

Google Docs has also been abused in a campaign in which the payroll team is impersonated, with the Google Docs document containing a link to a phishing page where sensitive information is harvested. Since the initial link is to a legitimate and commonly used Google service, it is unlikely to be blocked by email security solutions. While some email solutions would be able to identify the malicious link in the Google-hosted document, various redirects are used to obfuscate the malicious link.

A campaign was also identified that impersonated the user’s IT department security team and Microsoft Teams, using a fake Microsoft login page hosted on Google Sites. Google Sites is a legitimate service that allows individuals to easily create webpages, but in this case has been used to create a webpage hosting a phishing form, complete with the genuine Microsoft logo.

Campaigns abusing trust in Google Docs have also been identified by researchers at Area 1 Security. The messages in that campaign impersonated the HR department and claimed the recipient had been terminated, with the Google Docs document providing details of the termination and severance pay. The document contains a malicious macro that, if allowed to run, will download the Bazar Backdoor and Buer loader malware. IRONSCALES also recently reported that around half of all sophisticated phishing campaigns were successfully bypassing the leading email security gateways.

The campaigns range from highly targeted attacks on specific groups of individuals, such as HR and payroll departments, to untargeted large-scale ‘spray and pray’ campaigns to obtain as many credentials as possible, using more general lures.

These campaigns highlight the need for advanced security solutions that are capable of identifying and blocking phishing emails that abuse legitimate cloud services and the need for ongoing security awareness training for employees to help them identify phishing emails that evade detection by their organization’s cybersecurity defenses.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.