
Scammers still using Google Drive for Phishing attacks

May 23, 2014
Cybercrime, Google Drive, IT Leadership

For the second time in as many months, scammers have unleashed another Phishing scam leveraging Google Drive.

Researchers at Symantec have discovered another Phishing campaign using Google Drive, one that mirrors a similar attack from two months ago.

The technical aspects are so familiar that Symantec’s team suspects the same group is behind this latest incident – or, at the very least, that the criminals are using the same Phishing kit.

This most recent attack uses the Google Drive service itself, which undermines the traditional anti-Phishing measures usually taught in user awareness training. When the victim is finally presented with the malicious page, it’s delivered via SSL and uses the Google Drive domain, killing any hope that a passive visual inspection of the URL will raise red flags.

What the victim sees when they access the page is a near-perfect mirror of Google’s log-in screen. The screenshot below is an example, provided by Symantec.

[Image: symantec phishing 1a]

“Most phishing mitigation focuses on visually inspecting the URL to make sure the connection is secure. And this is good advice, but this does not help prevent against this specific attack. As in the past, the attacker’s phishing message uses the simple subject of ‘Documents’ and contains a URL pointing to a phishing page hosted on the Google Drive file storage and synchronization service,” Symantec’s Nick Johnston explains in a blog post.

However, there is one item that stands out in this scam, and it’s located in the language bar presented at the bottom of the fake Google log-in screen. On closer examination, the language selection bar is clearly corrupted, which could be a problem with the Phishing script itself.

[Image: symantec phishing 2a]

Again, aside from this one glitch, the rest of the page is a near-perfect mirror of Google’s own authentication portal. The problem is, most users are unlikely to notice the flawed language selection, or they’ll simply assume it is a bug.

Once the credentials are submitted, the script will redirect the victim to a document hosted on Google Drive.

Symantec says this latest scam poses significant risk, as smartphones are often sold with premium Google Drive accounts pre-installed, which means that more and more users are being hooked into the service.

This is in addition to the millions of Google users, each of whom has Google Drive enabled. If a person falls for this scheme, then all of their Google services have been compromised.

Thus, aside from the normal awareness training and protections, it’s wise to take advantage of Google’s account protections, including two-factor authentication.

In addition to Phishing, Symantec says this scheme is being used to deliver malware as well:

“Static HTML pages on Google Drive are also being used to redirect to malware. In these cases, a very small HTML file (under 100 bytes) uses JavaScript to redirect victims to a shortened URL (using SSL, perhaps to give a false sense of security). The shortened URL finally redirects to a compromised Brazilian website hosting a Trojan.”
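The redirect chain quoted above (a tiny HTML file whose only content is a JavaScript hop to an HTTPS shortened URL) is easy to triage automatically. The following Python is an added example written for this article, not Symantec’s or Google’s code; the sample pages and the shortener host list are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages for the demo (not from the article or Symantec).
SAMPLES = {
    "tiny_redirect.html": b'<script>location.href="https://bit.ly/xyzzy"</script>',
    "legit_redirect.html": (
        b"<html><head><title>Moved</title></head><body><p>This page has moved; "
        b"you will be redirected to the new location shortly.</p>"
        b'<script>location.href="https://intranet.example/new-home"</script></body></html>'
    ),
    "normal.html": b"<html><body><h1>Quarterly report</h1><p>See attached.</p></body></html>",
}

# Assumed list of URL-shortener hosts; extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
TINY_PAGE_BYTES = 100  # threshold taken from the "under 100 bytes" description

# JavaScript redirect idioms: location = "...", location.href = "...", location.replace("...")
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*["']([^"']+)["']""",
    re.IGNORECASE,
)

def analyse_page(html: bytes) -> dict:
    """Return the indicators found in one HTML page plus an overall verdict."""
    text = html.decode("utf-8", errors="replace")
    match = JS_REDIRECT_RE.search(text)
    target = match.group(1) if match else None
    host = urlparse(target).hostname if target else None
    indicators = {
        "target": target,
        "tiny_page": len(html) < TINY_PAGE_BYTES,
        "js_redirect": target is not None,
        "shortener_target": host in SHORTENER_HOSTS,
        "https_target": target is not None and target.lower().startswith("https://"),
    }
    # A page whose only job is a JavaScript hop (to a shortener, or with no other
    # content) matches the delivery chain described above; size alone never flags.
    indicators["suspicious"] = indicators["js_redirect"] and (
        indicators["shortener_target"] or indicators["tiny_page"]
    )
    return indicators

def triage(pages: dict) -> list:
    """Names of the pages that match the redirect-to-shortener pattern."""
    return [name for name, html in pages.items() if analyse_page(html)["suspicious"]]

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, analyse_page(html))
```

The benign redirect page is not flagged because it carries real content and points at a non-shortener host; the short but static page is not flagged because it contains no redirect at all.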

Earlier this month, Salted Hash reported on an uptick in Phishing attacks that seek multiple sets of credentials, including websites that allow the victim to select between Yahoo, AOL, Windows Live, Gmail, or any other account.

This is in addition to the attacks on shared hosting providers, and the Phishing attacks that are initiated via residential networks.