Phishing scams are as old as the internet—tricking victims into divulging important information about themselves and their accounts. These scams are so common that all of the major email providers have built-in anti-phishing features. Improved email security has forced hackers to get creative when it comes to getting their malicious links to hit the inbox.
However, crafty scammers are now spear phishing with Google Drive’s sharing features to send emails with links to infected documents to their targets. These email notifications include a note and a link asking the victim to click the included link to sign in to their Google account to collaborate on a project or fill out official HR forms.
Much like typical spear-phishing campaigns, Google Drive attackers will create a fake email address to impersonate an individual or department that the target will recognize. But instead of using a low-reputation sending domain that’ll trigger spam filters, they’re using Google’s own infrastructure. As a result, the victim’s mail provider has a much harder time differentiating these emails from legitimate ones sent by trusted sources.
These attacks are targeting individuals and enterprises alike. According to Wired, there have been instances of a single document from a Russian source being copied and edited multiple times in an attempt to lure new victims with each iteration.
Let’s go on a Phishing trip
For the purpose of this spear phishing with Google Drive walkthrough, we will be posing as (fake) Varonis executive Mike T. Kettle to ask an unsuspecting Varonis employee to sign into their employee account to help him with an important project.
When sharing these fake documents, the first step the imposter takes will usually be unchecking the box that sends an email notification.
The reason for this step is that if they notify their target via email, the “from” address in the notification message may tip them off to the ruse. Below you can see the fake email address attached to the notification; any user would recognize it as fake, even setting aside that it comes from a generic Gmail account.
However, more crafty spear-phishers might make their address MikeTKettle@gmail.com (if available) and leave their notifications on, tricking some less savvy users into clicking on the document coming from a familiar name without thinking twice about it being sent from a generic domain rather than an official company domain.
Since the scammers disable the email notification, they will have to leave their hook in the water for a while, as they are banking on users stumbling upon the document the next time they are browsing their Google Drive.
In our example, you can see the fraudulent document has appeared directly in the unsuspecting victim’s “My Drive” and only presents the sender’s name. The suspicious email address is nowhere in sight.
Once users open the shared document, they are presented with a large, tempting blue link claiming to take our Varonis user to an important document from Mike himself, which instead reroutes them to an external site or document.
For this example, “Mike’s” link will take users that click on it to a very convincing spoofed Varonis landing page, asking for login credentials to gain access to the shared document.
Once users click login, the attackers have their credentials saved, and the button then spits them back out to the Varonis homepage (or any page the hacker linked to the login button). Now our victim’s account has been compromised, and the victim is left confused about why they weren’t taken to the important document that Mike needed help editing.
Many off-the-shelf tools, such as Evilginx, help you craft amazing-looking phishing pages… for running phishing simulations, of course.
In real-world examples of this scam, the links included in these forms can take users to a number of different locations depending on the scammers’ end-goal. Users might see a similarly well-crafted fake landing page asking for credentials to log into a familiar service, while others might be directed to a Google form requesting users to fill in a survey, attempting to get users to divulge sensitive details like answers to common security questions.
How to Mitigate Google Drive Phishing Risk
Currently, defending against this scam can be challenging. Google is doing their best to combat this technique, but unlike in Gmail, they have not yet implemented a spam filter directly in Google Drive to catch these documents. Hence, the burden of defense falls on the targeted individuals and organizations.
As with all phishing scams, traditional or otherwise, the first line of defense is education. Educating your organization on the signs of spear phishing with Google Drive sharing is imperative to protecting users and their sensitive information. Users should know not to click suspicious links or enter personal information into anything that didn’t arrive through your organization’s official lines of contact.
Organizations can also take a proactive approach against these scammers by implementing tighter control over which types of external vendors and users can email and share documents with internal users. Filtering your external vendor list down to only trusted vendors will help stop these documents from showing up in users’ Drive folders.
Security teams can set up “allow-lists” in Google that set permissions to only allow specific external contacts to share files and documents with users on your network. But setting up comprehensive allow-lists can be an arduous process that proves challenging to maintain for most. They can adversely affect your business if legitimate external vendors not on your list are trying to contact you only to be filtered out.
Taking these steps to protect your organization is vital to security, but they can only go so far. Implementing third-party threat detection and response software to help secure your environment from threats and monitor your users’ Google Drive accounts can be highly effective when it comes to defending against phishing scams.
Solutions like Polyrize and Varonis can help alert on suspicious activity both on-premises and in the cloud, flagging suspicious documents and email addresses being shared and notifying security teams to take action if anything has been compromised. Suppose a user does, unfortunately, fall for one of these scams and enters their credentials or sensitive information. In that case, Varonis can monitor for unusual behavior on your network and automatically flag this suspicious activity, shutting down user sessions and changing passwords to help mitigate any potential damage done by an attacker.
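The allow-list check above and the “familiar display name, unfamiliar address” pattern from the walkthrough can both be turned into a simple audit over a user’s shared-with-me items. The example below is added here and is not Varonis, Polyrize or Google code; it runs offline over constructed records shaped like Google Drive API v3 `files.list` results (`name`, `sharedWithMe`, `owners[].emailAddress`, `owners[].displayName`), and the internal domain, vendor allow-list and employee directory are assumptions.

```python
# Added example (not the page's or any vendor's code). Flags items shared
# with a user when the sharer is an external domain that is not on the
# allow-list, or when the sharer's display name matches a real employee
# but the address is external (the "Mike T. Kettle" pattern).
from typing import NamedTuple

INTERNAL_DOMAIN = "varonis.com"                       # assumption
ALLOWED_EXTERNAL_DOMAINS = {"trustedvendor.example"}  # assumption: vetted vendors
EMPLOYEE_DIRECTORY = {"mike t. kettle", "jane doe"}   # assumption: real staff names


class Finding(NamedTuple):
    file_name: str
    sharer: str
    reason: str


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def _normalise(name: str) -> str:
    return " ".join(name.lower().split())


def audit_shared_items(files: list) -> list:
    """Return Findings for shared-with-me items from external sharers that
    are either off the allow-list or impersonate an internal employee."""
    findings = []
    for f in files:
        if not f.get("sharedWithMe"):
            continue                       # user's own files are out of scope
        owner = (f.get("owners") or [{}])[0]
        email = owner.get("emailAddress", "")
        display = owner.get("displayName", "")
        dom = _domain(email)
        if dom == INTERNAL_DOMAIN:
            continue                       # internal sharing handled elsewhere
        if dom not in ALLOWED_EXTERNAL_DOMAINS:
            findings.append(Finding(f["name"], email, f"{dom} not on allow-list"))
        if _normalise(display) in EMPLOYEE_DIRECTORY:
            findings.append(Finding(f["name"], email, "impersonates employee"))
    return findings


SAMPLE_FILES = [  # constructed sample, not real Drive data
    {"name": "Q3 HR forms", "sharedWithMe": True,
     "owners": [{"emailAddress": "MikeTKettle@gmail.com", "displayName": "Mike T. Kettle"}]},
    {"name": "Vendor SOW", "sharedWithMe": True,
     "owners": [{"emailAddress": "ap@trustedvendor.example", "displayName": "Accounts"}]},
    {"name": "Team notes", "sharedWithMe": True,
     "owners": [{"emailAddress": "jane.doe@varonis.com", "displayName": "Jane Doe"}]},
    {"name": "My own doc", "sharedWithMe": False, "owners": []},
]

if __name__ == "__main__":
    for fd in audit_shared_items(SAMPLE_FILES):
        print(f"[!] {fd.file_name}: {fd.sharer} -> {fd.reason}")
```

In a real deployment the records would come from the Drive API with the `sharedWithMe` query and the fields listed above, and the two reasons would map to separate alert severities.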
To learn more about how these attacks are carried out in real time, register for one of our Attack-Lab simulations to see our experts walk through common cyberattacks and discuss how to properly defend against these malicious entities.