Google Docs, Google Slides and Google Looker Studio users, beware of this wave of phishing


Alexander Boero

September 06, 2023 at 5:00 p.m.

Google Looker Studio © Tada Images / Shutterstock.com

Hackers have managed to use several Google tools, including Docs and Slides, to carry out advanced phishing attempts. Check Point alerted the American giant.

Today, millions of people use products from the Google Looker family, formerly Data Studio. The tool, which lets you create free reports based on data from multiple sources (Sheets, YouTube, Docs, Slides, Analytics, Ads, MySQL and others), is unfortunately increasingly used to launch sophisticated phishing campaigns. How do hackers do it?

A well-honed process for stealing your credentials

Over the past few weeks, security teams at Check Point Software Technologies have identified more than a hundred attacks involving Google Looker Studio, Google Docs (already the victim of various phishing campaigns) and Google Slides. The tool that converts your slideshows, spreadsheets and more into visualized data (diagrams, graphs) is used by hackers to create fake crypto pages that steal money as well as credentials.

For cybercriminals, this is another way to use legitimate services for what experts call “BEC 3.0 attacks”. Jeremy Fuchs, computer security researcher at Check Point, sums it up well: “Cybercriminals take advantage of Google’s commercial tools to steal login credentials and crypto accounts. Recently, we’ve seen a dramatic increase in the use of Google Looker Studio for phishing scams. This phenomenon is concerning because it is difficult to detect, both for security services and for end users.”

The process takes place in 4 steps:

  1. First, the cybercriminal creates a Google Looker Studio page.
  2. Then they use Google to send a genuine notification to the targeted person, asking them to review or comment on the document. Because the notification is sent from a legitimate Google account, it is not detected by security filters.
  3. Then the victim clicks to view the page, which, remember, seems legitimate to them.
  4. Finally, the Google Looker page, which contains a link, redirects the victim to an external page designed to steal their login credentials, as well as crypto-related information.

Fake, legitimate-looking crypto pages created to trick you

Check Point gives the example of an attack that starts with an email coming directly from Google, and more specifically from Google Looker Studio. The hackers created a report with the tool, and the email contains a link to it, promising generous payouts and a good return to potential victims.

Google Looker Studio fake email © Check Point

Once the user has clicked on the link, they are redirected to a page that immediately looks “less Google”, but is nevertheless a perfectly legitimate Looker page. Here the cybercriminals have hosted a slideshow explaining how it is possible to claim more Bitcoins. The victim then reaches a login page designed to steal credentials, and voilà.

Check Point researchers contacted Google teams on August 22 to try to block the attempts. And since you cannot spot these fraudulent campaigns with the naked eye, it may be a good idea to equip yourself with a robust URL protection system or to adopt AI-based technology capable of analyzing and identifying indicators of phishing, to counter complex attacks.
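As an added illustration (not code from Check Point or from the original article), here is a triage rule for the flow described above: because the notification genuinely comes from Google, it judges the message on the report link, the lure wording and whether the sharer is known. The report host, the use of Reply-To to identify the sharer, and every sample value are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

REPORT_HOSTS = {"lookerstudio.google.com"}  # assumption: host that serves the reports
# Lure vocabulary taken from the campaign the article describes.
LURE_RE = re.compile(r"\b(bitcoin|crypto|payout|claim)\w*", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def triage(raw, known_sharers):
    """Return (verdict, reasons) for one Google share notification."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + "".join(
        p.get_payload() for p in msg.walk()
        if p.get_content_type() == "text/plain")
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Assumption: the account that shared the report is exposed in Reply-To.
    sharer = parseaddr(msg.get("Reply-To", ""))[1].lower()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    lures = sorted({m.lower() for m in LURE_RE.findall(text)})
    reasons = []
    if hosts & REPORT_HOSTS:
        reasons.append("report-link")
    if lures:
        reasons.append("lure:" + ",".join(lures))
    if sharer not in known_sharers:
        reasons.append("unknown-sharer")
    # In scope: mail from Google itself, which passes sender checks by design.
    if sender != "google.com" or "report-link" not in reasons:
        return "pass", reasons
    return {3: "quarantine", 2: "review"}.get(len(reasons), "pass"), reasons

# Constructed samples (addresses, subjects and report paths are made up).
KNOWN = {"colleague@corp.example"}
SAMPLE_PHISH = """\
From: Looker Studio <noreply@google.com>
Reply-To: promo@unknown.example
Subject: Claim your Bitcoin payout

Review the report: https://lookerstudio.google.com/reporting/EXAMPLE-1
"""
SAMPLE_OK = """\
From: Looker Studio <noreply@google.com>
Reply-To: colleague@corp.example
Subject: Q3 traffic dashboard

Review the report: https://lookerstudio.google.com/reporting/EXAMPLE-2
"""
```

A "pass" verdict only means this rule has nothing to say; the message still goes through whatever other filtering is in place.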
