Hackers send malicious links via comments on Google Docs


Research by cybersecurity firm Avanan has shown that hackers are increasingly using Google Docs functionality to pass malicious content through spam filters and security tools.

Comments feature used to infiltrate Outlook

In a blog post, Jeremy Fuchs of Avanan indicates that in December, attackers used the Comments feature in Google Docs and Google Slides to carry out attacks against Outlook users.

“In this attack, the hackers add a comment to a Google Doc. The comment mentions the target with an @. In doing so, an email is automatically sent to that person’s inbox. In this email, which is from Google, the full comment, including malicious links and text, is included. In addition, the email address is not displayed, only the name of the attacker is indicated, which makes the situation conducive to identity theft,” he describes.

This technique has been used by cybercriminals for a long time, and Google even released fixes for this issue in October. But Avanan includes images showing researchers continuing to exploit the vulnerability on Google Docs and Google Slides using a malicious link added to a comment.

“We saw that it was aimed primarily at Outlook users, but not exclusively. It reached more than 500 inboxes in 30 companies, the hackers using more than 100 different Gmail accounts,” adds the researcher, noting that routing the attack through Google Docs makes it difficult for filtering systems to stop, because the email comes directly from Google.

[Image: Avanan]

Undetectable spam

Google is on most allow lists, says Jeremy Fuchs, and most people trust emails from Google. Anti-spam functions are also powerless against this attack, as the email does not use the hacker’s email address, only their display name. No one can tell if the comment is from someone inside their company or from outside.

“Plus, the email contains the full comment, along with links and text. The victim never needs to view the document, as the payload is in the email itself. Finally, the attacker doesn’t even have to share the document: just mention the person in the comment,” he adds.

“This attack was not detected by ATP either. Avanan informed Google of the flaw on January 3, via the ‘Report Phish through email’ button in Gmail.”

Pay extra attention to links sent by email

The company notes that last year it reported another Google Docs exploit that also allowed hackers to easily distribute malicious phishing websites to end users.

Avanan suggests that users double check before clicking on any links in a Google Doc comment sent to them.

A number of cybersecurity experts point out that this type of attack has been used by cyber attackers for many years because of its success.

Shawn Smith, director of infrastructure at nVisium, notes that the attack is not much different from other phishing methods. “Users should always be wary of links in emails, even those from legitimate senders, as they risk compromising their account. It seems to me that this is less of an ‘exploit’ in itself than a lack of spam prevention,” he said. “In addition to checking the links, users should also hover over them before clicking, to confirm that the hyperlink sends them where they expect it to – and not to a completely different site than the one the link indicates.”
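The two defensive points made in this article, that a comment notification arrives from Google with only the commenter’s display name, and that the visible text of a link may not match where it actually points, can both be turned into an automated check on inbound mail. The following Python script is an added example written for this article; it is not Avanan’s, Google’s or nVisium’s code. It assumes that Google Docs comment notifications are sent from comments-noreply@docs.google.com (verify this against your own mail logs), uses a small constructed allow list of link hosts, and parses a constructed sample notification whose headers, addresses and links are invented for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: Google Docs comment notifications come from this sender address.
# Confirm it against real notifications in your own mailbox before relying on it.
COMMENT_NOTIFIER = "comments-noreply@docs.google.com"

# Assumed allow list: hosts a comment notification legitimately links to.
TRUSTED_LINK_HOSTS = {"docs.google.com", "drive.google.com"}

URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)

# Constructed sample notification (all names, addresses and URLs are made up).
# The comment body carries a link whose visible text looks like a Google Docs
# URL but whose href points somewhere else entirely.
SAMPLE_EMAIL = """From: "Pat Example (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Pat Example mentioned you in a comment
Content-Type: text/html; charset=utf-8

<html><body>
<p>Pat Example (<b>+victim@example.com</b>) added a comment:</p>
<blockquote>Please review the invoice:
<a href="https://login-verify.example.net/x">https://docs.google.com/document/d/abc</a></blockquote>
<p><a href="https://docs.google.com/document/d/abc/edit">Open</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, visible text) tuples found in the HTML."""
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def link_host(url):
    """Hostname of a URL, lower-cased; bare 'www.x' text is given a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LINK_HOSTS)


def analyze_notification(raw_email):
    """Inspect one inbound message. Returns {} if it is not a Google Docs comment
    notification, otherwise a findings dict a mail filter could act on."""
    msg = message_from_string(raw_email)
    display_name, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != COMMENT_NOTIFIER:
        return {}
    payload = msg.get_payload(decode=True) or b""
    html = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    links = extract_links(html)
    # Any link leaving the allow list is worth a second look: the comment text,
    # links included, is delivered verbatim by Google.
    untrusted = [href for href, _ in links if not is_trusted_host(link_host(href))]
    # The "hover before you click" check, automated: visible text that looks
    # like a URL but resolves to a different host than the real href.
    mismatched = [(href, text) for href, text in links
                  if URL_LIKE.match(text) and link_host(href) != link_host(text)]
    return {
        # Only the commenter's display name is available; the notification
        # never carries the commenter's own address, so it cannot be verified here.
        "commenter_display_name": display_name,
        "untrusted_links": untrusted,
        "mismatched_links": mismatched,
        "suspicious": bool(untrusted or mismatched),
    }


if __name__ == "__main__":
    for key, value in analyze_notification(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports one untrusted link and one mismatched link and marks the message suspicious, while the genuine “Open” link to docs.google.com passes. In a mail pipeline the findings would feed a quarantine or warning-banner rule rather than a hard block, since the trusted Google link and the hostile comment link arrive in the very same message.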

Source: ZDNet.com





Source link -97