Of the nearly 100,000 form-based attacks detected between January 1 and April 30, Google Docs were used in 65% of attacks, making up 4% of all spear-phishing attacks in the first four months of 2020.

Hackers target Google Docs and Microsoft Sway to steal user credentials
Atom Cyber Crime Saturday, May 30, 2020 - 11:32

Cybersecurity researchers on Friday said they have identified a new type of impersonation attack that is using Google file sharing and storage websites like Google Docs to trick victims into sharing login credentials.

Of the nearly 100,000 form-based attacks detected between January 1 and April 30, Google Docs were used in 65% of attacks, making up 4% of all spear-phishing attacks in the first four months of 2020, said Barracuda Networks, a leading provider of cloud-enabled security and data protection solutions.

Amid the global pandemic, cybercriminals are increasingly using coronavirus as a lure to trick unfocused users by capitalising on their fear and uncertainty.

In this type of brand impersonation attack, scammers leverage file, content-sharing, or other productivity sites like docs.google.com or sway.office.com to convince victims to hand over their credentials.

"The hackers are taking advantage of the heightened focus on COVID-19 to distribute malware, steal credentials, and scam users out of money. While phishing tactics are common in nature, this is a new kind of form-based attack that our researchers have been steadily detecting throughout the beginning of the year," said Murali Urs, Country Manager, India of Barracuda Networks.

The attackers are impersonating emails that appear to have been generated automatically by a legitimate file-sharing site such as OneDrive and takes their victim to a phishing site through a legitimate file-sharing site.

Another tactic is creating an online form using legitimate services like forms.office.com.

The forms resemble a login page of legitimate service, and the link to the form is then included in phishing emails to harvest credentials.

These impersonation attacks are difficult to detect because they contain links pointing to legitimate websites that are often used by organizations, said researchers.

In the recent form-based attacks, attackers leveraged 25% storage.googleapis.com, 23% docs.google.com, 13% storage.cloud.google.com and 4% drive.google.com.

In comparison, Microsoft brands were targeted in 13 percent of attacks: onedrive.live.com (6%), sway.office.com (4%), and forms.office.com (3%).

The other sites used in impersonation attacks include sendgrid.net (10%), mailchimp.com (4%), and formcrafts.com (2%). All other sites made up six percent of form-based attacks.

"It is now upon the businesses to establish solutions to stop the attackers from bypassing email getaways, spam filters and track suspicious IPs. Users too should be able to identify suspicious emails and report them to reduce the occurrence of such attacks," suggested Urs.

Show us some love! Support our journalism by becoming a TNM Member - Click here.