Posted on November 21, 2020 at 6:20 PM
A new report reveals that cybercriminals are using Google Workspace in several phishing campaigns. The hackers are utilizing Google’s productivity apps to carry out phishing attacks on their targets.
Last month, Google announced that G-Suite tools such as Google Meet, Google Docs, and Gmail will be placed under a novel Google Workspace brand.
Barely a few weeks after that grouping was done, threat actors have already started attacking and abusing the new feature.
Threat actors are installing malware to steal user credentials
Cybersecurity company Armorblox published a new report about the newfound attack avenue exploited by hackers.
According to the report, cybercriminals are exploiting the open system Google provided as they have seen opportunities to install malware, steal user credentials, and defraud organizations.
Arjun Sambamoorthy, co-founder and Head of Engineering at Armorblox, explained that the research team has discovered that hackers are using Google services to get emails past binary security filters that make their decisions based on URLs or keywords.
According to the security researchers, the attackers are running different targeted phishing campaigns that weaponize various Google services when they attack.
The cybercriminals are part of a larger group of hackers who want to extensively explore the new window of opportunity created by the new Google service grouping, Arjun said.
A successful attack could endanger hundreds of thousands of mailboxes
If an attack is launched and succeeds, there is the possibility of the email attacks disrupting tens of thousands of mailboxes in a single company’s customer environment.
That means the successful and exhaustive exploitation of the Google service could impact hundreds of thousands of mailboxes, which can be used for future attacks.
Five phishing campaigns discovered
The researchers identified five phishing campaigns the hackers are using to exploit Google services. They include:
- Microsoft Teams credential phishing that uses Google Sites
- A payroll scam utilizing Google Docs
- Hackers impersonating a security administrator with Google’s Firebase platform
- A benefactor scam reconnaissance exploit
- A credential phishing campaign hosted on Google Forms using American Express
Lately, there has been widespread use of Google tools by cybercriminals, since these tools make their communications with the target audience look genuine. For instance, Google Docs is so widely adopted and used that it easily avoids any suspicion.
The fact that it is not screened out by most email security filters also makes it commonly used by attackers. The only time more scrutiny is given to Google Docs is when an attack pattern using Docs has been detected, as is the case after the discovery by the Armorblox security researchers.
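The gap described above, as an added example (not code from the Armorblox report or from this article): a reputation-only filter allows any link on a Google domain, while a context check flags a message that names another brand or asks for credentials yet links to Google-hosted user content. The host lists, the brand-to-domain map and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed for illustration: domains a reputation-only filter trusts outright.
TRUSTED_SUFFIXES = ("google.com", "googleapis.com")
# Assumed: Google hosts that serve content written by arbitrary users.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com",
                      "firebasestorage.googleapis.com"}
# Assumed: brands named in the article and the domains their real logins use.
BRAND_DOMAINS = {"microsoft teams": ("microsoft.com",),
                 "american express": ("americanexpress.com",)}
CREDENTIAL_CUES = re.compile(r"\b(sign in|log ?in|password|verify your account)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _under(host, suffixes):
    # True when host equals a suffix or is a subdomain of it.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def binary_filter(body):
    """Reputation-only verdict: allow when every link is on a trusted domain."""
    hosts = [_host(u) for u in URL_RE.findall(body)]
    return "allow" if all(_under(h, TRUSTED_SUFFIXES) for h in hosts) else "block"

def context_check(body):
    """Return reasons a message deserves review despite trusted hosting."""
    hosts = [_host(u) for u in URL_RE.findall(body)]
    hosted = [h for h in hosts if h in USER_CONTENT_HOSTS]
    if not hosted:
        return []
    reasons = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in body.lower() and not any(_under(h, domains) for h in hosts):
            reasons.append(f"names {brand} but has no link on its domains")
    if CREDENTIAL_CUES.search(body):
        reasons.append(f"asks for credentials via user content on {hosted[0]}")
    return reasons

# Constructed sample messages (not taken from the report).
TEAMS_LURE = ("You have missed messages in Microsoft Teams. Sign in to read them: "
              "https://sites.google.com/view/example-placeholder")
COLLEAGUE = "Draft agenda for Monday: https://docs.google.com/document/d/EXAMPLE/edit"

if __name__ == "__main__":
    for name, msg in (("lure", TEAMS_LURE), ("colleague", COLLEAGUE)):
        print(name, binary_filter(msg), context_check(msg))
```

Both sample messages pass the reputation-only filter; only the first one produces review reasons, which is the distinction a URL or keyword verdict alone cannot make.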
Users warned to be wary of Docs files
After security researchers discover a particular phishing campaign, security software is usually updated to block the relevant emails. But before that update is carried out, the hackers would have already caused a lot of damage.
That is why security researchers always advise users to be wary of the type of email they open. Individuals should treat every email with caution, and try scanning them before opening.
If they have any doubts about an email, they should not click on any suspicious links, because that is also one of the ways hackers can get malware planted on their systems, the security researchers have warned.
Security researchers have also advised users to be careful when opening Docs files because of the high level of risk associated with such files.
That is why they should have security software on their systems that can detect and delete any suspicious files. That is the best way for users to protect their systems from phishing attacks, according to Armorblox researchers.