Cyberattackers are using Google’s rebranded productivity apps suite to launch phishing campaigns.
Back in October, it was revealed that G-Suite tools like Gmail, Google Docs and Google Meet would be grouped under a new Google Workspace brand. Well, it hasn’t taken long for threat actors to abuse the service.
A new report published by security firm Armorblox claims that the free, open system provided by Google is providing plenty of opportunities for cybercriminals to defraud organizations, steal user credentials and install malware.
“The Armorblox threat research team has seen a sharp uptick in attackers using Google services to help them get emails past binary security filters based on keywords or URLs,” Arjun Sambamoorthy, the Cofounder and Head of Engineering at Armorblox, explained.
“(W)e will outline five targeted phishing campaigns that weaponize various Google services during their attack flow. These attacks are representative but in no way exhaustive – they are the tip of a deep iceberg. If successful, these email attacks using Google services could have potentially impacted tens of thousands of mailboxes within Armorblox customer environments alone.”
A phishing campaign at work
The five identified phishing campaigns included an American Express credential phishing campaign hosted on a Google form, a benefactor scam reconnaissance exploit, and the impersonation of a security administrator using Google’s Firebase mobile platform. A payroll scam involving Google Docs and a Microsoft Teams credential phishing campaign using Google Sites were also discovered.
The use of Google tools is becoming more widespread among threat actors as they give an air of credibility to their malicious communications. Google Docs, for example, is so prevalent in most people’s lives that it easily avoids suspicion. It also escapes most email security filters – certainly until a particular attack method has been identified.
Once a particular phishing campaign has achieved notoriety, security software will usually block the relevant emails. But a lot of the damage may have already been done by then. The best protection relies on individuals treating every email with caution, scanning them and, if there’s any doubt, leaving suspicious links well alone.