Pierluigi Paganini
July 29, 2015
Once again phishers exploited Google’s reputation running a phishing campaign aimed to steal user Google credentials and access to the multitude services offered by the company.
The new phishing campaign was discovered by the security researcher Aditya K. Sood from Elastica Cloud Threat Labs. Also in this case phishers used phishing pages hosted on Google Drive that appear similar a Google log-in page and which was served over HTTPs. The use of HTTPS makes the web pages more realistic and less suspicious to victims.
This campaign has many similarities with a campaign discovered by experts at Symantec in March 2014, the malicious emails sent by the scammers presents the same subject “Document,” and the stolen credentials are hosted on a third-party server.
“Elastica Cloud Threat Labs recently discovered a new Google Drive phishing campaign in which an attacker deployed phishing web pages on Google Drive. This is not the first time Google Drive has been used for phishing purposes. Last year, the security community encountered a similar type of Google Drive phishing attack.” states the blog post published by Elastica Cloud Threat Labs.
The new campaign appeared to the experts as the evolution of the previous one, because the improved obfuscation techniques used to hide the phishing pages. The phishers used a JavaScript encoding mechanism to obfuscate the code in the phishing pages. The attack scheme is quite simple, victims receive the bogus email from a Gmail addresses that’s likely been compromised, they’re requested to click on the embedded link pointing to a page hosted in a Google Drive folder. The phishing page looks like a Google log-in form, then if the user enters his credentials they are transferred in clear to a remote compromised web server while the user is redirected to a PDF document hosted on another server in order to avoid raising suspicion .
The destination URL where the victim’s credentials are sent is hxxp://alarabia[.]my/images/Fresh/performact[.]php.
“In this phishing campaign, we found some stealthy techniques used by the attacker to protect the phishing web page code. The attacker deployed a JavaScript encoding mechanism to obfuscate the code in the web pages so that they could not be read easily. Using Google Drive for hosting phishing web pages provides an attacker with the ability to exploit the established trust users have with Google. For example, in this campaign, the attacker used Gmail to distribute emails containing links to unauthorized web pages hosted on Google Drive.” states the post.
The phishers were mainly interested in siphon Google credentials of their victims as explained in the post.
“In an effort to maximize benefits, attackers targeted Google users specifically so as to gain access to the multitude of services associated with those accounts, since Google uses Single Sign On (SSO) procedures,” continues the post.
The experts noticed that phishing emails are able to avoid Google’s built-in detection capabilities, likely because they’re sent from a Gmail account and the embedded link points to a legitimate googledrive.com domain.
“When you open ‘drive.google.com,’ Google redirects the browser to ‘accounts.google.com’ which carries the message, ‘One Account. All of Google,’ whereas this web page highlights the message ‘Google Drive. One Storage,’ which is not legitimate,” Sood said. “However, users targeted in this campaign might not notice this.” explained Aditya K Sood from Elastica Cloud Threat Labs.
(Security Affairs – Google Drive, phishing)
