Phishing Attacks Evade Security With Google Services, Social Engineering

November 23, 2020 - Two new phishing campaigns have been spotted in the wild using legitimate Google services and social engineering in an effort to appear as legitimate emails and are capable of bypassing security measures, according to reports from Microsoft and Armorblox.

For the first campaign, Microsoft took to Twitter to warn Office 365 users that hackers were targeting enterprises in an attempt to steal user credentials. The attacks leverage social engineering attempts and a range of sophisticated means to evade detection.

The phishing emails use timely lures to impress urgency and are tied to remote work, password updates, conference call information, helpdesk tickets, and other pressing matters.

In one example, the malicious email warns the user that their password is expiring today and is marked for deletion if the user does not reconfirm. Another tactic referenced a scheduled meeting that urges the user to review the attached agenda prior to the call.

The hackers are also using redirector sites with a unique subdomain tailored to each targeted user. Microsoft explained the subdomain follows different formats but the recipients’ username and the domain name of their enterprise is nearly always used.

“This unique subdomain is added to a set of base domains, typically compromised sites,” Microsoft explained. “Notably, the phishing URLs have an extra dot after the top-level domain, followed by the Base64-encoded email address of the recipient.”

“The use of custom subdomains helps increase the believability of the lure,” they added. “In addition, the campaign uses patterns in sender display names consistent with the social engineering lure: ‘Password Update’, ‘Exchange proteccion’, ‘Helpdesk’, ‘SharePoint’, and or ‘Projects_communications’.

Further, the use of unique subdomains also generated huge volumes of phishing URLs, in an apparent attempt to evade detection.

The redirector URLs are able to detect connections from sandbox environments, which adds to the campaign’s evasion techniques. If the redirector detects an expired URL or that it’s been accessed from a sandbox environment, the user is redirected to a legitimate site “such that it can evade automated analysis and only actual users reach the phishing site.”

The malicious emails also employ heavy obfuscation techniques in its HTML code, which Microsoft stressed marks the campaign’s sophistication.

Phishing Attacks Employ Google Services

Armorblox detected another sophisticated phishing tactic, with a rapid increase in the number of attackers using legitimate Google services to evade security filters based on URLs or keywords and employed by more than five large campaigns.

Google employs open APIs, extensible integrations, and developer-friendly tools to simplify its services and improve workflows. But researchers found that the open and democratized nature of the platform is being exploited by threat actors to defraud users and organizations.

These campaigns rely on impersonation, link redirections, and social engineering to trick users into interacting with the malicious emails.

Five targeted phishing campaigns are actively “weaponizing” a range of Google services during the attack flow, according to Armorblox. But researchers noted there are likely many more leveraging these tactics.

“Hosting the phishing page on a Google form helps the initial email evade any security filters that block known bad links or domains,” researchers explained. “Since Google’s domain is inherently trustworthy and Google forms are used for several legitimate reasons, no email security filter would realistically block this link on day zero.”

“They are the tip of a deep iceberg,” they added. “If successful, these email attacks using Google services could have potentially impacted tens of thousands of mailboxes within Armorblox customer environments alone.”

Two of these attacks leverage legitimate Google forms, one impersonating American Express Customer Care and the other impersonates a benefactor.

For the American Express campaign, the phishing email informs users they’ve forgotten some required information when validating their card and contains a link redirecting users to validate their card.

The site is hosted on a legitimate Google form and branded with American Express logos, asking users to confirm credentials, card details, and mothers’ maiden names, a common security question.

Meanwhile, the benefactor impersonation attempts ask users to click a link in the email or to send a reply to the address provided in the phishing email, if they’re interested in the inheritance. The malicious link leads to a seemingly innocuous Google form with an untitled question and just one answer option.

“At first glance, it seems the attackers have been lazy or negligent, but this is a common reconnaissance technique employed at the start of targeted email attacks,” researchers explained. “Many people will feel the email is suspicious after going through the content and visiting this dummy form.”

“But some people will submit the only option allowed by the form, or they will send a reply to the address provided in the email,” they continued. “This allows attackers to shortlist the most naive and emotionally susceptible email recipients, who will be prime targets for follow-up emails from the childless widow.”

Hackers are also employing Firebase, Google’s mobile platform that allows users to create apps, host files, and hosts user-generated content. In this attack, the phishing lure impersonates the organization’s security team to inform users some vital emails have not been delivered due to a storage quota issue.

The malicious message includes a link, asking the user to verify their information to resume email delivery. Instead, users are directed to a fake login page hosted by Firebasem, which mimics quick-fill techniques employed by forms and used by legitimate websites, providing users with a false sense of security. And given the site’s inherent legitimacy, the URL won’t be blocked by common email security tools.

Another avenue used in these attacks are phishing emails purportedly sent from one employee to another. These emails contain links that direct users to a Google Doc, claiming to contain payslip information sent from the payroll team.

The email title and body use the targeted user’s name to increase legitimacy, while the redirections obfuscate link detection technologies from identifying the URL as malicious.

Lastly, hackers are also impersonating Microsoft Teams in emails claiming to come from the company’s IT team. The emails ask the user to review secure messages sent from colleagues over Microsoft Teams.

“Clicking the link took the targets to a page resembling Microsoft Teams, which further redirected to the credential phishing site resembling the Office 365 login portal,” researchers explained.

“The Office 365 login portal was hosted on Google Sites, a wiki and web page creation tool that lowers the skill bar needed to create websites,” they added. “The malice of the page’s intent was hidden behind the legitimacy of the page’s domain. This page would pass most eye tests during busy mornings (which is when the email was sent out), with people happily assuming it to be a legitimate Microsoft page.”

The reports come on the heels of an IRONSCALES report that found more than half of advanced phishing attacks evade leading secure email gateways. As such, healthcare providers should review spear-phishing guidance from Europol to better understand mitigation techniques, while providing employees with further security training to prevent falling victim.