Scammers target Google Docs and Microsoft Sway to steal user credentials
Barracuda Networks, the trusted partner and leading provider of cloud-enabled security solutions, highlights the threat landscape for the month of May 2020. Barracuda researchers have identified a new type of brand impersonation attack that disproportionately uses Google-branded sites to trick victims into sharing login credentials. Of the nearly 100,000 form-based attacks detected between January 1 and April 30, 2020, Google file-sharing and storage websites were used in 65 percent of attacks, making up 4 percent of all spear-phishing attacks in the first four months of 2020.
Amid the global pandemic, cybercriminals are evolving, and a growing number of their campaigns use the coronavirus as a lure to trick distracted users by capitalising on their fear and uncertainty. In this type of brand impersonation attack, scammers leverage file-sharing, content-sharing, or other productivity sites like docs.google.com or sway.office.com to convince victims to hand over their credentials. They carry out credential theft in several ways.
The attackers send emails that impersonate the automatic notifications of a legitimate file-sharing site such as OneDrive and take their victim to a phishing site through that legitimate file-sharing site. Another tactic is to create an online form using a legitimate service like forms.office.com. The form resembles the login page of a legitimate service, and the link to the form is then included in phishing emails to harvest credentials. These impersonation attacks are difficult to detect because they contain links pointing to legitimate websites that organizations use every day.
Getting access to accounts without passwords is another attack variant: the original phishing email contains a link that looks like a usual login page, but the link actually carries a request for an access token for an app. After login credentials are entered, the user is presented with a list of app permissions to accept. By accepting these permissions, the user allows the attacker to use those login credentials to access the account. Even two-factor authentication cannot stop such phishing attacks, because the user has approved the malicious app's access to the account.
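As an added illustration (not code from the Barracuda report), the following Python triage function flags the two patterns described above in a constructed sample message: links to the legitimate form/storage hosts the report names, and embedded OAuth authorization requests for apps not on an allowlist or asking for sensitive scopes. The allowlist, the scope list, and the hosts in the sample message are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Legitimate hosts the report lists as abused in form-based attacks.
ABUSED_FORM_HOSTS = {
    "storage.googleapis.com", "docs.google.com", "storage.cloud.google.com",
    "drive.google.com", "onedrive.live.com", "sway.office.com",
    "forms.office.com", "sendgrid.net", "mailchimp.com", "formcrafts.com",
}
# Hypothetical allowlist of OAuth client_ids the organization has approved.
APPROVED_CLIENT_IDS = {"00000000-aaaa-bbbb-cccc-000000000001"}
# Scopes that would hand an attacker mailbox or file access once consented to (assumed list).
SENSITIVE_SCOPES = {"mail.read", "mail.readwrite", "files.readwrite.all",
                    "offline_access", "user.read.all"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def find_urls(body):
    """Extract http(s) URLs from a plain-text message body."""
    return URL_RE.findall(body)

def assess_url(url):
    """Return a list of findings for one URL; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in ABUSED_FORM_HOSTS or any(host.endswith("." + h) for h in ABUSED_FORM_HOSTS):
        findings.append(f"link to form/storage host commonly abused for credential harvesting: {host}")
    qs = parse_qs(parsed.query)
    # A link carrying an OAuth authorization request: check the app and the scopes it asks for.
    if "client_id" in qs and ("scope" in qs or "response_type" in qs):
        client_id = qs["client_id"][0]
        if client_id not in APPROVED_CLIENT_IDS:
            findings.append(f"OAuth consent request for unapproved app client_id={client_id}")
        scopes = {s.lower() for s in " ".join(qs.get("scope", [])).split()}
        risky = sorted(scopes & SENSITIVE_SCOPES)
        if risky:
            findings.append("consent request asks for sensitive scopes: " + ", ".join(risky))
    return findings

def triage_email(body):
    """Map each URL in the body to its findings; URLs with no findings are omitted."""
    report = {}
    for url in find_urls(body):
        findings = assess_url(url)
        if findings:
            report[url] = findings
    return report

# Constructed sample message mimicking a fake OneDrive share notice plus a consent link.
SAMPLE_EMAIL = """Your colleague shared 'Q2 Budget.xlsx' with you on OneDrive.
Open the document: https://storage.googleapis.com/share-doc-1234/onedrive/index.html
To keep access, approve the viewer app:
https://login.example.com/oauth2/v2.0/authorize?client_id=1111-2222&response_type=token&scope=Mail.Read%20offline_access&redirect_uri=https%3A%2F%2Fdocs-view.example.net%2Fcb
"""
```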
In the recent form-based attacks reported by Barracuda researchers, attackers leveraged storage.googleapis.com (25%), docs.google.com (23%), storage.cloud.google.com (13%) and drive.google.com (4%). In comparison, Microsoft brands were targeted in 13 percent of attacks: onedrive.live.com (6%), sway.office.com (4%), and forms.office.com (3%). The other sites used in impersonation attacks include sendgrid.net (10%), mailchimp.com (4%), and formcrafts.com (2%). All other sites made up 6 percent of form-based attacks.
Speaking on the threat highlight, Mr. Murali Urs, Country Manager, India of Barracuda Networks, commented, “As working from home becomes the new normal for many businesses and their employees amid multiple restrictions, there has been an exceptional spike in cybersecurity threats and an increase in a variety of phishing campaigns. The attacks are taking advantage of the heightened focus on COVID-19 to distribute malware, steal credentials, and scam users out of money. While phishing tactics are common in nature, this is a new kind of form-based attack that our researchers have been steadily detecting throughout the beginning of the year. They are expecting the numbers to increase going forward as cybercriminals are successfully able to harvest credentials with these attacks. It is now upon the businesses to establish solutions to stop the attackers from bypassing email gateways and spam filters, and to track suspicious IPs. Users too should be able to identify suspicious emails and report them to reduce the occurrence of such attacks.”
While such attacks cannot be eliminated easily, organisations can adopt strategies that use artificial intelligence to detect and block attacks such as account takeover and domain impersonation. They should also have a solution in place that uses machine learning to analyse normal communication patterns within the organisation, instead of relying solely on looking for malicious links or attachments. They should enable multi-factor authentication and two-step verification for online accounts, which add a layer of security beyond username and password, such as an authentication code, thumbprint, or retinal scan. Organisations should also track IPs that exhibit other suspicious behaviour, including failed logins and access from suspicious devices.
Meanwhile, users should be educated about email attacks, including form-based attacks, as part of security-awareness training. Businesses can use phishing simulation to train users to identify such attacks, understand their fraudulent nature, and learn to report them.