Cybercriminals used Google Drive for targeted phishing

Cofense experts found a carefully planned phishing attack against an unnamed energy company. Cybercriminals used a legitimate Google Drive feature for targeted phishing to bypass security systems and lead employees to a malicious page.

The ultimate goal of the campaign was to obtain the credentials of corporate users. The attackers posted a message on the Google cloud service that purported to come from the head of the targeted organization.

The text described a certain business project and invited employees to discuss it. For details, they were sent to the next page, where the phishing form was located.

“The link within the email body is also hard to defend against because it links to an actual Google Drive share. If the organization’s email body inspection tool does not examine past the first link, phishing countermeasures will mark the email as non-malicious, allowing the phish to avoid another security measure,” wrote the Cofense researchers.

The criminals sent a link to the file through the “Share” function. This legitimate mechanism does not arouse the suspicion of mail filters, and anti-phishing systems cannot check the content to which such notifications lead. As a result, the campaign organizers easily reached the victims.

Reference: Google Drive is a file storage and synchronization service created by Google that enables its users to store files in the cloud and effortlessly synchronize them between devices and platforms.

How to resist a phishing attack through Google Drive

Researchers note that such threats can still be stopped by automatic means. Advanced anti-phishing systems check the site that the user wants to go to, and if the domain was registered recently, they block the page.
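The check described above, as an added example (not code from Cofense or from this article): it evaluates every hop of a link chain rather than only the first link, and flags any destination whose domain was registered recently. The hop list, hostnames, registration dates, the 30-day threshold and the policy for unknown domains are constructed assumptions; a real deployment would get the chain from a URL-following scanner and the dates from WHOIS/RDAP.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed sample data (not from the report): the hops a URL-following
# scanner recorded for one share notification, and registration dates as a
# WHOIS/RDAP lookup would return them.
SAMPLE_CHAIN = [
    "https://drive.google.com/file/d/EXAMPLE_ID/view",
    "https://project-review.example/login",
]
SAMPLE_REGISTRATIONS = {
    "google.com": date(1997, 9, 15),
    "project-review.example": date(2019, 8, 1),
}
MIN_AGE_DAYS = 30  # assumed threshold; the article only says "recently"

def lookup_registration(host, registrations):
    """Return (domain, date) for the longest known suffix of host, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registrations:
            return candidate, registrations[candidate]
    return None

def evaluate_chain(chain, registrations, today, min_age_days=MIN_AGE_DAYS):
    """Check every hop, not just the first link, and list the risky ones."""
    findings = []
    for position, url in enumerate(chain):
        host = urlsplit(url).hostname or ""
        hit = lookup_registration(host, registrations)
        if hit is None:
            # Assumed policy: no registration data is treated as risky.
            findings.append((position, host, "unknown registration"))
            continue
        domain, registered = hit
        age = (today - registered).days
        if age < min_age_days:
            findings.append((position, domain, f"registered {age} days ago"))
    return findings

def verdict(chain, registrations, today):
    return "block" if evaluate_chain(chain, registrations, today) else "allow"

if __name__ == "__main__":
    today = date(2019, 8, 20)  # constructed evaluation date
    print("first link only:", verdict(SAMPLE_CHAIN[:1], SAMPLE_REGISTRATIONS, today))
    print("full chain:", verdict(SAMPLE_CHAIN, SAMPLE_REGISTRATIONS, today))
```

Inspecting only the first link yields "allow" because the Google Drive share is legitimate; the block verdict comes from the second hop.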

In addition, attentive users could have suspected that something was wrong. Although the criminals tried to style the phishing message after the target organization, the corporate logo and other elements were outdated. The return address of the fake CEO also did not comply with the rules adopted by the company.

Without specifying whether the criminals eventually managed to achieve their goal, the experts conclude that such attacks show the importance of teaching users the basics of information security. Studies have shown that such courses increase the competencies of employees, and this knowledge does not disappear even after a year. However, employees of energy companies absorb this material less well than users from other industries.

Earlier this month, security experts spotted targeted attacks on American industry. Housing and utilities companies were hit by the LookBack RAT Trojan, which can take screenshots, track mouse movements, send commands to the computer and read system data.

About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
