Google Drive once again exploited in a sophisticated phishing attack

Cybercriminals and states-sponsored hackers are leveraging Google Drive site and other cloud storage to operate in a stealthy way and avoid detection.

Cybercriminals and attackers are exploiting once again Google Drive infrastructure to avoid detection. The exploitation of Google Drive cloud storage by cyber criminals is not a novelty, a few days ago experts at TrendMicro detected uncovered a sophisticated  phishing campaign that was organized to syphon sensitive data from victims.

This time, cyber criminals have published a modified version of the legitimate Google Drive login page to steal email credentials from victims. The researchers consider the attack an improved version of the cyber attacks discovered early this year.

As usual the attacks starts with a phishing email containing a link to a bogus Google Drive site that allows victims to log in using different email services, including Yahoo and Hotmail.

Once the used logged in is redirected to a legitimate site by the phishing site, the landing document is legitim and is used to deceive victims int thinking that no suspicious activities are going on despite nothing in the content of the email references the “document”.

Analyzing the code of the page, the experts discovered the presence of the Chrome save tag, which indicates that phishers behind the campaign have saved the source of the legitimate Google Drive login page and added malicious cod

“e. And since this site recycled code from Google Drive, all the checkers for proper entries are still in place. The phishing site will only accept email addresses in the proper format (e.g., <accountname>@<serviceprovider>.com). This is a marked difference from the earlier phishing pages, which accepted anything, even gibberish.” states a blog post published by TrendMicro.

When victims click on the “Sign In” button, its credentials and data on mail service choose are sent to a specific URL. The attack seems to be effective also on mobile devices.

The phishing website used by the threat actors is a Chinese sports forum, that was probably compromised by the attackers. The experts speculated that that cybercriminals are using the stolen data to hit other victims and that the malicious campaign have been going on for at least three months.

Despite the level of awareness on phishing the technique is still very effective has explained in the last APWG report, for this reason be careful when open emails, even those from friends, and avoid clicking links that are embedded in the content.

Rolling over the mouse on the link you can vision the real URL associated to the link and check if the domain name has any typo error or different names from the legitimate website.

Do not be fooled by the use of the HTTPS protocol because the practice of use the HTTPs phishing is rapidly increasing.

Pierluigi Paganini

Security Affairs –  (Google Drive, cybercrime)