Google Drive once again exploited in a sophisticated phishing attack

Cybercriminals and states-sponsored hackers are leveraging Google Drive site and other cloud storage to operate in a stealthy way and avoid detection.

Cybercriminals and attackers are exploiting once again Google Drive infrastructure to avoid detection. The exploitation of Google Drive cloud storage by cyber criminals is not a novelty, a few days ago experts at TrendMicro detected uncovered a sophisticated phishing campaign that was organized to syphon sensitive data from victims.

This time, cyber criminals have published a modified version of the legitimate Google Drive login page to steal email credentials from victims. The researchers consider the attack an improved version of the cyber attacks discovered early this year.

As usual the attacks starts with a phishing email containing a link to a bogus Google Drive site that allows victims to log in using different email services, including Yahoo and Hotmail.

Once the used logged in is redirected to a legitimate site by the phishing site, the landing document is legitim and is used to deceive victims int thinking that no suspicious activities are going on despite nothing in the content of the email references the “document”.

Analyzing the code of the page, the experts discovered the presence of the Chrome save tag, which indicates that phishers behind the campaign have saved the source of the legitimate Google Drive login page and added malicious cod

“e. And since this site recycled code from Google Drive, all the checkers for proper entries are still in place. The phishing site will only accept email addresses in the proper format (e.g., <accountname>@<serviceprovider>.com). This is a marked difference from the earlier phishing pages, which accepted anything, even gibberish.” states a blog post published by TrendMicro.

When victims click on the “Sign In” button, its credentials and data on mail service choose are sent to a specific URL. The attack seems to be effective also on mobile devices.

The phishing website used by the threat actors is a Chinese sports forum, that was probably compromised by the attackers. The experts speculated that that cybercriminals are using the stolen data to hit other victims and that the malicious campaign have been going on for at least three months.

Despite the level of awareness on phishing the technique is still very effective has explained in the last APWG report, for this reason be careful when open emails, even those from friends, and avoid clicking links that are embedded in the content.

Rolling over the mouse on the link you can vision the real URL associated to the link and check if the domain name has any typo error or different names from the legitimate website.

Do not be fooled by the use of the HTTPS protocol because the practice of use the HTTPs phishing is rapidly increasing.

Pierluigi Paganini

Security Affairs – (Google Drive, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.