
Stay Vigilant: Google Docs Phishing Scams Spreading Rapidly

 


Phishing scams grow more sophisticated every day, which makes them harder to detect and avoid. A wide variety of file-sync and share platforms are now available to users, and scammers impersonate these services to try to infect your computer with fake documents or folders.

The latest phishing attack to be discovered is aimed at Google Docs/Gmail users and has spread like wildfire over the internet since this afternoon. A sophisticated and infuriatingly subtle phishing site enabled the attackers to gain full access to your Gmail with just a click or two. They then sent the phishing email on to the people you had emailed.

In a worrying new phishing scam highlighted by cybersecurity software company Check Point, an email spoofing scam bypasses the usual detection measures and reaches victims' inboxes undetected. Researchers describe this phishing scam as an evolution of BEC (business email compromise) 3.0, which refers to a method of gaining access to a target's mailbox by using legitimate sites for malicious purposes.

It is extremely concerning that a scam with the potential to reach workers could be so successful, especially since many companies favor Google Workspace's office software. Google announced earlier this week that the company had taken steps to prevent impersonator emails. It disabled the accounts of those who sent impersonator emails. 

Legitimate push notifications and emails were sent from Google Drive due to an exploitable flaw. Gmail users who clicked the "Open in Docs" button in an email were taken to a real Google-hosted page. There they were asked whether they were willing to allow a seemingly legitimate service, called "Google Docs," to access their email account information.

Once permission was given, the scammers gained access to the email account and with it the victim's emails, contacts, and online documents. To spread itself, the malware then sends an email to everyone in the victim's contacts list so that everyone is infected.
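An added example, not part of the original post or any Google tooling: a defender-side review of third-party OAuth grants that flags apps borrowing a Google product name or holding mail, contacts or Drive scopes. The record fields, the vetted client ID list and the sample data are assumptions made for illustration.

```python
import unicodedata
# Scopes covering what the article says the app obtained: mail, contacts, documents.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/contacts": "contacts access",
    "https://www.googleapis.com/auth/drive": "full Drive access",
}
# Product names a third-party app has no business using as its display name.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "gmail"}
# Hypothetical allow-list of OAuth client IDs the organisation has vetted.
VETTED_CLIENT_IDS = {"111111111111-vetted.apps.googleusercontent.com"}

def normalise(name):
    """Fold case, width variants and extra spaces before comparing names."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def review_grant(grant):
    """Return the findings for one grant record (empty list means no concern)."""
    if grant["clientId"] in VETTED_CLIENT_IDS:
        return []
    findings = []
    if normalise(grant["displayText"]) in GOOGLE_PRODUCT_NAMES:
        findings.append("display name impersonates a Google product")
    findings += [f"sensitive scope: {SENSITIVE_SCOPES[s]}"
                 for s in grant["scopes"] if s in SENSITIVE_SCOPES]
    return findings

def triage(grants):
    """Map (user, app name) to findings for every grant that needs review."""
    report = {}
    for g in grants:
        findings = review_grant(g)
        if findings:
            report[(g["userKey"], g["displayText"])] = findings
    return report

# Constructed sample records; users, client IDs and app names are made up.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "displayText": "Google Docs",
     "clientId": "222222222222-unknown.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "displayText": "Calendar Sync",
     "clientId": "111111111111-vetted.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "displayText": "Notes Helper",
     "clientId": "333333333333-unknown.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]
```

Calling `triage(SAMPLE_GRANTS)` returns only the grant that both uses the "Google Docs" name and holds mail and contacts access; the vetted app and the low-privilege app are left out.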

An example of a phishing scam is when a fraudster creates emails, ads, or a website that appears to be a legitimate site. It asks for personal information such as a username, password, social security number, bank account data, or birthday. Google states that it never requests this type of data through email. Its website carries a message encouraging users not to click on links and to report any suspicious emails they receive.

Phishing is an increasingly common method of obtaining login credentials. There are several ways this can happen. One is that a user clicks on a link and then provides their account details. This hands the user's credentials to the attacker, who can then control the user's email accounts and access social networks like Facebook and other services.

Forrester Research analyst Fatemeh Khatibloo says she has never seen such a widespread Google Docs scam as this one before. She is shocked to see it happening so widely. Because of Google's resources, there is an excellent chance that the company will shut this down as soon as possible.

In recent weeks, a dangerous scam that may trick people into editing a Google Doc - the popular app that allows users to write and share documents - has been spreading rapidly across the internet. The "Open in Docs" button in the email reroutes users to what looks like a Google sign-in page, which is a fake sign-in page, where they are prompted to "continue in Docs".

Upon clicking on the link, a user grants access to the third-party app, which, once it has the user's contacts and email addresses, may in turn send spam to even more of the user's contacts. A Google spokesperson has confirmed that the matter has been brought to Google's attention and that the company is currently investigating it. The company recommends that users report these emails as phishing messages within Gmail.

What are the signs of a legitimate Google email?


Strange languages, nonsense website names, and newly registered domain names are dead giveaways. The Google Docs emails and notifications sent to the victims the scammers are targeting are written in Russian or broken English. They invite the recipient to collaborate on a project with nonsense-named people. Several scam websites are listed within these emails. When you click on one of these links, you are directed to a site registered just a few days earlier. Promises of prizes and giveaways serve as clickbait for the audience.

There is a team at Google that is dedicated to addressing abuse issues with scam emails, as well as Google documents. When you want to report abuse about a particular document to Google, you can click the 'Report abuse/copyright' button from the menu under 'Help'. Click 'More' next to 'Reply' to view a list of spam emails. Click 'Report phishing' to send a spam report to Google.

What is the status of the Google Docs Phishing Email? 


Thousands of victims of the Google Docs email scam reported that the documents used in the scam had been removed from the Google Docs website. Even assuming that the security flaw that allowed scammers to generate Google notifications has been fixed, users must stay vigilant when dealing with Google notifications. Scammers have found inventive ways to conceal their tracks within phishing emails in the days following the pandemic, and with most of us working from home, online scams have quadrupled since that time.

Please do not open any file that does not come from Google, Gmail, or Dropbox. If you receive a file that does not come from one of these sites, it is phishing, so you should not open it. It is important to remain vigilant and cautious when dealing with ransomware, just as it is when dealing with malware in general.

Attackers Can Hide Malicious Apps Using the Ghost Token Flaw

 


The Google Cloud Platform (GCP) has recently been patched against a zero-day vulnerability called GhostToken, which allowed attackers to create an invisible and unremovable backdoor on the platform. A malicious attacker could exploit this flaw to gain access to a victim's account.

By exploiting this flaw, the attacker could also manipulate the victim's data and documents within Gmail or Google Docs, while the victim remains completely unaware that this is taking place. The issue was identified and named GhostToken by Israeli cybersecurity startup Astrix Security. It affects all Google accounts, including enterprise accounts. The issue was discovered and reported to Google from June 19 through June 20, 2022. More than nine months later, on April 7, 2023, the company deployed a global patch.

According to a recent post by Astrix Security, the GhostToken zero-day vulnerability could allow malicious apps to be installed in the target Google Cloud.

The flaw allows attackers to hide their malicious apps from the "Application Management" page in the victim's Google Account, so that a user logged in to that account cannot see them and is therefore unable to revoke their access. This is done by deleting the GCP project associated with the authorized OAuth application, which leaves the project in a "pending deletion" state. A threat actor with this capability could later restore the project. After restoring it, the rogue app is visible again. The attacker could then use the access token to obtain the victim's data and make the app invisible again.

An adversary or attacker could exploit the GhostToken vulnerability to access sensitive information in the target account's Google Drive, Calendar, Photos, Google Docs, Google Maps (location data), and other Google Cloud Platform services provided by the target account. The technical team discovered the vulnerability in June 2022, reported it to Google, and asked them to fix it. Despite acknowledging the problem in August 2022, Google did not release a patch until April 2023.

Google released the fix before the bug was actively exploited. As part of the patch, the users' app management option now shows OAuth application tokens for apps scheduled for deletion.

Despite the tech giant's fix, Google users must also check their accounts to determine whether there are any unrecognized apps. Additionally, to prevent any risk of damage to their devices, users should ensure that third-party apps have minimal access permissions.

A patch released by Google has been rolled out to address this issue, and it now displays apps in a pending deletion state within the third-party access section of the website. As a result, users can uninstall such apps by revoking their permissions.

A privilege escalation vulnerability in Google Cloud's Cloud Asset Inventory API, known as Asset Key Thief, has also been fixed. Using this vulnerability, users could steal the private keys of Service Accounts, allowing them to access valuable data they manage. The software giant patched the issue, which was discovered by SADA, earlier this month, on March 14, 2023, two months after discovery.

Google Docs Comment Flaw Exploited by Hackers

 

A flaw has been detected in the comment feature of Google Docs that allows cybercriminals to compromise users with phishing emails.

A cyber threat research unit has reported that hackers are using the "Comments" feature of Google Docs to send malicious links in a phishing campaign. The researchers also revealed in their findings that the group primarily targeted Outlook users.

Researchers from email collaboration and security firm Avanan, a Check Point company, have discovered what they call "a new, massive wave of hackers" leveraging the comment feature in Google Docs during December 2021 to execute attacks, Avanan cybersecurity researcher/analyst Jeremy Fuchs said in a report published on Thursday.

The team said that the hackers mentioned the target with an @ in a comment, which automatically sent an email to that person's inbox. The email includes the malicious links and text. Furthermore, the researchers said that the email address of the commenter was not shown, just the name of the attacker.

The attackers have already hit more than 500 users across 30 different locations, employing more than 100 different Gmail accounts, and are difficult to catch as of now, according to the researchers at Avanan.

"In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators," reiterates Jeremy Fuchs, cybersecurity researcher/analyst at Avanan.

Fuchs also shared an example to explain how the attack works: "Let’s say the intended target has a work address of vic.tim@company.com. The end-user will have no idea whether the comment came from bad.actor@gmail.com or bad.actor@company.com. It will just say 'Bad Actor' mentioned you in a comment in the following document," Fuchs says. "If Bad Actor is a colleague, it will appear trusted. Further, the email contains the full comment, along with links and text."