Cloud

7/28/2015
08:00 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

New Phishing Campaign Leverages Google Drive

Researchers believe technique is geared to take over Google SSO accounts.

For the second time in two years, security researchers have uncovered ongoing phishing attacks that leverage Google Drive, with this latest attack building on previous techniques by adding advanced code obfuscation.

Discovered by Aditya K Sood, architect of Elastica Cloud Threat Labs, and his research team, the new attack again uses phishing web pages hosted on Google Drive to lend them an air of credibility in order to fool even security trained users. As Sood explains, this exploits "the established trust users have with Google."

"In this phishing campaign, the attacker used Gmail to distribute emails containing links to unauthorized web pages hosted on Google Drive," he says. "The attacker actually abuses that Google Drive functionality. He's not conducting a man in the middle attack, he's not disrupting the network channel, he's simply abusing how the Google Drive publishing functionality works and then exploiting that for his own nefarious purposes."

Where this attack veers off the previous script is that it uses JavaScript code obfuscation to evade detection and a separate third-party domain to store stolen credentials. By using Google Drive, attackers are already making it difficult for security solutions to detect the attack using IP address-based blacklisting. The code obfuscation further mucks up the security detection process by hiding the HTML source code and taking in-line scanning off the table.

"The HTML source code is not directly available," Sood says. "So any security solution looking into different features out of the HTML page are not going to work in this scenario," he says.

According to Sood, it appears the ultimate target was to target Google users due to Google's use of single sign on and the potential for gaining access to multiple services through a single credential.

"The basic idea behind this attack is the attacker wants to go after the Google SSO  login accounts because it is used for multiple services and once you get a hold of it you  can access all those services configured for a specific user account," he says.

This new attack method shows that attackers are figuring out how to take advantage of the trust inherent in our relations with SaaS services. While employees are generally trained to look for strange language or attachments indicative of email phishing attacks, cloud application phishing attacks may not throw up red flags.

"Phishing attacks on cloud services can be designed to appear exactly like the service itself. This is in contrast to email where an attacker would not have easy access to the typical language used in company email," Sood said, explaining that a site served up over HTTPS further lends credibility to the phishing site. "Such attacks can even follow the flow of a typical cloud-app use-case. In this case study, the user was presented with a PDF document."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jamieinmontreal
50%
50%
jamieinmontreal,
User Rank: Strategist
8/3/2015 | 11:34:25 AM
Single Sign On Vs Password Synchronization
The old Maxim says "Necessity is the mother of invention", I would add that "convenience is the father".   This is another area where we see the "need" being over-ridden by the "convenience"; the need for password security on everything (legitimate) has been trumped by the convenience of not having to type a few extra characters when logging in.   SSO is a vault of passwords masked by an authentication method and some scripts / APIs to apps, nothing wrong with it until someone figures out how to get in to your vault and take the passwords.

So what's the difference between the vault and the synchronized password?  Surely only one password is more of a risk than several (even if they are all placed in a handy vault for the bad guy to get a hold of)?

First of all the level of complexity for that one password can be higher because now your user has only one password to remember.

Secondly remediation when the password is revealed or hacked is SO much easier with a synchronized password - you simply change one password to clean all systems connected to your Password Manager.   

Compare that with the SSO world where users have multiple passwords they then have to change inside the SSO setup in order to restore the security of their password access.

Finally - no matter what method you choose, stale access rights are the next thing on your agenda as you try and strengthen your defences - users won't tell you what they DON'T need, nor will application owners tell you who should no longer have access.   

Neccessity is the mother of invention, convenience is the father.
LanceCottrell
50%
50%
LanceCottrell,
User Rank: Author
7/28/2015 | 5:42:14 PM
User training will never be enough
Great post, thanks! This attack shows once again that even sophisticated users will fall for phishing attacks. As security experts we need to give up on the idea that we can train our way out of this. While training is useful we need to create our tools under the assumption that user's will do nothing to contribute to their own protection.
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
What Israel's Elite Defense Force Unit 8200 Can Teach Security about Diversity
Lital Asher-Dotan, Senior Director, Security Research and Content, Cybereason,  5/21/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3018
PUBLISHED: 2018-05-24
The AXIS webapp in deploy-tomcat/axis in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through 7.2.1.4 allows remote attackers to obtain sensitive configuration information via a direct request, as demonstrated by happyaxis.jsp. IBM X-Force ID: 84354.
CVE-2013-3023
PUBLISHED: 2018-05-24
IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through 7.2.1.4 might allow remote attackers to obtain sensitive information about Tomcat credentials by sniffing the network for a session in which HTTP is used. IBM X-Force ID: 84361.
CVE-2013-3024
PUBLISHED: 2018-05-24
IBM WebSphere Application Server (WAS) 8.5 through 8.5.0.2 on UNIX allows local users to gain privileges by leveraging improper process initialization. IBM X-Force ID: 84362.
CVE-2018-5674
PUBLISHED: 2018-05-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader before 9.1 and PhantomPDF before 9.1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw...
CVE-2018-5675
PUBLISHED: 2018-05-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader before 9.1 and PhantomPDF before 9.1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw...