Attackers Fooled Google Spam Engine With Phishing Emails That Lured Victims to Google Drive-Hosted Malicious Web Pages Used to Steal Users’ Credentials
Elastica (www.elastica.net), the leader in Data Science Powered™ Cloud Application Security, released findings around a new Google Drive-based advanced phishing campaign initiated by unknown attackers. The attackers used JavaScript code obfuscation and compromised websites in order to steal end-user account credentials using Google services.
According to Elastica researchers, the attackers deployed a JavaScript encoding mechanism to obfuscate Web page code that could not be easily read. Attackers were able to reach a wider network of end users by exploiting a widely used and highly trusted enterprise tool such as Google Drive to host malicious Web pages, where attack victims were directed. In this case, the attackers used Gmail to distribute emails containing links to unauthorized Web pages hosted on Google Drive, and then stored stolen credentials through a third-party domain.
Though researchers are uncertain whether the Gmail account was compromised or if attackers created a false account, the phishing emails were delivered successfully and undetected by Google’s built-in spam engine. This is most likely because the emails were sent from what appeared to be an authentic Google account and the embedded link pointed to “googledrive.com.”
When Elastica reported it to Google two weeks prior to this announcement, all the components in this phishing attack were working. Though the phishing Web pages have been reported to Google, they are currently still active and have not yet been removed.
“In this particular incident, attackers were able to circumvent tight security controls and target Google users specifically to gain access to a multitude of services associated with Google accounts,” said Dr. Aditya K Sood, architect of Elastica Cloud Threat Labs. “While the cloud offers unprecedented benefits to its users, it is challenging the traditional security model and necessitating a modern, flexible security stack designed to provide protection in a perimeterless world.”
Because the phishing Web pages are hosted on Google Drive, standard blacklisting using IP addresses and URLs is ineffective. Traditional intrusion detection and prevention systems cannot provide defense in these types of scenarios either. Credentials stolen in these attacks can be used by attackers themselves or sold on the digital black market to buyers who then use them for malicious purposes.
“Security and risk professionals are quickly learning that legacy security solutions are no longer effective for cloud applications,” said Rehan Jalil, CEO, Elastica. “Elastica applies machine learning for user behavior modeling that can detect malicious activities inside cloud applications and can thwart cloud access breaches.”
Major enterprises, including Fortune 50 companies, rely on Elastica CloudSOC to ensure safe and secure use of their enterprise SaaS and cloud applications.
About Elastica
Elastica is the leader in Data Science Powered™ Cloud Application Security. Its CloudSOC™ platform empowers companies to confidently leverage cloud applications and services while staying safe, secure and compliant. A range of Elastica Security Apps deployed on the extensible CloudSOC™ platform deliver the full life cycle of cloud application security, including auditing of shadow IT, real-time detection of intrusions and threats, protection against intrusions and compliance violations, and investigation of historical account activity for post-incident analysis. Elastica is venture-backed by the Mayfield Fund, Pelion Ventures, Third Point Ventures and is headquartered in San Jose, CA.
