Using the comment feature in Google Docs represents another instance in the evolution of BEC 3.0. Utilizing legitimate sites makes it easy for hackers to end up in the inbox.
And since the sites are the same sites that end-users interact with every day, it won’t raise any of their anti-phishing antennae.
And typical security checks don’t work. You can’t block Google, nor should you. Hackers are leveraging this legitimacy to send illegitimate messages and links.
In this attack brief, Harmony email researchers will show another example of how hackers are utilizing Google’s legitimate services to share illegitimate links.
Attack
In this attack, hackers are utilizing Google pages to send links to fake cryptocurrency sites.
Email Example
This attack starts like many others we’ve written about. All the hacker has to do is create a Google document. From there, the hacker shares the document with the end-user. Like sharing all Google docs, it’s done via email. Google sends the email directly; it comes from a no-reply@google.com address. When the user clicks on the link, they will be redirected to the below Google doc.
This is a legitimate Google Docs page. It’s supposed to be a OneDrive knockoff page, although having it built on Google sort of defeats the purpose.
Regardless, the link that is put on the Google page is where the attack gets you.
That link once again is redirected to a fake crypto currency page, which has been taken down.
Techniques
Business Email Compromise is in the midst of an evolution.
It started with a simple email that spoofs a CEO or another executive. That email type still happens, but it’s starting to get more recognition from end-users–all they have to do is look at the discrepancy in the sender address–and from email security systems.
The next evolution was the partner compromise. You might see this referred to as a supply chain attack or a vendor compromise. They all refer to one of two things: an email that comes from a spoofed partner, or an email that comes from a compromised partner. The latter is a lot more difficult to stop, and probably represents the dominant strain within BEC.
What we’re talking about is where hackers are going next. Hackers never stay on one technique for too long. Sure, they throw the kitchen sink at an organization, but they are always evolving tactics, particularly as email security solutions have spent a lot of money–marketing and otherwise–on BEC.
What they are moving to is what we’re calling BEC 3.0. A perfect example of this is illustrated above. It takes away a lot of the uncertainty that BEC gives to hackers. A successful BEC is not as simple as the attacks of yesterday. With no link or malicious download, you are hoping that an end-user replies, engages and eventually hands over money. It’s not one-and-one. It requires a lot of time and energy. The payoff can be big. But you have to get to the payoff.
BEC 3.0 takes away some of that uncertainty. It requires the best of standard link or attachment-based phishing, with the social engineering that can make BEC so successful. It leverages something we all trust–Google— and processes we all trust–getting a shared document from Google Docs. There is nothing inherently wrong with this. And, as a reminder, there’s nothing wrong with Google here. It’s taking advantage of how email protocols work.
Security professionals have a dilemma. You can’t block Google. Workers will revolt. (Even this briefing was written on Google Docs.) What you can do is change how you evaluate all webpages, not just Google. That requires looking past NLP and actually emulating webpages behind the link. Integrating with browser security can be helpful here, too.
But as hackers shift, so must security professionals, and this shift is starting to happen right now.
Check Point informed Google of this research on July 5th via email.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following: