Check Point Email Security | Blog

Attack Report: Google Redirect

Written by Michael Landewe | February 21, 2017

Avanan recently received this email from the CISO of DEFENSCON, a think tank that works with some of the most sensitive government organizations and private defense contractors. (We have changed the actual company and user names to protect their identities.)

In short, someone had compromised the email account of one of their employees, Jack Percell, and sent a phishing email to every single one of his contacts—contacts within the deepest corners of U.S. government and defense organizations.

What Made This Attack Interesting

This attack looks like thousands of similar phishing attacks and this blog post describes how it appeared from the victim’s point of view.

What makes it interesting is the fact that everything user sees is rendered within the browser using obfuscated functions that transfer no html. Inline proxies, URL filters, reputation filters, phishing detectors all miss this attack. Obfuscated over 6 layers deep, it demonstrates a sophistication beyond what you see here.  You can download the technical analysis here.   

What the Attack Looked Like from the Victim’s Point of View 

The phishing email itself was deceptively simple—a blind carbon copy (BCC) email to every one of the email account holder’s contacts. In this attack, the criminals did not compile their own list, but identified an individual that would have potential victims in their address book.

Because this think tank worked almost exclusively with both government departments and defense contractors, the likely goal of this attack was to compromise a beachhead account within any one of these organizations. In fact, we might assume that the sender of these emails was not the originator of the attack, but a few degrees of separation from the originator, most likely the compromised account of a trusted colleague or partner. We will learn more about the ultimate aim of the attack when analyzing the last two steps in the chain.

This email looked like any other normal email: it was sent from a legitimate account to people who had received multiple emails before. While we are normally wary of BCC emails sent to a list of undisclosed recipients, there was nothing in the header or otherwise to distinguish it as suspicious.

Upon inspection, the message was similar to ones that we’ve found the most effective at fooling people into opening a malicious attachment:

  • Short: not enough detail to identify suspicious dialects, spelling, or spam-like phrases
  • Urgent: increases open rates
  • Complete: with the user’s signature, in this case, one we knew and recognized
  • Trusted: with the “scanned by Norton” assurance
  • Contextual: the Google Doc image makes sense, given what happens next

 

The reason for sending email from a compromised account is to bypass the spam and phishing filters that have become more adept at stopping email from unknown accounts and spoofed servers. Every single recipient in this attack had received multiple messages from this sender and a quick look into both the headers and our own filters revealed that the message was signed, authenticated, and deemed “neutral” by each of the each of the SMTP servers in its path.

While a BCC message to “undisclosed recipients” might be a red flag to some systems, this was a well-known and previously trusted sender.

Deceive and Click

The start of the attack chain is the image itself, cleverly disguised as a Google Doc attachment. When the recipient mouses over the Google Doc version of the shared PDF file, it points to https://goo.gl/6g6sp8, an HTTPS link to a trusted Google URL shortener used for Google documents. Because Google’s own URL shortener is used legitimately by millions every day, recipients are conned into trusting this is a legitimate file, and more likely to click on it. We have found that each attack wave uses a new URL, so blocking one cannot block the next.

Surrender and Attack

Once recipients clicked on the “Google Doc,” they were presented this screen, which looks like a normal Google login screen. 

This screen is not a surprise to anyone who has ever used Google. In fact, the next few screens duplicate the standard Google login process. They include a number of sophisticated form libraries that check for a valid email address and spread the login process over multiple screens, just like Google:

The scam even has the temerity to inform you that the password you entered was wrong and requests your phone number and recovery email at the end:

We have all rushed at entering information and gotten it wrong, so there is nothing suspicious about “Google” letting us know it needs more information to validate the account. The problem is, it’s not Google, and users haven’t figured that out yet at this point in the process.


If the user fills in a phone number and clicks continue, they are redirected to a 356-page PDF from the World Bank. This is a perfectly innocuous file, free of malware, but no doubt confusing to the recipient.

Download the Full White Paper of This Attack

For a comprehensive look at this attack, and how to prevent it, download the PDF white paper entitled, Sophisticated Phishing Attack Wreaks Havoc: What You Can Do to Avoid Being Compromised. Click the button below to get your copy today.