Security researchers are warning about a new phishing campaign that exploits Google Docs. The campaign sends specially crafted links that steal victims’ credentials.
A new campaign that exploited Googles hosted document service was discovered by researchers at email and collaboration security firm Avanan. The exploit lets attackers send emails with malicious links, according to a report published Thursday by Jeremy Fuchs, marketing content manager for Avanan.
Previously, Avanan have seen attackers use the same attack vector in smaller services such as MailGun, FlipSnack, and Movable Ink. But this is the first time attackers use this type of exploit in Google’s hosted document service.
The attack begins with an email that asks users to click a link that opens a page familiar to anyone using Google Docs, Fuchs said. In fact, it’s a phishing website, which steals the victim’s credentials using another web page that looks like the Google Login portal but hosted from an attackers’ URL.
“This, however, isn’t that page,” he wrote. “It’s a custom HTML page made to look like that familiar Google Docs share page.”
The trick to creating an attack vector is to use Google Docs, so that all the heavy lifting is done by Google Docs, which is very simple to do, according to Fuchs. An attacker would create a web page that looks like a Google Docs sharing page and upload that HTML file to Google Drive. After scanning the file, Google would then render the HTML and show a preview of the page. An attacker can then right-click on the file and open it in Google’s Docs to get embed codes used to later share the page to victims:
“This is the clever bit because if you simply click ‘Get link’ you would only see the source code of the file, not the rendered version,” he wrote. By abusing Google Docs, attackers can successfully create a preview of the the page rather than deliver a page with just source code to a potential victim, which would not work.
One more step is needed so that victims can see the page. This step can be done by clicking the Publish to Web button in the Google Docs menu. Google will provide embed tags that attackers can use—sans the iframe tags—to save the malicious link intended to be sent via the phishing campaign.
“This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website,” Fuchs explained.
Researchers say by hosting attacks on Google Docs, attackers can easily exploit the security weaknesses of link scanners and evade detection by common security tools.