Attackers are using a new technique to exploit Google Docs for phishing attacks. The attackers are taking advantage of the fact that Google Docs automatically renders HTML code, so a Google doc can act as a landing page to direct the user to the real phishing page. The researchers describe one example in which the doc appeared to be a file share page.
"This Google Docs page may look familiar to those who share Google Docs outside of their organization. This, however, isn't that page. It's a custom HTML page made to look like that familiar Google Docs share page.
"The attacker wants the victim to 'Click here to download the document' and once the victim clicks on that link, they will be redirected to the actual malicious phishing website where their credentials will be stolen through another webpage made to look like the Google login portal."
The researchers describe another attack in which the Google doc itself acted as a phishing page. This doc appeared to be a DocuSign login page. The login form contained an embedded listener that would send the user's password to the attacker.
The links are distributed via phishing emails. Since the emails only contain a link to a Google doc and not a website, they're more likely to evade detection by security filters. More attackers will likely adopt this technique in the future.
"Hackers are bypassing static link scanners by hosting their attacks in publicly known services," the researchers write. "We have seen this in the past with small services like MailGun, FlipSnack, and Movable Ink, but this is the first time we're seeing it through a major service like Google Drive/Docs."
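The filtering gap described above, as an added example that is not from the original article or the researchers: a scanner that judges links by domain reputation alone delivers a message that links to a Google doc, while one that treats user-content hosts as unvetted holds it for inspection. The host set, blocklist entry, verdict names and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts that serve user-authored content under a trusted domain.
# Only Google Docs/Drive are listed because they are the services named above.
USER_CONTENT_HOSTS = {"docs.google.com", "drive.google.com"}
# Constructed stand-in for a reputation feed of known-bad domains.
BLOCKLIST = {"known-bad.example"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def extract_hosts(html_body):
    """Return the lowercase hostname of every http(s) link in an HTML body."""
    hosts = []
    for url in HREF_RE.findall(html_body):
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.append(parts.hostname.lower())
    return hosts

def static_verdict(html_body):
    """Naive scanner: block only when a linked domain is on the blocklist."""
    hosts = extract_hosts(html_body)
    return "block" if any(h in BLOCKLIST for h in hosts) else "deliver"

def hosted_content_verdict(html_body):
    """Same check, but a link to a user-content host is never treated as clean:
    the domain's reputation says nothing about the document behind it."""
    hosts = extract_hosts(html_body)
    if any(h in BLOCKLIST for h in hosts):
        return "block"
    if any(h in USER_CONTENT_HOSTS for h in hosts):
        return "inspect"  # hold the message so the linked doc can be reviewed
    return "deliver"

# Constructed sample messages; the document id is a placeholder.
DOC_LINK_MAIL = ('<p>A file was shared with you. '
                 '<a href="https://docs.google.com/document/d/PLACEHOLDER_ID">Open</a></p>')
DIRECT_LINK_MAIL = '<p>Verify: <a href="http://known-bad.example/login">Sign in</a></p>'
NEWSLETTER_MAIL = '<p>Read more at <a href="https://www.example.org/news">our site</a></p>'

if __name__ == "__main__":
    for name, body in [("doc link", DOC_LINK_MAIL), ("direct link", DIRECT_LINK_MAIL),
                       ("newsletter", NEWSLETTER_MAIL)]:
        print(name, static_verdict(body), hosted_content_verdict(body))
```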
Hackers are constantly evolving their tactics to slip past technical defenses. At Right-Click we stay up to date on the current hacking trends to know how to best keep your computers safe!