New form-based attacks use Google-branded sites to steal logins


A new type of brand impersonation attack is disproportionately using Google-branded sites to trick victims into sharing login credentials, according to new research from Barracuda, a provider of cloud-enabled security solutions.

Barracuda detected nearly 100,000 cases of this style of attack in the first four months of 2020; form-based attacks made up 4% of all spear-phishing attacks during the period, a share researchers expect to climb as cybercriminals see success in harvesting credentials this way.

As a key financial hub for the Asia-Pacific region, with fast connectivity and a thriving business community, Singapore is an attractive target for cybercriminals looking to exploit any vulnerability in order to make a fast buck.

The form-based attacks are a new kind of brand impersonation attack, which sees scammers leveraging productivity sites like docs.google.com or sway.office.com to convince victims to hand over their credentials.

In these attacks, unsuspecting users receive an email that appears to have been generated automatically by a file sharing site like OneDrive, and are taken to a phishing site via a link hosted on a legitimate file sharing site, which makes these attacks particularly hard to detect.

Attackers also create online forms using legitimate services like forms.office.com that resemble the login page of a legitimate service; the link to the form is then included in phishing emails to harvest login details.
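The detection problem described above is that the link itself points at a legitimate host, so a blocklist of malicious URLs never fires. The following added example (not Barracuda's code, and not part of the original article) shows a small triage routine that a mail-security team could run on inbound messages: it extracts every link, flags links whose host is one of the form and file-sharing services named in the article, and records whether the sender's domain bears any relation to the linked brand. The sample message and the `mail-notify.example` sender domain are constructed; the host watchlist is taken from the services the article names.

```python
"""Triage helper: flag e-mail links that point at legitimate form/file-sharing
hosts, which URL-blocklist scanning will not catch.

Added example, not Barracuda's code. The host watchlist lists the services
named in the article; the sample message below is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts the article names as abused for form-based credential phishing.
FORM_HOSTS = {
    "docs.google.com",
    "drive.google.com",
    "storage.googleapis.com",
    "storage.cloud.google.com",
    "forms.office.com",
    "sway.office.com",
    "onedrive.live.com",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: a "share notification" whose link lands on a form host
# while the sender domain has nothing to do with the impersonated brand.
SAMPLE_EMAIL = """\
From: "OneDrive" <share@mail-notify.example>
To: victim@example.com
Subject: A document was shared with you
Content-Type: text/plain; charset=utf-8

Someone shared "Q2 invoice.pdf" with you.
Open: https://forms.office.com/Pages/ResponsePage.aspx?id=CONSTRUCTED
Unsubscribe: https://mail-notify.example/unsubscribe
"""


def extract_urls(raw_message: str) -> list:
    """Return every http(s) URL found in the text/plain and text/html parts."""
    msg = message_from_string(raw_message)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def triage(raw_message: str) -> list:
    """Flag links whose host is a known form/file-sharing service.

    Each finding records the link, its host, the sender's domain and a
    heuristic flag: whether the sender domain ends with the link's
    registrable domain (e.g. google.com). A legitimate Google share usually
    comes from a Google domain; a mismatch is the 'looks auto-generated by
    OneDrive but came from elsewhere' pattern the article describes.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    findings = []
    for url in extract_urls(raw_message):
        host = (urlparse(url).hostname or "").lower()
        if host not in FORM_HOSTS:
            continue
        # Crude registrable-domain approximation: last two labels of the host.
        link_brand = ".".join(host.split(".")[-2:])
        findings.append({
            "url": url,
            "host": host,
            "sender_domain": sender_domain,
            "sender_matches_link_brand": sender_domain.endswith(link_brand),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

A finding here is a signal for further review (sandboxing the linked form, checking the sender's authentication results), not a verdict: the same hosts carry large volumes of legitimate shares, which is exactly why attackers use them.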

In one particularly tricky variant of these attacks, hackers can get access to their victims’ accounts without stealing their credentials. The phishing email contains a link to what looks like an authentic login page, which in turn carries a request for an access token for an app. After login credentials are entered, the victim is presented with a list of app permissions to accept. By accepting these permissions, the victim is not giving up a password to the attackers, but rather grants the attacker’s app an access token that lets it use the victim’s own authorisation to access the account.

Attacks like these are likely to go unnoticed by users for a long time, as the user used their credentials on a legitimate website. Even two-factor authentication will do nothing to keep attackers out because their malicious app was approved by the user to access accounts.
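Because the consent variant never captures a password and is not stopped by two-factor authentication, the place to detect it is the consent event itself in the identity provider's audit log. The added example below (my illustration, not from the article) reads a few constructed consent-grant events, skips applications the organisation has already reviewed, and flags grants to unreviewed apps that request mailbox or file scopes. The event shape (`action`, `user`, `app_id`, `app_name`, `scopes`) is a simplified constructed format rather than any vendor's exact schema, and the allowlisted app id is a placeholder; the scope names follow Microsoft Graph naming as an illustration.

```python
"""Detect the consent-grant phishing variant from audit events.

Added example, not from the article. The JSON lines below are constructed
and use a simplified event shape; map the field names to whatever your
identity provider actually exports.
"""
import json

# Applications the organisation has reviewed and approved (constructed ids).
APPROVED_APP_IDS = {"app-approved-0001"}

# Scopes that give an app ongoing read or write access to mail and files.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
}

# Constructed sample audit lines: one approved app, one unknown app with
# mailbox access plus a refresh token, one unknown app with a harmless scope.
SAMPLE_EVENTS = """\
{"ts": "2020-04-02T09:12:00Z", "action": "consent_granted", "user": "a.lee@example.com", "app_id": "app-approved-0001", "app_name": "HR Portal", "scopes": ["User.Read", "Mail.Read"]}
{"ts": "2020-04-02T09:40:17Z", "action": "consent_granted", "user": "b.tan@example.com", "app_id": "app-unknown-7f3a", "app_name": "Document Viewer", "scopes": ["User.Read", "Mail.Read", "offline_access"]}
{"ts": "2020-04-02T10:05:44Z", "action": "consent_granted", "user": "c.ng@example.com", "app_id": "app-unknown-91c0", "app_name": "Calendar Sync", "scopes": ["User.Read"]}
{"ts": "2020-04-02T10:06:00Z", "action": "sign_in", "user": "c.ng@example.com", "app_id": "app-unknown-91c0"}
not json at all
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON, silently dropping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
    return events


def find_suspicious_consents(text: str) -> list:
    """Return consent grants to unreviewed apps that request risky scopes.

    The signal is the consent event, not the sign-in: the victim authenticated
    legitimately (MFA included), so only the grant reveals the compromise.
    """
    findings = []
    for ev in parse_events(text):
        if ev.get("action") != "consent_granted":
            continue
        if ev.get("app_id") in APPROVED_APP_IDS:
            continue
        scopes = set(ev.get("scopes", []))
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if not risky:
            continue
        findings.append({
            "user": ev.get("user"),
            "app_id": ev.get("app_id"),
            "app_name": ev.get("app_name"),
            "risky_scopes": risky,
            # offline_access yields a refresh token, so access persists after
            # the user's session ends and a password change alone won't end it.
            "persistent": "offline_access" in scopes,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_consents(SAMPLE_EVENTS):
        print(f)
```

Response to a hit is to revoke the app's grant (and its refresh tokens) for the affected user, not merely to reset the password, since the token, not the password, is what the attacker holds.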

Of the nearly 100,000 form-based attacks Barracuda detected between January 1, 2020, and April 30, 2020, Google file sharing and storage websites were used in 65% of attacks. This includes storage.googleapis.com (25%), docs.google.com (23%), storage.cloud.google.com (13%), and drive.google.com (4%).

In comparison, Microsoft brands were targeted in 13% of attacks: onedrive.live.com (6%), sway.office.com (4%), and forms.office.com (3%). The other sites used in impersonation attacks include sendgrid.net (10%), mailchimp.com (4%), and formcrafts.com (2%). All other sites made up 6% of form-based attacks.

Cybercriminals continue adjusting their tactics to bypass email gateways and spam filters. Instead of relying solely on looking for malicious links or attachments, an API-based inbox defence that uses artificial intelligence to detect and block attacks, combined with multi-factor authentication (MFA) such as an authentication code, thumbprint, or retinal scan, gives you the best chance of staying protected.

And as with all attacks, your people are your first line of defence, so providing regular security-awareness training, including phishing simulation, to educate users about email attacks such as form-based attacks will help them to recognise and report cyberattacks while giving you more peace of mind that your business and its data are in safe hands.
