720-891-1663

Return to the list of client alerts

New Phishing Scam Uses Legit Google Invites to Snare Victims

For several years Microsoft’s Office 365 has been the delivery method of choice for hackers to try and lure you in. In large part, this was because there are like 200 million plus office 365 users.

But, of course, since the hackers got too piggy, Microsoft figured out how to slow them down, which ticked them off.

So, they decided to see if Google had their act together and it turns out that there is a bit of a hole. It is not really Google’s fault because they are using something that is legit, but it is still Google’s problem.

Here is what they are doing and I actually got one of these today. They can be really good.

The hacker creates a Google shared drive and invites you to the drive using some pretense that sounds reasonable. Google allows you to create fancy emails as part of your invite. For example, in my case, they sent me an invite that said that 53% of potentially sensitive files in our Google G Suite Business account were shared outside my organization. It has a bunch of words after that, but the kicker is that at the end there is a link that says view report. So far, actually, no problem.

You click on the link and it takes you to a Google signin page. No, it is not a spoofed sign in page, it is a legitimate one because they are sharing a Google drive. You will only get that if you are not logged into the target Google account. Still no problem.

So then Google will display a document. Might be a spreadsheet or a document or even a presentation. Still no malware.

But in that document is a link to click and that is where the malware comes in. Both Google and Microsoft have been challenged as to how to protect you from that because the link is executed inside your browser and outside their world and it might redirect you a bunch of times to mask what they are doing.

The initial email is not stopped because it is legitimately coming from Google. For more details, here is a Wired article on the attack, but to be honest, the attack is simple – don’t click on stuff. Hard to get people not to do that though.

It appears that the hackers are sending these out by the boatload with different subjects and different documents and different Google accounts. No one common theme.

That one had a G-Suite theme because I have a G-Suite account, but there are other themes that do not assume you are a Google customer. Basically, an unlimited universe of possibilities.

Consider yourself warned.