Skip to main content

Scammers Abuse Google Drive to Send Malicious Links


Cybercriminals are sending malicious links to hundreds of thousands of users via Google Drive notifications.

Scammers are leveraging a legitimate Google Drive collaboration feature to trick users into clicking on malicious links.

According to reports,, the recent attack stems from Google Drive’s legitimate collaboration feature, which allows users to create push notifications or emails that invite people to share a Google doc. Attackers are abusing this feature to send mobile users Google Drive notifications that invite them to collaborate on documents, which then contain malicious links.

Because they are sent via Google Drive, the notifications come from Google’s no-reply email address, making them appear more legitimate. Other iterations of the attack are sent via email (instead of by notification) and include the malicious link right in the email.

Interesting TTP utilising Google Sheets, ultimately ending up with generic prize scams,” said a cybersecurity expert who goes by Jake (or @JCyberSec) on Twitter. “Google sheets slide was shared with an email address causing a pop-up notification on mobile.”

Interesting TTP utilising Google Sheets, ultimately ending up with generic prize scams🎁
Google sheets slide was shared with an email address causing a pop-up notification on mobile.
Link leads to 🌐https://clck[.ru/RWen6 pic.twitter.com/RZPQNxuV0Y
- Jake (@JCyberSec_) October 21, 2020


The attack is targeting hundreds of thousands of Google users, according to WIRED. The report said that the notifications are being sent in Russian or broken English.

The Google Drive notifications come with various lures. Many purport to be “personal notifications” from Google Drive, with one lure entitled “Personal Notification No 8482” telling the victim they haven’t signed into their account in awhile. These threaten that the account will be deleted in 24 hours unless they sign in via a (malicious) link. Another, entitled “Personal Notification No 0684,” tells users they have an “important notice” of a financial transaction that they can view on their personal account, via a link.

One purports to be a run-of-the-mill prize scam that pretends to be part of a “Chrome Search contest 2020” and tells victims that they are the 5-billionth search and have won a prize.

These links take victims to malicious scam websites. WIRED reported that one such website flooded users with notifications to click on links for “prize draws,” while other websites requested that victims click on links to “check their bank account.”

Targeted users took to Twitter to warn of the scams, with one Twitter user saying that the only red flag of the scam was that he wasn’t expecting a shared doc.

I’ve received a few of these emails in the last two weeks. It’s a serious breach because the Google Drive/Docs notifications actually come from Google’s no-reply email address.
I knew the notifications were scams because I wasn’t expecting any shared doc. Be careful guys. https://t.co/qKppMASZcg
- Abubakar Idris (@IAtalkspace) November 1, 2020


A Google spokesperson told WIRED that the company is working on new security measures for detecting Google Drive spam. Threatpost has reached out to Google for further comment.

With the prevalence of working from home due to the coronavirus pandemic, attackers are increasingly leveraging collaboration and remote-work tools, including Google offerings. In May, researchers warned of a series of phishing campaigns using Google Firebase storage URLs. These used the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways. Meanwhile, researchers in October warned of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack stole Office 365 recipients’ login credentials.

“This scam wave highlights the need for users to be on the lookout for email-borne attacks,” according to Tripwire researchers. “Organizations can help their users in this regard by educating them about some of the most common types of phishing attacks that are in circulation today.”

Originally published at https://threatpost.com on November 2, 2020.


Comments

Popular posts from this blog

Ransomware's Dangerous New Trick Is Double-Encrypting Your Data

  Ransomware groups have always taken a more-is-more approach . If a victim pays a ransom and then goes back to business as usual-hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay up. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time. Double-encryption attacks have happened before, usually stemming from two separate ransomware gangs compromising the same victim at the same time. But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other. “The groups are constantly trying to work out which strategies are best , which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not act...

Babuk ransomware is back, uses new version on corporate networks

  After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. The criminals are currently using a new version of their file-encrypting malware and have moved the operation to a new leak site that lists a handful of victims. Gang’s still in the game The Babuk ransomware group became known at the beginning of the year but the gang says that their attacks had started in mid-October 2020, targeting companies across the world and demanding ransoms typically between $60,000 and $85,000 in bitcoin cryptocurrency. In some cases, victims were asked hundreds of thousands for data decryption. One of their most publicized victims is the Washinton DC’s Metropolitan Police Department (MPD). This attack likely pushed the threat actor into announcing its retirement from the ransomware business only to adopt another extortion model that did not include encryption....

Microsoft Teams Phishing Attack Targets Office 365 Users

  Up to 50,000 Office 365 users are being targeted by a phishing campaign that purports to notify them of a “missed chat” from Microsoft Teams. Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials. Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic  — making it an attractive brand for attackers to impersonate. This particular campaign was sent to between 15,000 to 50,000 Office 365 users, according to researchers with Abnormal Security on Thursday. “Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis . The initial phishing email displays the name ...