A wave of phishing attacks has been generated within Google’s cloud-based word processing solution (Google Docs) and its “Comments” feature. Attackers use the commenting feature to send malicious links to anyone’s email inbox. Worse, the comment can appear to come from anyone the attacker chooses. In other words, an attacker can send you a malicious link that appears to come from your best friend, and nothing stops that email from landing in your inbox under your best friend’s name. According to online reports, hackers have hit thousands of inboxes by exploiting this Google Docs feature. This is a gold mine for hackers.
Hackers target Google Docs users by adding a comment to a document that mentions the targeted user with an “@,” which automatically sends an email to that person’s inbox. That email, which comes from Google, includes text as well as potentially malicious links. What makes this attack so dangerous is that Google and Outlook normally filter out malicious links in incoming email. In these comment-based attacks, however, the phishing emails bypass those email security checkpoints because they come from a trusted source: Google.
Side note: Security researchers reported the same outcome when attempting to exploit Google Slides, the suite’s presentation app.
As shown in the test email CyberHoot created (pictured below), it’s difficult to run through your proper phishing checklist when receiving one of these malicious emails: the sender’s email address isn’t shown, only the attacker’s chosen name, which allows bad actors to impersonate legitimate entities and target victims. For example, a hacker can create a free Gmail account such as Johnny.Hacker@gmail.com, create their own Google Doc, add a comment, and send whatever they like to the intended target.
The malicious intent of the comment is difficult to catch because the end-user has no way to tell whether it came from Johnny.Hacker@gmail.com or Johnny.Hacker@company.com. The email will just say ‘Johnny Hacker’ mentioned you in a comment in the following document. If ‘Johnny Hacker’ is a coworker, it will appear legitimate. The email contains the full comment, along with its links and text, so the victim never has to open the document: the payload is in the email itself.
All it takes is the attackers setting up a fake Google login landing page, so when the end-user clicks the link, they will be prompted to enter their credentials on the ‘Google’ credential-harvesting site, sending everything to the hackers.
CyberHoot recommends that users always cross-reference the email address in the comment to ensure it’s legitimate before clicking on a Google Docs comment. Users can open the Google Document, and hover their mouse over the commenter’s name to see the full email address with their full name.
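Because the notification email never shows the commenter’s address, a mail gateway or SOC triage script has only two signals to work with: the links in the comment body and the display name in the subject. The following is an added example (not CyberHoot’s code or Google’s) that scores a Google Docs comment notification on those two signals; the notification sample, the sender address comments-noreply@docs.google.com, the coworker directory and the allowed Google hosts are all constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Assumption: hosts a genuine Google Docs comment notification links to on its own.
GOOGLE_HOSTS = {"docs.google.com", "drive.google.com", "accounts.google.com"}

# Constructed sample notification modelled on the article's scenario: the
# display name "Johnny Hacker" is shown, the commenter's real address is not.
SAMPLE_NOTIFICATION = """\
From: "Johnny Hacker (Google Docs)" <comments-noreply@docs.google.com>
To: victim@company.example
Subject: Johnny Hacker mentioned you in a comment in the following document

Johnny Hacker mentioned you in "Q4 Budget":
@victim@company.example please review the updated figures here:
https://google-docs-login.example.net/auth
Open: https://docs.google.com/document/d/EXAMPLEDOCID/edit
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(body: str) -> list[str]:
    """Return every http(s) URL found in the comment text."""
    return URL_RE.findall(body)


def triage_comment_notification(raw: str, coworker_names: set[str]) -> dict:
    """Score one notification. 'block' when a link leaves Google and the
    display name matches a coworker (the impersonation case the article
    describes), 'review' for any other external link, else 'allow'."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = extract_links(body)
    external = [u for u in links if urlparse(u).hostname not in GOOGLE_HOSTS]
    # Google's subject line reads "<Name> mentioned you in a comment ..."
    m = re.match(r"(.+?) mentioned you", msg["Subject"] or "")
    name = m.group(1).strip() if m else ""
    impersonates = name in coworker_names
    verdict = "block" if external and impersonates else ("review" if external else "allow")
    return {"name": name, "external_links": external,
            "matches_coworker": impersonates, "verdict": verdict}
```

Feeding the constructed sample with a directory containing “Johnny Hacker” yields a block verdict; the same message with an empty directory is only flagged for review, since the external link alone cannot prove impersonation.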
CyberHoot also recommends that end-users always follow best practices when dealing with potential phishing emails, such as watching out for:
Additionally, the recommendations below will help you and your business stay secure against the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.
All of these recommendations are built into CyberHoot the product or CyberHoot’s vCISO Services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.
Sources:
Additional Reading:
Researchers Discover Google Docs Comment Exploit
Hackers Exploiting Flaws in Google Docs’ Comments Feature