Cyber criminals are turning their attention to cloud-based services to steal credentials as the use of cloud-based documents becomes increasingly popular, say researchers at security firm Proofpoint.
Stealing credentials from Google Apps in phishing campaigns is among the most common email-borne threats Proofpoint currently detects.
Organisations that have adopted Google Apps for regular internal use are particularly susceptible to this threat, the researchers said in a blog post.
In one recent attack, cyber criminals used a very realistic Google Docs shared-document landing page that differed from the authentic page only in that it was delivered over the standard hypertext transfer protocol (HTTP) rather than the secure version of the protocol (HTTPS).
Anyone who fails to notice this warning sign and clicks the document download button is presented with a realistic-looking Google login page.
Hackers cast nets wide
In addition to Gmail, the fake login page supports logins for other webmail services such as Yahoo, Hotmail and AOL.
Proofpoint researchers said this enables the attackers to extend their reach by accepting a wider range of credentials.
While phishing attacks normally drop the pretence after the victim has submitted their credentials, in this case, an actual document is displayed after the login process.
This technique reduces the risk that a user will realise right away that something is amiss, giving the attackers more time to make use of the stolen credentials, the researchers said.
Another advantage of launching credential phishing campaigns from compromised Google accounts is that a relatively minor effort delivers highly believable, targeted phish due to the ability to copy the victim’s contacts list and use it for subsequent phishing campaigns.
Hackers target finance sector through hospitality phishing
The researchers found a similar attack technique that uses a fake Dropbox document to capture credentials for the cloud-based document-sharing service.
Like the Google Apps credential phish, the login page shown to the recipient is perfectly credible.
One particular cloud-document phishing campaign using this technique initially targeted organisations in the advertising and hospitality sectors, and then used these to target businesses in the financial sector.
Underscoring the relative value of this technique, the researchers said that copying email addresses from executive accounts in the advertising and hospitality sectors led to the targeting of executives in the finance sector in successive rounds of phishing emails.
The researchers said hacking via cloud-based document services and application accounts adds still more to the value of a hacked email account by creating more opportunities for campaigns that are at once more targeted, more effective and more lucrative.
They predict that credential phishing with cloud-based documents will continue to grow in popularity, as attackers use its advantages to stay ahead of defences that are often still focused on well-known and easily defeated techniques.