Scammers target Google Docs and Microsoft Sway to steal user credentials: Barracuda Networks

Pune: Security solutions provider Barracuda Networks said its researchers have identified a new type of brand impersonation attack that is disproportionately using Google-branded sites to trick victims into sharing login credentials.

Of the nearly 100,000 form-based attacks detected between January 1 and April 30, Google file sharing and storage websites were used in 65% of attacks, making up 4% of all spear-phishing attacks in the first four months of 2020.

In this type of brand impersonation attack, scammers leverage file, content-sharing, or other productivity sites like docs.google.com or sway.office.com to convince victims to hand over their credentials.

“There has been an exceptional spike in cybersecurity threats and an increase in a variety of phishing campaigns. While phishing tactics are common in nature, this is a new kind of form-based attack that our researchers have been steadily detecting throughout the beginning of the year. They are expecting the numbers to increase going forward as cybercriminals are successfully able to harvest credentials with these attacks,” said Murali Urs, Country Manager, India at Barracuda Networks.

The attackers are impersonating emails that appear to have been generated automatically by a legitimate file-sharing site such as OneDrive and takes their victim to a phishing site through a legitimate file-sharing site. Sometimes, an online form is created using a legitimate service and the link is then included in phishing emails to harvest credentials. These impersonation attacks are difficult to detect because they contain links pointing to legitimate websites that are often used by organizations.

In the recent form-based attacks reported by Barracuda researchers, the attackers leveraged 25% storage.googleapis.com, 23% docs.google.com, 13% storage.cloud.google.com and 4% drive.google.com.

In comparison, Microsoft brands were targeted in 13% of attacks - onedrive.live.com (6%), sway.office.com (4%), and forms.office.com (3%).

The other sites used in impersonation attacks include sendgrid.net (10%), mailchimp.com (4%), and formcrafts.com (2%).

All other sites made up 6% of form-based attacks.