Normally, when a user shares a Google Docs file with someone, the recipient gets an email containing a link to the document, and often a push notification alerting them to that email as well. Attackers have now started to exploit this same process: they send mobile users Google Docs notifications and emails carrying an invitation to collaborate on a document, and as soon as the user opens that document they find malicious links inside it.
The chances of users clicking on the link are very high, because the notifications look legitimate: they really do come from Google's no-reply email address. The attackers also send the malicious links by email, so that users click on them assuming they are something Google has officially sent.
According to reports, the attack has already targeted hundreds of thousands of Google users and there is still room for more, even though the notifications appear in Russian or broken English.
A recent proof of this was given by cybersecurity researcher Jake, who shared on Twitter how he was asked by email to open a Google Sheets slide and also received a notification of it on his phone.
Another notable thing about these Google Drive notifications is that they arrive with varying lures. Many are titled something like “personal notification” from Google Drive and inform the victim that they have not signed into their account for some time, so the account may be deleted within 24 hours; the only way to save it is to click on the malicious link to sign in.
Interesting TTP utilising Google Sheets, ultimately ending up with generic prize scams 🎁
Google sheets slide was shared with an email address causing a pop-up notification on mobile.
Link leads to 🌐https://clck[.ru/RWen6 pic.twitter.com/RZPQNxuV0Y
— Jake (@JCyberSec_) October 21, 2020
Anybody else got this phishing Slides doc?
It's different from anything I've seen so far, because,
The mail notification went straight to the spam box. ✅
But, Google Drive was unable to block the Drive notification. ❎ #Phishing #PhishingAlert @googledrive @googledocs pic.twitter.com/Nvh6ndLGl9
— Shaakunthala | ශාකුන්තල 🇱🇰 (@shaakunthala) October 28, 2020
I got a fresh phish via Google Drive Slides.... Phone popped a gdrive notification that I was mentioned in a drive doc. There is a constant flow of people viewing the document, I reported to google. Obviously don't click the link to httpx://clck.ru/RZcdQ pic.twitter.com/k0uIExghU4
— Landon #WearAMask 🇺🇲 (@landonchelf) October 30, 2020
I've received a few of these emails in the last two weeks. It's a serious breach because the Google Drive/Docs notifications actually come from Google's no-reply email address.
I knew the notifications were scams because I wasn't expecting any shared doc. Be careful guys. https://t.co/qKppMASZcg
— Abubakar Idris (@IAtalkspace) November 1, 2020
Another notification, with the similar title “Personal Notification No 0684,” alerted users to an “important notice” about a financial transaction that they could view on their personal account through the given link.
One email posed as part of a “Chrome Search contest 2020” and informed the victim that they had won by being the 5-billionth search and could now claim their prize by clicking on the link.
All of the links lead victims to the same kind of place: malicious scam websites. Once the sites opened, some flooded the screen with links to click for “prize draws,” and others asked the victim to click on links to “check the bank account.”
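As an added illustration (not code from the article or from Google), the following Python triage routine applies the warning signs the article describes to constructed sample notifications: a Drive share whose document links point to a URL shortener or to a non-Google host, or whose wording matches the “personal notification” or prize-contest lures. The sample messages, the shortener list and the lure patterns are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample Drive share notifications; not real messages from the campaign.
SAMPLE_NOTIFICATIONS = [
    {"subject": "Personal Notification No 0684",
     "body": "Important notice: a transaction was posted to your personal account. "
             "Review it here: https://clck.ru/EXAMPLE1"},
    {"subject": "Q3 budget (shared with you)",
     "body": "Alice shared a spreadsheet with you: "
             "https://docs.google.com/spreadsheets/d/EXAMPLE/edit"},
    {"subject": "Chrome Search contest 2020",
     "body": "Congratulations, you are the 5-billionth search! "
             "Claim your prize: https://t.co/EXAMPLE2"},
]

# A genuine share notification links to Google; any other host is a link the
# sender placed inside the shared document (assumed allowlist for the example).
TRUSTED_SUFFIXES = ("google.com",)
# Shorteners hide the real destination; clck.ru appears in the tweets above,
# the rest are assumed common ones.
SHORTENERS = {"clck.ru", "t.co", "bit.ly", "tinyurl.com"}
# Lure wording quoted in the article, as case-insensitive patterns.
LURE_PATTERNS = [
    r"personal notification", r"account .*deleted", r"important notice",
    r"claim (your|the) prize", r"billionth search", r"check (your|the) bank account",
]
URL_RE = re.compile(r"https?://\S+")

def link_hosts(text):
    """Lowercase hostnames of every URL found in the text, in order."""
    hosts = [urlparse(u).hostname for u in URL_RE.findall(text)]
    return [h.lower() for h in hosts if h]

def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def triage(note):
    """Reasons this notification looks like a phishing lure (empty list = clean)."""
    reasons = []
    for host in link_hosts(note["body"]):
        if host in SHORTENERS:
            reasons.append(f"link via URL shortener {host}")
        elif not is_trusted(host):
            reasons.append(f"link to non-Google host {host}")
    text = f"{note['subject']} {note['body']}"
    reasons += [f"lure wording matches /{p}/" for p in LURE_PATTERNS
                if re.search(p, text, re.IGNORECASE)]
    return reasons

def flagged_subjects(notes):
    """Subjects of every notification that produced at least one reason."""
    return [n["subject"] for n in notes if triage(n)]
```

Running `flagged_subjects(SAMPLE_NOTIFICATIONS)` flags the two lure messages and passes the genuine-looking spreadsheet share.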
A few alert users were quick to warn others about the scam on Twitter, and they also noted that they had not been expecting a shared document, which served as the red flag.
In response to this emerging threat, a Google spokesperson has publicly stated that the company is working on new security measures to detect Google Drive spam in the future. They are well aware that attackers now want to take full advantage of the remote-work culture, and that the products Google offers have come in pretty handy for them.
Not long ago, in May, researchers also warned the company about a new series of phishing campaigns that attackers were preparing based on Google Firebase storage URLs.
There was another warning in October about a phishing campaign built around automated messages appearing to come from Microsoft Teams. That attack did take place, with one big difference: it resulted in the theft of recipients' Office 365 login credentials.
Nevertheless, whatever the scam, all of them point to the need for users to recognise email-borne attacks, which can only happen if they educate themselves about them or organizations take up the responsibility to do so.