Google Workspace comments are being used by crypto scammers to bait targets

Gil Friedrich’s cybersecurity company, Avanan, has recently identified a campaign in which scammers lure users into cryptocurrency scams. According to the company, the business email compromise (BEC) campaign trapped almost 1,000 businesses in just 14 days; on average, this means that seventy businesses were targeted each day.

The American-Israeli software house Check Point said that the scam campaign was still happening when the incidents were reported.

What makes this malicious campaign different from other such campaigns is that it uses genuine services and does not require the attackers to mimic any brand. In its report, Avanan said that attackers take advantage of the comments option available in Google Workspace to deliver spam redirects. The website link used by the scammers is generated by Google Script, a computer program that helps create business apps. From the redirect, the victim reaches the malicious cryptocurrency site.


The whole operation starts with the scammers creating a Google account, which is then used to post comments through Google Sheets, and malicious URLs are added to those comments. The potential victims are then lured into opening the attached URL. As soon as the links are opened, the targets find themselves on the malicious website, where they are welcomed by the attackers. The attack can either be direct, where passwords are stolen in an instant, or the victims’ accounts can be used for mining.

However, Avanan also identified a weakness in the whole malicious campaign. According to the software company, the scammers’ wording is grammatically incorrect. The company also revealed that such attacks are getting more frequent as scammers have started to use trusted methods to carry out their activities. Furthermore, once a user has been trapped, they will receive a real invoice carrying directions from the attackers. These invoices will be generated by PayPal.

What’s alarming is that, because trusted services are used, the whole fraudulent method is carried out through legitimate channels. This is why not only the users but even security providers won’t be able to identify these messages as scams. The only way to minimize the number of attacks is to cross-check the email addresses available in the comments. Users are further instructed to check for grammatical errors. If the user is still unsure about the message’s authenticity, they can ask the sender directly whether it was directed at them or not.
