Cybercriminals using genuine Google Drive feature to spread malicious links

Cybercriminals are abusing a legitimate Google Drive feature to trick users into clicking on malicious links

CIOL Bureau

Cyberattacks have been a cause of concern ever since technology came into existence. These attacks are hazardous for everyone, be it large industries or common individuals. Attackers continuously come up with new ways of spreading viruses, trojans, malware, etc. At a very basic level, they steal crucial data, which is then sold on the dark web. The most popular technique for spreading this malware is phishing. It is simple to use and very effective, which is why the majority of cybercrimes are carried out using this technique.

This time as well, cybercriminals are using phishing to trick users into clicking on malicious links. Scammers are abusing a legitimate Google Drive feature to distribute them. Various reports reveal that the feature being exploited is Drive’s collaboration feature. It allows users to create notifications or emails inviting people to work on a shared document. The feature also notifies users if they are tagged or mentioned by the sharer. Satnam Narang, Staff Research Engineer at Tenable, says, “Scammers are abusing a legitimate feature built into the Google Drive service used to notify users when they have been mentioned within a Google Drive document or slide. Users won’t be able to access the document, but they will receive in-app notifications on Android or emails sent originating from Google itself, making it appear more legitimate to the end-user.”

He adds, “These notifications and emails will contain a shortened URL that redirects them to a variety of spam and scam sites. Because this is part of a legitimate feature within Google Drive, Google will have to determine how best to address this on the product side. For end-users, one thing they could do is filter all emails sent from “comments-noreply@docs.google.com” to Trash until this issue is resolved.”

The scammers are using this feature to send push notifications to users, asking them to collaborate on a document. The shared document contains the malicious links. In other forms of this attack, an email is sent rather than a notification, and the malicious link is included in the email itself.

How is this attack different from any other phishing attack?

What makes this attack worse is that it is sent under Google’s name. The email comes from Google’s no-reply email address, making it almost impossible to detect that it is a scam. Google is a renowned brand, and it is hard for users to judge or question its security features. By using the tech giant’s name, the attackers made it much easier to trick users. The immense trust that users place in Google’s security made it difficult for them to identify the danger hiding behind the notification.

How is this attack similar to other phishing attacks?

So far, hundreds of thousands of Google users have been targeted by this attack. Some of them were careful enough not to click on any of the links, despite seeing Google’s name, and that is what is required to stay safe from phishing attacks. As in most phishing cases, the notifications and emails were written in Russian or broken English, which makes the possibility of a scam quite obvious; only a little attention is required.

Usually, phishing emails share common traits, such as misspelt words, incorrect grammar, luring or warning messages, offers, etc. Victims reported that the Google Drive emails and notifications contained various lures. The notifications purported to be ‘personal notifications’ from Google Drive, with one lure entitled “Personal Notification No 8482” telling victims they had not signed into their accounts in a while. They also threatened that accounts would be deleted in 24 hours if the user did not log in. All this typical phishing content in the notifications indicated that there might be something “fishy”.

A Google spokesperson told WIRED that the company is working on new security measures for detecting Google Drive spam. While the work is in progress, it is hard to know how much time it may take. Until the company fixes the issue, end users are therefore advised to filter all emails sent from “comments-noreply@docs.google.com” to Trash.
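Filtering every message from that address to Trash also discards genuine mention notifications. The Python below is an added example, not code from the article, Google or Tenable: it quarantines only those Drive notifications that carry the traits described above (a shortened link, the "Personal Notification" title, the inactivity claim, the 24-hour deletion threat). The function names, the shortener list, the patterns and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

DRIVE_SENDER = "comments-noreply@docs.google.com"  # address named in the article
# Assumption: the article does not name the shortening services involved;
# these common public shorteners are illustrative only.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}
# Lure wording taken from the article's description of the notifications.
LURES = {
    "numbered 'personal notification'": re.compile(r"personal notification", re.I),
    "24-hour deletion threat": re.compile(r"deleted\s+(?:with)?in\s+24\s+hours", re.I),
    "inactivity claim": re.compile(r"(?:haven't|have not)\s+signed\s+in", re.I),
}
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def message_text(msg):
    """Subject plus every text/* part, decoded with the part's declared charset."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_bytes):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes)
    # Assumption: SPF/DKIM were already checked upstream, so From is trusted here.
    if parseaddr(msg.get("From", ""))[1].lower() != DRIVE_SENDER:
        return "not-drive", []
    text = message_text(msg)
    reasons = [name for name, rx in LURES.items() if rx.search(text)]
    hosts = {h.lower().split(":")[0] for h in URL_HOST.findall(text)}
    reasons += [f"shortened link ({h})" for h in sorted(hosts & SHORTENERS)]
    return ("quarantine" if reasons else "deliver"), reasons

# Constructed sample messages (not real captures).
SCAM = (b"From: Google Drive <comments-noreply@docs.google.com>\r\n"
        b"Subject: Personal Notification No 0000\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
        b"You haven't signed in for a while. Your account will be deleted in 24 hours.\r\n"
        b"Confirm: https://bit.ly/EXAMPLE\r\n")
LEGIT = (b"From: Google Drive <comments-noreply@docs.google.com>\r\n"
         b"Subject: Q3 budget - you were mentioned\r\n"
         b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
         b"Please review the figures in cell B4.\r\n")

if __name__ == "__main__": print(triage(SCAM), triage(LEGIT))
```

A notification that matches none of the signals is delivered, so a scam that changes its wording and link style would pass; the check narrows the blanket filter rather than replacing user caution.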