Scammers taking advantage of Gmail, Google Drive users’ trust

Cloud services, mobile devices are easy pickings for hackers hoping to steal personal data


Some 500 million people use Gmail and Google Drive. I'm one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they are also ideal delivery channels for getting malware and phishing pages in front of you: the message and the file both arrive from a domain that your mail filters, and you, already trust.

Bad guys on the cutting edge have discovered this. And their success so far indicates that attacks which abuse Google's productivity platform, and similarly exploit other popular cloud-based business tools, will keep growing.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of this hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading malicious PowerPoint presentations stored on Google Drive. Because the email carried only a link to a Google-hosted file and no attachment, the malicious PowerPoint file slipped past the malware filters that inspect attachments.


Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled, hosted on Google's own servers. Because the phishing page sat on a Google domain, reputation-based filters and users alike treated it as trustworthy, making it easier for the attackers to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a malicious file, or get them to navigate to a website you control, the rest is comparatively easy. At that point the target is a half-step away from being owned.

Keys to the (data) kingdom

Eric Andrews, Elastica marketing vice president

"In the cloud environment, the username and password becomes all powerful; almost all these applications use some sort of username and password as a way to get in," says Eric Andrews, Elastica's marketing vice president. "Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody's username and password."

These fresh hacking opportunities are being presented not just by Google, but by every one of the most popular cloud-based email, productivity, file-sharing and customer-relationship-management tools.

"Office 365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility," Andrews says. "But there is this kind of lurking concern. You don't really know if your company's data is safe. You don't know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions."

Gmail more widely used

In the case of abusing Google's services, cyber criminals are taking advantage of the fact that Gmail has become a de facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust level exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails to victims who they guessed would have an interest in controversies surrounding Tibet's Dalai Lama. The enticement: a link to a malicious PowerPoint presentation hosted on Google Drive.

Aditya Sood, Elastica Cloud Threat Labs' chief architect

Aditya Sood, chief architect at Elastica's Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

"There are no attachments in the email. Basically, it's just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won't be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system."
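The chain Sood describes, a presentation that drops an INF file and a "GIF" that is not really an image, is visible in the file itself before anyone opens it. The following is an added example, not code from the article or from Elastica, of a small static check a mail or endpoint pipeline could run on a downloaded OOXML presentation (a .pptx is a zip container): it lists every part in the archive, flags parts whose extension is a script or installer type, flags any part that begins with a PE executable header, and flags media parts whose declared image extension does not match their magic bytes. The two sample presentations are constructed in memory for the example; the INF text and the "MZ" payload are placeholders, not the real dropper's contents, and the extension and magic-byte lists are the author's assumptions rather than any vendor's signature set.

```python
import io
import zipfile

# Extensions that have no business inside a presentation (assumed list).
SUSPICIOUS_EXT = {".inf", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".dll"}

# Magic bytes we expect a part to start with, given the extension it claims.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

PE_MAGIC = b"MZ"  # DOS/PE header: an executable, whatever the part is named


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def scan_pptx(data):
    """Return a list of (part_name, reason) findings for an OOXML presentation.

    An empty list means nothing in the container looked out of place; it is
    not proof the file is benign, only that this cheap check found nothing.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Old binary .ppt/.pps files are OLE, not zip; they need a different parser.
        return [("<container>", "not a zip-based OOXML file")]

    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _ext(name)
            with zf.open(info) as part:
                head = part.read(16)

            if ext in SUSPICIOUS_EXT:
                findings.append((name, "script/installer part: " + ext))
            elif head.startswith(PE_MAGIC):
                findings.append((name, "PE executable header (MZ) in part"))
            elif ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((name, "header does not match declared " + ext + " image"))
    return findings


def is_suspicious(data):
    """True if the presentation container contains anything scan_pptx flags."""
    return len(scan_pptx(data)) > 0


def build_sample_pptx(parts):
    """Build a minimal zip container in memory from {part_name: bytes_or_str}.

    This is a constructed stand-in for a real .pptx; it carries only the parts
    the check cares about, not a complete presentation.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed benign presentation: one real GIF header in ppt/media.
BENIGN_PPTX = build_sample_pptx({
    "ppt/presentation.xml": "<p:presentation/>",
    "ppt/media/image1.gif": b"GIF89a" + b"\x00" * 32,
})

# Constructed presentation shaped like the dropper described above: an INF
# part and a "GIF" whose bytes are actually a PE header (placeholder bytes).
DROPPER_PPTX = build_sample_pptx({
    "ppt/presentation.xml": "<p:presentation/>",
    "ppt/embeddings/oleObject1.bin": b"\x00" * 16,
    "ppt/embeddings/setup.inf": "[Version]\r\nSignature=\"$CHICAGO$\"\r\n",
    "ppt/media/image1.gif": b"MZ\x90\x00" + b"\x00" * 28,
})


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PPTX), ("dropper", DROPPER_PPTX)):
        print(label, scan_pptx(blob))
```

The check deliberately does not care where the file was downloaded from: a presentation fetched from a Google Drive link is inspected exactly like one that arrived as an attachment, which is the gap the attack relies on. Real deployments would add the OLE parser for legacy .ppt/.pps containers and inspect the embedded oleObject*.bin packages themselves rather than only their names.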

Gmail and Google Drive are powerful, flexible, reliable, easy to use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply adapting infection techniques that proved highly effective in the desktop environment to new opportunities presenting themselves in the cloud environment.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted, since a link to a Google-hosted file or page inherits Google's reputation. And as long as the trust level remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.

"Attackers don't have to invest too much time or money in gaining credentials or compromising servers to attack people," Sood says. "They simply create one Gmail account and then, basically, abuse the Google publishing functionality."
