65% of Form-Based Attacks Involve docs.google.com, drive.google.com, storage.cloud.google.com, and storage.googleapis.com

Are you familiar with the term spear phishing attack? The term describes a type of cyberattack that, in most cases, exploits email and other e-communication platforms to trick individuals into revealing sensitive information, most often login credentials. The cybercriminals behind this kind of activity know very well that their success depends mostly on the believability of the scam. Because of this, they often use well-known names, familiar logos, legitimate-looking email addresses, and other tools to trick less cautious and more gullible individuals. According to a recent study conducted by Barracuda researchers, the reputable name of Google is likely to be exploited by those in the spear phishing game. So, how do you recognize phishing scams and how do you protect yourself against them? Keep reading to find out.

What is a form-based spear phishing attack?

Form-based attacks are also known as brand impersonation attacks. In layman’s terms, cybercriminals introduce themselves as known companies, organizations, individuals, and so on to legitimize their requests. Form-based attacks are used for data theft in most cases, and that means that cybercriminals exploit brands to introduce victims to fake forms that are set up to record login credentials and other kinds of sensitive data. The researchers in the Barracuda study analyzed 100,000 form-based attacks to determine what kinds of brands are exploited most often. Unsurprisingly, Google was the ultimate leader. While Microsoft-related spear phishing attacks accounted for 13% of all form-based attacks (second place), it was found that 65% of all form-based attacks used Google websites to trick people.

The most popularly exploited website was storage.googleapis.com, which accounted for 25% of all attacks. It was followed by docs.google.com at 23%, storage.cloud.google.com at 13%, and drive.google.com at 4%. Other Google-unrelated websites that were often exploited for spear-phishing attacks included onedrive.live.com, sway.office.com, forms.office.com, sendgrid.net, mailchimp.com, and formcrafts.com. Besides collecting statistical data, researchers were also able to identify three main spear-phishing tactics that cybercriminals use to facilitate form-based attacks.

Intermediary websites

Cybercriminals have been found to employ intermediary websites to facilitate form-based attacks. First, they have to create a believable email/message that leads the victim to a legitimate file-sharing website. For example, that could be drive.google.com or onedrive.live.com. If the victim follows that link, they are most likely to open a file containing a link to a phishing website. If the victim clicks that second link as well, they are likely to be exposed to a form asking for personal information and/or login credentials. What kind of information is requested depends on the attackers’ goals. Perhaps they are only gathering personal data for more advanced scams. Perhaps they are stealing passwords and usernames to perform illicit account takeovers.

Online forms

Cybercriminals can also create misleading forms using legitimate online form services. For example, that could be forms.office.com. According to Barracuda researchers, cybercriminals could create forms that look like normal login pages, and those exposed to them could be tricked into disclosing passwords and usernames without realizing that it is just a form and not an authentic login page. Links to such malicious forms can be sent via email, and because official online form services are recognized as legitimate and trustworthy, your email provider is unlikely to be able to recognize that they were sent by malicious parties. Therefore, it is very important to stay vigilant about all emails, especially the ones that are not automatically placed in the spam folder.
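A mail-triage check for the two tactics above, written as an added example (it is not code from the Barracuda study or from this article). It takes the host list from the article, treats the credential wording list and the sample message as constructed assumptions, and matches hosts on a dot boundary so that a lookalike name is reported separately instead of being trusted.

```python
import re
from urllib.parse import urlsplit

# Hosts named in the article as frequently abused for form-based attacks.
SHARED_SERVICE_HOSTS = {
    "storage.googleapis.com", "docs.google.com", "storage.cloud.google.com",
    "drive.google.com", "onedrive.live.com", "sway.office.com",
    "forms.office.com", "sendgrid.net", "mailchimp.com", "formcrafts.com",
}
# Constructed list: wording that suggests the message asks for credentials.
CREDENTIAL_LURES = ("password", "sign in", "log in", "verify your account")
URL_RE = re.compile(r"https?://[^\s<>()]+", re.IGNORECASE)

def matched_service(host):
    # Exact or dot-boundary suffix match only, so a lookalike such as
    # docs.google.com.example.net is not mistaken for docs.google.com.
    host = host.lower().rstrip(".")
    for service in SHARED_SERVICE_HOSTS:
        if host == service or host.endswith("." + service):
            return service
    return None

def triage(body):
    """Return (host, matched service, verdict) for every link in a message."""
    lure = any(phrase in body.lower() for phrase in CREDENTIAL_LURES)
    findings = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        service = matched_service(host)
        if service and lure:
            verdict = "review: shared-service link with credential wording"
        elif service:
            verdict = "note: shared-service link"
        elif any(name in host for name in SHARED_SERVICE_HOSTS):
            verdict = "review: lookalike host embedding a trusted name"
        else:
            verdict = "no match"
        findings.append((host, service, verdict))
    return findings

# Constructed sample message; example.net and example.org are reserved domains.
SAMPLE = """Your mailbox is full. Sign in to keep your password active:
https://forms.office.com/r/EXAMPLEFORM
https://docs.google.com.example.net/login
https://intranet.example.org/news"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A match is a reason for a closer look, not a block decision, since these services carry far more legitimate traffic than abuse.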

Access token requests

Cybercriminals do not always rely on you revealing passwords and usernames to take over your accounts. It was found that misleading spear-phishing attacks can be used to request access tokens. The email that the attackers send contains a link to a website that mimics a familiar login page. Once the link is clicked, a request for an access token is sent. As defined by auth0.com, an access token is a “token-based authentication to allow an application to access an API.” Basically, once you enter the requested login data, you are asked to accept certain app permissions. If you accept them, the attackers can use their own app to obtain the access token and then use it for logins. It can be difficult to wrap one’s head around this, but it is an ingenious way for cybercriminals to gain access to your accounts.
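To make the permission step concrete, the following added example (not from the original article) reads the standard OAuth 2.0 authorization parameters out of a link and reports which app is asking and for what. The high-risk scope selection, the approved client ID list and the sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed policy: scopes treated as high risk when requested by an app the
# organisation has not reviewed. The names are real Microsoft and Google
# scopes, but the selection is illustrative and not taken from the article.
HIGH_RISK_SCOPES = {
    "offline_access",            # allows a long-lived refresh token
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.ReadWrite.All",
    "https://mail.google.com/",  # full mailbox access
}
# Hypothetical allowlist of client IDs the organisation has approved.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}

def inspect_consent_url(url):
    """Summarise what an OAuth 2.0 authorization link is asking for."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)

    def first(key):
        return params.get(key, [""])[0]

    scopes = first("scope").split()   # scopes are space-delimited
    client_id = first("client_id")    # identifies the requesting app
    redirect_host = urlsplit(first("redirect_uri")).hostname or ""
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    unapproved = client_id not in APPROVED_CLIENT_IDS
    reasons = []
    if unapproved:
        reasons.append("client_id not on approved list")
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    return {
        "idp_host": parts.hostname,
        "client_id": client_id,
        "redirect_host": redirect_host,  # where the authorization code is sent
        "scopes": scopes,
        "flag": unapproved and bool(risky),
        "reasons": reasons,
    }

# Constructed sample link; hosts and client ID are placeholders.
SAMPLE = ("https://login.example.com/oauth2/authorize?response_type=code"
          "&client_id=99999999-0000-0000-0000-000000000000"
          "&redirect_uri=https%3A%2F%2Fapp.example.net%2Fcallback"
          "&scope=openid%20Mail.Read%20offline_access")

if __name__ == "__main__":
    print(inspect_consent_url(SAMPLE))
```

Because a granted token keeps working after a password change, a flagged consent is cleaned up by revoking the app's grant, not only by resetting the password.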

How to protect yourself against form-based attacks

What this research has reaffirmed is that cybercriminals keep coming up with new ways to fool and scam us. Unfortunately, sometimes they are one step ahead of technology, and that is what makes it possible for them to conduct successful attacks. Of course, careless behavior does not help the situation either. Therefore, it is important to use both advanced solutions and common sense to protect oneself. Since form-based attacks are used for data theft, it is important to stay vigilant about any emails, requests, and forms that require you to enter login credentials or personal information. Remember that cybercriminals can use intermediary websites to conduct their attacks, and so you have to be cautious about revealing sensitive data even when you are requested to do so via familiar services, such as docs.google.com or drive.google.com.

Organizations, businesses, and companies are advised to invest in technologies that offer machine learning. Unfortunately, form-based attacks have proven that cybercriminals can bypass spam filters, and so it is no longer a good idea to rely on that alone. It is also crucial that both individuals and larger entities employ multi-factor authentication to ensure that cybercriminals are prevented from taking over accounts when passwords are stolen. Speaking of passwords, this is also a time as good as any to strengthen them and ensure that they cannot be guessed or brute-forced, which is still the most common way of obtaining passwords. Thankfully, this issue can be rectified easily with the help of a password manager that can both strengthen and secure passwords. Continue reading here to learn about the key features of Cyclonis Password Manager.

Most importantly, stay vigilant. You do not have to open, interact with, or respond to every email that you receive. Be cautious about what you open, what links you click on, and what information you share. If anything makes you feel uneasy, consult with those who have been trained to deal with scams and cyberattacks. Finally, if you end up being tricked, do not waste any time. Change all passwords, and if you need to, report the incident to the higher-ups. To learn more about spear-phishing, click HERE.

By Foley
October 9, 2020