Brand-impersonation attacks using Googlebrandforms to dupe victims into sharing login credentials are reportedly on the rise.
Barracuda researchers have observed steady detections of spear-phishing campaigns throughout the first part of 2020, and form-based attacks made up 4% of them between January and April. Barracuda expects the number of these attacks to rise too.
In these form-based attacks, scammers are using file and content sharing, and sites like Google Drive and sway.office.com to trick victims into handing over their login credentials. Users typically receive a phishing email containing a link to one of these websites, making this hacking technique difficult to detect for some.
Of the nearly 100,000 form-based attacks detected by Barracuda between Jan. 1, 2020 and April 30, 2020, threat actors used Google file sharing and storage websites in 65% of their attacks. According to Barracuda, that number includes storage.googleapis.com (25%), docs.google.com (23%), storage.cloud.google.com (13%), and drive.google.com (4%).
In comparison, Microsoft brands were used in 13% of attacks. Other brands used include sendgrid.net (10%), mailchimp.com (4%), and formcrafts.com (2%).
According to Barracuda, the three most common tactics used in these form-based and brand-impersonation attacks include:
- Using legitimate sites as intermediaries: By impersonating emails from sites like OneDrive, attackers can lead unsuspecting victims to phishing sites via a legitimate file-sharing site. “The attacker sends an email with a link that leads to a file stored on a site like sway.office.com, for example. The file contains a picture with a link to a phishing site asking for credentials to login,” says Barracuda.
- Crafting online forms geared towards phishing: Attackers create and send an online form that resembles a login page of a legitimate service but is ultimately designed to harvest a user’s credentials.
- Gaining access to accounts without passwords: In this attack, a hacker sends a phishing email containing a link to what appears to be a legitimate login page. This link also contains a request for an app access token. After a user enters their credentials, they are presented a list of app permissions to accept. By accepting these permissions, users give up their password information while also granting the attacker’s app an access token that allows them to use a user’s login credentials.
Fortunately, there are ways users can protect themselves from these brand-impersonation attacks. By using an API-based inbox defense tool, users can prevent phishing emails from entering their inboxes.
Tools such as multi-factor authentication can also protect user accounts from attackers. And as always, keeping up to date on the latest phishing attacks is a worthwhile defense too.
