Some 500 million people use Gmail and Google Drive. I’m one of them.
Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.
Bad guys on the cutting edge have discovered this. And their success so far indicates attacks manipulating Google’s productivity platform-and similarly exploiting other popular cloud-based business tools-are destined to progress.
This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.
Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.
Flying under the radar
Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading corrupted PowerPoint presentations stored on Google Drive. Scammerswere thus able to slip the malicious PowerPoint file past malware detection filters.
Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.
Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.
Keys to the (data) kingdom
“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”
These fresh hacking opportunities are being presented not just by Google but by each and every one of the most popular cloud-based email, productivity tools, file-sharing and customer-relationship tools.
“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”
Gmail more widely used
In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de-facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.
No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer-or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.
Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.
In a case recently dissected by Elastica, the bad guys sent phishing emails out to victims who they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: Click to a link to a corrupted PowerPoint presentation hosted on Google Drive.
Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:
“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”
Gmail and Google Drive are powerful, flexible, reliable, easy-to-use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply adopting infection-techniques that proved highly effective in the desktop environment to new opportunities presenting themselves in the cloud environment.
These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as the trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engine trickery remains easier than it really ought to be.
“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”