Cybercriminals have found a new playground for their phishing schemes: Google Drive.
A recent flaw in Google Drive’s system is being used as a loophole for hackers to worm their way into people’s devices. And they certainly picked a big target – Google Drive is now used by over one billion people.
The mechanics of this scheme aren't much different from the threats we usually face: hackers send a message, unsuspecting people open it, and the links inside lead to an attack. But because this scam lives in Google Drive, it's slipping more easily under the radar.
Let’s take a closer look at this latest cybersecurity menace.
What's the Scam?
Cybercriminals have continued to perfect their craft as more and more people turned to remote working this year, offering untold opportunity for theft. One of their more efficient scams has been this latest attack on Google Drive.
Hackers create documents in Google Drive and then, thanks to the flaw, they're able to send out push notifications through the Google Drive app. This makes it much more likely that someone will click on the notification, because it looks like the invitations you'd typically receive to collaborate on documents.
If they don’t use push notifications, they’ll send an email invitation instead. Most likely, these emails contain malicious links embedded into the message.
Once you open this email or click on this notification, you’re taken to a more recognizable virus-infected website. According to Wired, "one website bombards people with notifications and requests to click on links to deals and prize draws." Some other versions entice you to click on a link to check your bank account or receive a payment.
Why Did Hackers Choose Google Drive?
Google Drive is an appealing host for this type of phishing because it adds a layer of legitimacy. The hackers have found a way to directly send out these notifications through mobile Google Drive apps or the online platform.
Normally, Gmail has a strict filtering program that can easily recognize spam or phishing attempts. But these emails can slip past the filters because they come from Google Drive itself, which Gmail considers a trusted source. For many businesses, sending Google documents or spreadsheets back and forth for collaboration is a daily occurrence, so it doesn't raise any red flags.
As for mobile users, if your phone has push notifications enabled for Google Drive, there’s nothing in place to vet that request.
What Signs Should I Look For?
From the outset, this scheme is intended to look legitimate. But if you’re reading your messages carefully, you can avoid this scam before it becomes a threat to your devices.
While this phishing scam can be difficult to identify, there are a few things to look out for:
- The message uses an unrecognized name or broken English: These Gmail accounts are being created and put under fake names that are commonly Russian or spelled in broken English. If you are not anticipating an email or push notification from someone by that name, don't open the message or click on any links.
- The document has been copied repeatedly: Another sign of this scam is that the text has been recently copied into the document or it has many edits. To keep the scam going, the hackers must frequently make new copies of the same text and continuously edit and add new links to lure people.
- There aren't multiple emails: If you see an email that looks suspicious, don't interact with it. If this is a legitimate person working with you on a document, they'll more than likely follow up with you in other ways.
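The first and third signs can be checked mechanically during mail triage, since the trusted Google sender says nothing about who actually shared the file. The script below is an added example, not part of the original article: it flags share notifications whose sharer is outside a list of known collaborator domains and notes whether that sharer ever wrote to you directly. The notifier address, the use of Reply-To to identify the sharer, the allowlist and the sample messages are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: share notifications come from this Google address and carry the
# sharing account in Reply-To. Confirm against notifications in your own mail.
DRIVE_NOTIFIER = "drive-shares-noreply@google.com"
KNOWN_DOMAINS = {"example.com"}  # hypothetical allowlist of collaborator domains

# Constructed sample mailbox (not real messages).
SAMPLE = [
    "From: Dana via Drive <drive-shares-noreply@google.com>\n"
    "Reply-To: dana@example.com\nSubject: Q3 budget\n\nInvitation to edit",
    "From: Xy Zz via Drive <drive-shares-noreply@google.com>\n"
    "Reply-To: xyzz1987@mail.test\nSubject: Payment pending\n\nInvitation to view",
    "From: Lee <lee@vendor.test>\nSubject: Sending the spec over Drive\n\nHi",
    "From: Lee via Drive <drive-shares-noreply@google.com>\n"
    "Reply-To: lee@vendor.test\nSubject: Spec v2\n\nInvitation to comment",
]


def addr(msg, header):
    """Lower-cased address from a header, or '' when the header is missing."""
    return parseaddr(msg.get(header, ""))[1].lower()


def triage(raw_messages, known_domains=KNOWN_DOMAINS):
    """Return (subject, sharer, reasons) for Drive shares from unknown sharers."""
    msgs = [message_from_string(raw) for raw in raw_messages]
    # Senders who also wrote to us directly, i.e. followed up outside Drive.
    direct = {addr(m, "From") for m in msgs} - {DRIVE_NOTIFIER, ""}
    flagged = []
    for m in msgs:
        if addr(m, "From") != DRIVE_NOTIFIER:
            continue  # only share notifications are in scope
        sharer = addr(m, "Reply-To")
        domain = sharer.rpartition("@")[2] if "@" in sharer else ""
        if domain in known_domains:
            continue  # sharer belongs to a recognized collaborator domain
        reasons = ["unrecognized sharer" if domain else "sharer not identifiable"]
        if sharer not in direct:
            reasons.append("no other contact from sharer")
        flagged.append((m.get("Subject", ""), sharer, reasons))
    return flagged


if __name__ == "__main__":
    for subject, sharer, reasons in triage(SAMPLE):
        print(f"{subject!r} from {sharer or '?'}: {', '.join(reasons)}")
```

A share that carries both reasons matches the pattern described above most closely; one with only "unrecognized sharer" is a candidate for adding the sender's domain to the allowlist after checking with them.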
How Can My Business Avoid This?
Even if your devices have every anti-virus and anti-malware protection possible, the biggest threat to your device safety is human error. To keep away from threats like this, stay vigilant and take these precautions:
Before Potential Attacks:
- Prioritize security awareness training: By providing cybersecurity training to your employees, you’re significantly lessening the chances that your business will suffer a cyber-attack. Your team will know what to look for and learn to avoid common traps.
- Keep computers updated: Make sure all company computers have up-to-date anti-virus and anti-malware software to identify potential threats. This will prevent those who are unfamiliar with phishing threats from successfully downloading malicious software.
- Ignore suspicious emails or links: A good rule of thumb is not to open any emails from people you don't recognize. In this case, you should also avoid any notifications that appear from any unfamiliar names. If you do open an email by mistake, do not click on any links unless you are positive the sender is someone you know. Even if you know them, if you aren't expecting a link, it's a good idea to check with them before clicking on it.
- Strengthen password protections: Implement a business-wide password policy that includes semi-frequent changing of passwords, uses secure password managers and requires passwords to be complex.
After an Attack
If you have fallen prey to the attack, it is essential to assess the scope of the damage and take immediate action.
- Contact your IT department right away: Pass along pertinent information to your IT team and follow any instructions they provide.
- Find out who clicked on the links: Talk to the person/people who were sent these messages and clicked on the offending link. Get the details of their experience and send out a business-wide note with what to look for.
- Change your passwords: Change all passwords that are connected to the hacked account. If you have used those passwords anywhere else, those will need to be changed as well.
- Check your system protections: Check your internal systems for anything unusual that may have recently appeared there. Use your antivirus software to scan anything that seems suspicious.
- Find out if other employees received this email: Anyone who has should be instructed to delete the email without clicking on any links.