Threat actors are abusing the ‘Google Apps Script’ development platform to host phishing pages that appear legitimate and steal login credentials.
This new trend was observed by security researchers at Cofense, who warn that the fraudulent login window “is carefully designed to look like a legitimate login screen.”
“The attack uses an email posing as an invoice, which contains a link to a webpage that uses Google Apps Script, a development platform integrated into Google’s suite of products,” Cofense explains.
“By hosting the phishing page within Google’s trusted environment, the attackers create an illusion of authenticity. This makes it easier to trick recipients into handing over sensitive information.”
Legitimate service abuse
Google Apps Script is a JavaScript-based cloud scripting platform from Google that allows users to automate tasks and extend the functionality of Google Workspace products such as Google Sheets, Docs, Drive, Gmail, and Calendar.
These scripts run on a trusted Google domain under “script.google.com”, which is on the allow list of most security products.
The attackers write a Google Apps Script that displays a fake login page to capture credentials. The data is sent to the attacker’s server through a hidden request.
Since the platform allows anyone with an account to publish a script as a public web app and gives it a Google domain, threat actors can easily share it with victims through a phishing email that will not trigger any warnings.
The phishing email carries an invoice payment or tax-related call to action for the recipient, linking to the malicious Google-hosted phishing page.
After the victim enters their username and password, they are redirected to the legitimate service that was spoofed, which lowers suspicion and gives the threat actors time to exploit the stolen data.
Google Apps Script appears to be a new focus for phishing actors who seek legitimate platforms to abuse for theft and operational efficiency.
In this case, it also gives the attackers the flexibility to adjust their script remotely without sending a new link, switching to a different lure without any effort.
An effective defense is to configure email security to scrutinize cloud service links and, if possible, block access to Google Apps Script URLs completely, or at least flag them as potentially dangerous.
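One way to implement the flagging step in a mail-filtering hook, as an added example that is not from Cofense or BleepingComputer: it parses a message, pulls links from both the HTML anchors and the raw text, and flags those whose parsed hostname is script.google.com. The function names and the sample message are constructed for illustration; the /macros/ path prefix is where Apps Script web apps are served.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host named in the article; Apps Script web apps are served under /macros/.
FLAGGED_HOST = "script.google.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

class _Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def extract_urls(raw_email):
    """Return every URL found in the text/plain and text/html parts."""
    urls = set()
    for part in message_from_string(raw_email).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if ctype == "text/html":
            parser = _Hrefs()
            parser.feed(body)
            urls.update(parser.hrefs)  # link targets, not the visible link text
        urls.update(URL_RE.findall(body))
    return urls

def flag_apps_script_links(raw_email):
    """Flag links by parsed hostname, never by substring of the URL."""
    hits = []
    for url in extract_urls(raw_email):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        if host == FLAGGED_HOST and parts.path.startswith("/macros/"):
            hits.append(url)
    return sorted(hits)

# Constructed sample message (not taken from the Cofense report).
SAMPLE = """From: billing@example.test
Subject: Invoice due
Content-Type: text/html; charset="utf-8"

<p><a href="https://Script.Google.com/macros/s/EXAMPLE_ID/exec">View invoice</a></p>
<p><a href="https://support.example.test/script.google.com/macros/">Help</a></p>
"""
```

Only the first link in the sample is flagged; the second merely contains the hostname in its path, which a substring match would wrongly catch.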
BleepingComputer has asked Google whether they plan to implement any anti-abuse measures in response to Cofense’s findings, but we have not heard back as of publication.