Check Point researchers have uncovered a new phishing campaign that abuses Google Docs to distribute malicious URLs in order to steal victims’ cryptocurrency credentials.

According to a research report authored by Jeremy Fuchs, a cybersecurity researcher and analyst at Check Point Software, and shared with Hackread.com, Google Docs is the latest attack vector used by phishers to redirect users to credential harvesting sites.

Hackers Abuse Google Docs Service to Distribute Malicious URLs

Check Point researchers observed that legitimate Google Docs services, such as Google Docs’ email, pages, and commenting features, were being abused to send malicious messages and URLs. This demonstrates the evolving nature of business email compromise (BEC) campaigns.

Dubbing the campaign “BEC 3.0,” the researchers wrote that using a legitimate site averts suspicion, making it easier for attackers to phish successfully. In an attack analyzed by the Check Point team, hackers sent links redirecting to fake cryptocurrency sites.

How do attacks occur?

The attack begins with the attacker creating a Google document that is emailed directly to the user from this address: [email protected]. By clicking on the link contained in the email, the user is redirected to a legitimate Google Docs page (presumably a fake OneDrive page), where the user is tricked into visiting a fake cryptocurrency page. This page was later removed. Google was notified of these findings on July 5, 2023.

Fake emails and OneDrive links (Image: CPR)

The abuse of Google Docs services shows that hackers are continuously improving their phishing tactics, especially in BEC. BEC 3.0 removes much of the uncertainty that hackers have long faced, because it does not require the victim to download malicious files or software. Today, only user response or involvement is required to collect cryptocurrency credentials and steal funds.

BEC 3.0 removes some of that uncertainty. Successful BEC requires the best standard link or attachment-based phishing with social engineering. It relies on Google, which we all trust, and the process of getting shared documents from Google Docs, Fuchs said.

Note that there is nothing wrong with Google Docs itself. Rather, this is how scammers abuse email protocols for profit, given that Google cannot be blocked. Therefore, the best course of action is to use AI-powered security mechanisms to simultaneously track all phishing indicators, use a full-suite security program, and implement robust URL security so that all documents, files, and web pages are scanned immediately.
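The sketch below is an added example, not code from Check Point or from this article, showing why a sender and link domain allow-list passes the message described above, and how a mail-triage rule can instead route links to user-authored document hosts for content scanning. The sample message, the sender address, the document ID, the host lists, and the verdict names are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts that serve user-authored content under a trusted domain.
USER_CONTENT_HOSTS = {"docs.google.com", "drive.google.com"}
# Assumption: a domain allow-list of the kind a mail gateway might carry.
ALLOWED_DOMAINS = {"google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample message; sender and document ID are placeholders.
SAMPLE = """\
From: Sharing Notice <placeholder-sender@google.com>
To: user@example.org
Subject: Document shared with you
Content-Type: text/plain

A document was shared with you:
https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit
"""

def registrable(host):
    """Naive last-two-labels domain; enough for this sample, not a PSL lookup."""
    return ".".join(host.lower().split(".")[-2:])

def triage(raw):
    """Return the allow-list result and the verdict for one plain-text message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(msg.get_payload())]
    # Reputation check alone: trusted sender and only trusted link domains.
    allowlist_pass = (registrable(sender_domain) in ALLOWED_DOMAINS and
                      all(registrable(h) in ALLOWED_DOMAINS for h in hosts))
    # Links to user-authored documents say nothing about the document's content.
    needs_scan = [h for h in hosts if h in USER_CONTENT_HOSTS]
    if needs_scan:
        verdict = "scan-linked-content"
    elif allowlist_pass:
        verdict = "deliver"
    else:
        verdict = "standard-url-check"
    return {"allowlist_pass": allowlist_pass,
            "user_content_hosts": needs_scan, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The sample passes the allow-list check yet still receives the `scan-linked-content` verdict, which is the gap between domain reputation and the content of the shared document.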

