How Scammers Use Google for Business Email Compromise | Tech Security
Several companies have made online productivity solutions like G Suite from Google the preferred option for business computing. It’s incredibly convenient and usually inexpensive for anyone from solo operations through large enterprises to replace physical machines and all the maintenance that comes with the territory with options like Gmail and other web-based tools. Yet services like Google are regularly exploited by scammers.
Google’s prominence in the software market as both a SaaS (software as a service) and PaaS (platform as a service) is a kind of double-edged sword – because it’s both accessible and familiar, it can be dangerous. We’ll explore how attacks utilizing Google services deceive us, beginning with how we think.
Why is Google used over some less familiar brand?
One of the first reasons Google-based attacks work better than attacks using a less recognizable brand is how we perceive the name “Google” itself. Unless you’re wearing a tinfoil hat and sending carrier pigeons to avoid being watched by Big Brother, à la George Orwell’s 1984, you probably see Google as a kind of “good guy.”
Psychologically, trust plays a huge role in most of our actions, affecting the relationships we form, including those with non-living entities. In consumer psychology, the average consumer’s relationship with Google can be described as a case of low cognition due to brand familiarity: our minds elaborate less on how we feel about the brand each time we see it stamped on something, which sustains the general attitude attributed to the whole family of services (Loken 2006).
Without going into a full marketing analysis, the Google brand has successfully fulfilled all six basic principles of persuasion (Cialdini & Goldstein 2002) with respect to the overall consumer relationship with the brand, essentially providing scammers a “built-in” opportunity to exploit its services.
Overview of how scams work in Gmail
Gmail doesn’t offer any real advantage for a scam that competitors like Yahoo, Hotmail, Zoho, or others might lack. The main advantage Google provides a scammer is the Gmail name, at least when the account is configured as a personal email address. Of course, when an attacker links a custom domain to Gmail, you won’t see the Google name unless you manually inspect the email headers.
A domain name from a sender is good enough for a human reader (and some machines) to trust, which is exactly why other tools are used to validate communications. Google and other providers include underlying authentication mechanisms, either SPF or DKIM, to validate sender identities.
The process itself is far too complex to explain here; however, if you’d like to learn more, this blog does a great job explaining the process in simple English. In the example above, you can see where the email was signed before it was sent. This is the first step in getting an email – especially if it’s unsolicited – into someone’s inbox. Having just ordered a pizza from Domino’s, I can be reasonably certain this email is legitimate, though it is concerning that the company doesn’t encrypt their email.
The thing is, a valid signature doesn’t mean a communication isn’t spam or a phishing attempt. It simply means the sender is either using a service where this mechanism is automatic, like a personal Gmail account, or has added a DKIM signature to their own mail system.
Attackers will typically set up an email account by the book before launching a phishing campaign, so their messages pass these checks for a brief window, which greatly increases the likelihood of a successful zero-day attack. Only after these attacks are reported do security databases update with this information, allowing the messages to be blocked or directed to spam.
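As an added example (my code, not the article’s): given a message that already passed DKIM verification upstream, this checks what the signature’s d= domain actually vouches for, whether it aligns with the From address, and whether the display name borrows a known brand while the address sits on a freemail domain. The sample messages and the brand allowlist are constructed.

```python
import email
from email.utils import parseaddr

# Constructed samples (not from the article); signature values are placeholders,
# we assume upstream DKIM verification already returned "pass".
PHISH = b"""From: "Domino's Pizza Orders" <orders.dominos@gmail.com>
Subject: Your order confirmation
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=sel1;
 h=from:subject; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=

Your order is on its way. Sign in to track it.
"""
LEGIT = b"""From: "Domino's Pizza" <orders@dominos.example>
Subject: Your order confirmation
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dominos.example; s=sel1;
 h=from:subject; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=

Your order is on its way.
"""
# Hypothetical allowlist: brand keyword -> the domain that brand really sends from.
KNOWN_BRANDS = {"domino": "dominos.example"}

def dkim_tags(header_value):
    """Split a DKIM-Signature header into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def assess(raw, known_brands):
    """Report what a passing DKIM signature does, and does not, establish about the sender."""
    msg = email.message_from_bytes(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    sig = msg.get("DKIM-Signature")
    signing_domain = dkim_tags(sig).get("d", "").lower() if sig else ""
    # Aligned: the signer (d=) is the From domain itself or one of its parent domains.
    aligned = bool(signing_domain) and (
        from_domain == signing_domain or from_domain.endswith("." + signing_domain))
    # Display name borrows a known brand while the address is not the brand's domain.
    impersonated = [b for b, d in known_brands.items()
                    if b in display_name.lower() and from_domain != d]
    return {"from_domain": from_domain, "signing_domain": signing_domain,
            "aligned": aligned, "impersonated_brands": impersonated}

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess(raw, KNOWN_BRANDS))
```

The phishing sample is fully aligned and would pass DKIM, yet the brand check still flags it; alignment tells you who signed, not whether the sender is who the display name claims.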
Using other Google Tools to Launch Attacks
The Google empire has produced several useful tools that appeal to everyone – including attackers. Attacks using these hosted apps are typically more elaborate than sophisticated phishing schemes relying solely on email. Attackers may use other Google services to hide in plain sight until an attack is launched.
Google Drive and G Suite Apps
For the most part, Google does a decent job of making sure that its services are used as intended. As a scammer, you can’t simply upload a well-known exploit to Google Drive and send out a link hoping someone will haphazardly open it. Google puts a stop to known attacks; however, it won’t always recognize brand-new malicious code.
This is how one of the most damaging ransomware distribution efforts from recent times originated. The ShurL0ckr zero-day malware was hosted on Google Drive, where it remained undetected until it was officially launched. Alarmingly, this malware’s discovery shows a much more concerning problem, as 44 percent of other cloud-based systems assessed during this research effort were found to host some form of malicious code.
Just last year, a similar phishing scam targeted Gmail users where an innocuous link to a Google Doc was distributed to several users in an email campaign. Those who followed the link and accepted permissions were infected with a worm that gained access to the user’s contacts, which it used to spread further by sending even more messages to the addresses it discovered. It was eventually caught by Google but not before it collected a presumably astronomical number of email addresses, plus copious amounts of data it scraped from the inboxes of each user who happened to open the link.
Google Apps and the Play Store
Google typically does a good job of protecting its software distribution platforms, the Play Store and Chrome Web Store, where an average user should be able to download an application and be reasonably sure that it won’t wreak havoc.
Unfortunately, everything in today’s and tomorrow’s plans for the BEC arsenal is deviously clever. In one case, strings of convoluted code were hidden in Google Apps Scripts and hosted on Google Drive, staying under the radar. By remaining undetected for a length of time, attackers buy time to refine attacks that exploit services like the Google Doc scam mentioned in the previous section.
The same underlying method of inserting obscure code into another application is how detection systems on both the user end and Google servers failed to identify a Trojan packaged with another app. Once the “safe” program was installed, a malicious program followed that encrypted user data and alerted the victim with a poorly constructed message demanding payment in Bitcoin. Interestingly, the attack was constructed well enough but didn’t affect many users, leading security professionals to believe it was a kind of dress rehearsal for a bigger cabaret.
Securing Your Business Email
The time for smarter email protection is upon us and actually has been for some time. If you’re hypervigilant about looking through every little detail of your email and ensuring all employees do the same, you’ll reduce the chances of being affected by an attack.
Of course, this is easier said than done. Fortunately, thanks to advances in machine learning and AI, there are solutions that can protect you. Until you’ve found a solution that you’re confident will protect your business, it’s best to err on the side of caution.
Loken, Barbara. (2006). Consumer Psychology: Categorization, Inferences, Affect, and Persuasion. Annu. Rev. Psychol. Vol. 57. 453 – 85.
Cialdini, R. & Goldstein, N. (2002). The Science and Practice of Persuasion. Cornell Hotel and Restaurant Administration Quarterly. Vol. 43, No. 2. 40 – 50.
About the Author: Andrew B. Goldberg is Chief Scientist at Inky Email Protection, an enterprise communications security platform, working to protect corporate email from new breeds of sophisticated phishing attacks. You can follow Inky on Twitter and Facebook.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.