Avanan has warned of an evolution in phishing dubbed Phishing Scams 3.0, which uses everyday services such as iCloud, PayPal, Google Docs and FedEx to deliver attacks.
According to the Check Point company, the method requires no compromise and no code, just a free account, to reach people's inboxes.
The firm reported at least 33,817 email attacks observed in the past two months, with iCloud the most impersonated service. Cybercriminals have also been impersonating PayPal, Google Docs, SharePoint, FedEx, Intuit, and more.
In such scams, the victim receives an email from a totally legitimate service, such as PayPal or Google Docs, that includes a link to a malicious site.
How Phishing Scams 3.0 Works
- The hacker creates a free account with PayPal (for example).
- The hacker finds email addresses to send to.
- The hacker creates a fake invoice stating either that the user has been charged or that something is about to renew.
- The hacker clicks send.
By the Numbers
In the past two months, February and March, our researchers have seen a total of 33,817 email attacks impersonating legitimate, popular firms and services.
Jeremy Fuchs, spokesperson at Avanan, a Check Point company, says that business email compromise (BEC) attacks have evolved again.
“A traditional BEC attack relies upon the ability to look like someone with power within a company or a trusted external partner. Later on, attacks shifted to a method in which the attacker compromises an account, belonging to an organization or one of its partners' organizations, and uses it to insert themselves into legitimate email threads, responding as if they were employees,” he says.
Now, we’re seeing something entirely new, where attackers are using actual legitimate services to carry their attack. In such scams, the victim receives an email from a totally legitimate service (e.g. PayPal, Google Docs) which will include a link to a malicious site.
Cyber Safety Tips:
- Use anti-phishing protections
- Educate and train employees
- Separate duties
- Label external emails
Examples:
Here, the hacker has added a comment in Google Sheets. All the hacker has to do is create a free Google account. Then, they can create a Google Sheet and mention the intended target. The recipient gets an email notification.
To the end-user, this is a fairly typical email, especially if they use Google Workspace. (And even if they don’t, it’s typical, as many organizations use Google Workspace and Microsoft 365).
Here is another example, this time using Google Docs.
This comes from a legitimate sender, Google. The URL, which is a script.google.com URL, also passes a first scan as legitimate, because that domain is legitimate.
However, when you click on it, you are redirected to a fake cryptocurrency site. These fake cryptocurrency sites work in a few ways. They can be straight phishing sites, where credentials are stolen, or they can serve a variety of other purposes, from outright theft to crypto mining.
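The pattern in the Google Docs example, a legitimate sender and a legitimate first-hop URL that only turns malicious after a redirect, suggests one defensive check: resolve every link in a notification from a trusted service to its final landing page and flag links that leave the service's own domains. The code below is an added illustration, not Avanan's tooling; the redirect table, the trusted-service list and the `.example` landing page are constructed stand-ins, and the check does not cover lures whose malicious content is plain text, like a fake PayPal invoice with no off-service link.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP hops; in production the
# link would be fetched in a sandbox and each Location header recorded.
REDIRECTS = {
    "https://script.google.com/macros/s/EXAMPLE_ID/exec":
        "https://wallet-verify.example/login",  # constructed lure landing page
    "https://docs.google.com/document/d/EXAMPLE_DOC/edit": None,  # no redirect
    "https://www.paypal.com/invoice/p/EXAMPLE_INV": None,
}

# Sender domains of services that legitimately send notifications, mapped to
# the domains their links are expected to land on (constructed, not exhaustive).
TRUSTED_SERVICES = {
    "google.com": {"google.com"},
    "paypal.com": {"paypal.com"},
}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (docs.google.com -> google.com).
    Simplified on purpose; a real deployment should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def resolve_final(url: str, redirects: dict, max_hops: int = 10) -> str:
    """Follow the redirect table to the end of the chain; abort on loops."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        nxt = redirects.get(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("redirect chain exceeded max_hops")

def check_notification(sender: str, urls: list, redirects: dict = REDIRECTS) -> list:
    """Flag links in a trusted-service notification whose final landing page is
    off the service's own domains. An empty list means nothing was flagged."""
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    allowed = TRUSTED_SERVICES.get(sender_domain)
    if allowed is None:
        return []  # not a trusted-service notification; out of scope for this check
    findings = []
    for url in urls:
        final = resolve_final(url, redirects)
        landing = registrable_domain(urlparse(final).hostname or "")
        if landing not in allowed:
            findings.append({"url": url, "final": final, "landing": landing})
    return findings
```

A hit means the mail itself is genuine but the link is not, so the response is to block or rewrite the link and alert the recipient rather than to blocklist the sending service.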
PayPal impersonation example
SharePoint Impersonation example
Phishing link hosted on SharePoint
In all of the recorded examples, the address from which the email was sent looked perfectly legitimate and contained the “correct” sender, which makes detection and identification much harder for the average user receiving them.