Why is Google used over some less familiar brand?

One of the first reasons Google-based attacks work better than attacks that borrow a less recognizable brand is how we perceive the name “Google” itself. Unless you’re wearing a tinfoil hat and sending carrier pigeons to avoid being watched by Big Brother, a la George Orwell’s 1984, you probably see Google as a kind of “good guy.” Psychologically, trust plays a huge role in most of our actions, affecting the relationships we form, including those with non-living entities. In consumer psychology, the average consumer’s relationship with Google can be described as one of low cognition driven by the brand’s familiarity: our minds elaborate less on how we feel about the brand each time we see it stamped on something, which sustains the general attitude attributed to the whole family of services (Loken 2006). Without turning this into a marketing deep dive, the Google brand has successfully fulfilled all six basic principles of persuasion (Cialdini & Goldstein 2002) with respect to the overall consumer relationship with the brand, essentially providing scammers a “built-in” opportunity to exploit its services.
Overview of how scams work in Gmail

Gmail doesn’t offer any real advantage for a scam that competitors like Yahoo, Hotmail, Zoho, or others might lack. The main advantage Google provides a scammer is the Gmail name, at least when the account is configured as a personal email. Of course, when an attacker links a custom domain to Gmail, you won’t see the Google name unless you manually inspect the email headers. A domain name on the sender is good enough for a human reader (and some machines) to trust, which is exactly why other tools are used to validate communications. Google and other providers include underlying authentication mechanisms, such as SPF and DKIM, to validate sender identities.
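One way to apply the header inspection described above, as an added example that is not from the original article: it parses a constructed message with Python’s standard email module, reads the receiving server’s Authentication-Results header (written here as if added by the hypothetical host mx.example.com), and flags a display name that invokes Google while the sender domain is not one of Google’s own. The list of legitimate Google domains is a simplified assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture): the display name says
# "Google Drive" but the From domain is unrelated, and the receiving MTA
# (hypothetical mx.example.com) recorded SPF pass, DKIM fail, no DMARC.
RAW_MESSAGE = """\
From: "Google Drive" <share@drive-notices-example.net>
To: alice@example.com
Subject: A document was shared with you
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=drive-notices-example.net;
 dkim=fail header.d=drive-notices-example.net;
 dmarc=none header.from=drive-notices-example.net
Content-Type: text/plain

Open the document: https://docs.example.net/d/abc
"""

# Matches the mechanism=result pairs an MTA writes into Authentication-Results.
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# Assumed set of domains Google itself sends from; extend for real deployments.
GOOGLE_DOMAINS = ("google.com", "gmail.com")


def parse(raw):
    """Parse a raw RFC 5322 message (folded headers are handled by the stdlib)."""
    return message_from_string(raw)


def auth_results(msg):
    """Return e.g. {'spf': 'pass', 'dkim': 'fail', 'dmarc': 'none'}."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2).lower() for m in AUTH_RESULT.finditer(header)}


def brand_domain_mismatch(msg, brand="google", legit_domains=GOOGLE_DOMAINS):
    """True when the display name invokes the brand but the address domain is not the brand's."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return brand in name.lower() and domain not in legit_domains


def assess(raw):
    """List the reasons a reviewer should distrust this message (empty means no findings)."""
    msg = parse(raw)
    results = auth_results(msg)
    findings = [f"{m}={results.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                if results.get(m) != "pass"]
    if brand_domain_mismatch(msg):
        findings.append("display name claims Google but sender domain does not")
    return findings
```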
Using other Google Tools to Launch Attacks

The Google empire has produced several useful tools that appeal to everyone – including attackers. Attacks using these hosted apps are typically more elaborate than sophisticated phishing schemes relying solely on email. Attackers may use other Google services to hide in plain sight until an attack is launched.
Google Drive and G Suite Apps

For the most part, Google does a decent job of making sure that its services are used as intended. As a scammer, you can’t simply upload a well-known exploit to Google Drive and send out a link hoping someone will haphazardly open it. Google puts a stop to known attacks; however, it won’t always recognize brand-new malicious code. This is how one of the most damaging ransomware distribution efforts of recent times originated. The ShurL0ckr zero-day malware was hosted on Google Drive, where it remained undetected until it was officially launched. Alarmingly, this malware’s discovery points to a much broader problem: 44 percent of the other cloud-based systems assessed during that research effort were found to host some form of malicious code. Just last year, a similar phishing scam targeted Gmail users, distributing an innocuous-looking link to a Google Doc to many users in an email campaign. Those who followed the link and accepted the requested permissions were infected with a worm that gained access to the user’s contacts, which it used to spread further by sending even more messages to the addresses it discovered. It was eventually caught by Google, but not before it collected a presumably astronomical number of email addresses, plus copious amounts of data scraped from the inbox of each user who happened to open the link.
Google Apps and the Play Store

Google typically does a good job of protecting its software distribution platforms, the Play Store and Chrome Web Store, where an average user should be able to download an application and be reasonably sure that it won’t wreak havoc. Unfortunately, the techniques in today’s and tomorrow’s BEC arsenal are deviously clever. In one case, strings of convoluted code were hidden in Google Apps Script and hosted on Google Drive, staying under the radar. By remaining undetected for a length of time, attackers buy time to refine attacks that exploit services, like the Google Doc scam mentioned in the previous section. The same underlying method of inserting obscure code into another application is how detection systems, both on the user’s end and on Google’s servers, failed to identify a Trojan packaged with another app. Once the “safe” program was installed, a malicious program followed, encrypting user data and alerting victims with a poorly constructed message that demanded payment in Bitcoin. Interestingly, the attack was constructed well enough but didn’t affect many users, leading security professionals to believe it was a kind of dress rehearsal for a bigger cabaret.
Securing Your Business Email

The time for smarter email protection is upon us and actually has been for some time. If you’re hypervigilant about looking through every little detail of your email and ensuring all employees do the same, you’ll reduce the chances of being affected by an attack. Of course, this is easier said than done. Fortunately, thanks to advances in machine learning and AI, there are solutions that can protect you. Until you’ve found a solution that you’re confident will protect your business, it’s best to err on the side of caution.
References

Loken, Barbara. (2006). Consumer Psychology: Categorization, Inferences, Affect, and Persuasion. Annual Review of Psychology, Vol. 57, 453–485.

Cialdini, R. & Goldstein, N. (2002). The Science and Practice of Persuasion. Cornell Hotel and Restaurant Administration Quarterly, Vol. 43, No. 2, 40–50.