Sunday, June 29, 2025

Threat actors abuse Google Apps Script in evasive phishing attacks


Threat actors are abusing the ‘Google Apps Script’ development platform to host phishing pages that appear legitimate and steal login credentials.

This new trend was observed by security researchers at Cofense, who warn that the fraudulent login window is “rigorously designed to appear to be a reputable login display.”

“The assault makes use of an electronic mail masquerading as a bill, containing a hyperlink to a webpage that makes use of Google Apps Script, a growth platform built-in throughout Google’s suite of merchandise,” Cofense explains.

“By internet hosting the phishing web page inside Google’s trusted atmosphere, attackers create a phantasm of authenticity. This makes it simpler to trick recipients into handing over delicate info.”

Legitimate service abuse

Google Apps Script is a JavaScript-based cloud scripting platform from Google that lets users automate tasks and extend the functionality of Google Workspace products like Google Sheets, Docs, Drive, Gmail, and Calendar.

These scripts run on a trusted Google domain under “script.google.com,” which is on the allowlist of most security products.

Attackers write a Google Apps Script that displays a fake login page to capture the credentials victims enter. The data is exfiltrated to the attacker’s server via a hidden request.

Phishing page hosted on Google infrastructure
Source: Cofense

Because the platform allows anyone with an account to publish a script as a public web app, giving it a Google domain, the threat actors can easily share it with victims via a phishing email that won’t trigger any warnings.

The phishing email contains an invoice payment or tax-related call to action for the recipient, linking to the malicious Google-hosted phishing page.

Sample of a phishing email used in the attacks
Source: Cofense

After the victim enters their username and password, they are redirected to the legitimate service that was spoofed, to lower suspicion and give threat actors time to exploit the stolen data.

Google Apps Script appears to be the new focus of phishing actors who look for legitimate platforms to abuse for evasion and operational efficiency.

In this case, it also gives the attackers the flexibility to remotely alter their script without having to resend a new link, switching to a different lure without much effort.

An effective defense measure would be to configure email security to scrutinize cloud service links and, if possible, block access to Google Apps Script URLs altogether, or at least flag them as potentially dangerous.
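
One way to apply the link-scrutiny measure described above, as an added example that is not from the article or from Cofense: a Python check that pulls links out of a message and flags those whose parsed hostname is script.google.com. The function names, the sample message and the `EXAMPLE_ID` path are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_HOSTS = {"script.google.com"}  # host named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

class HrefCollector(HTMLParser):  # collects <a href> targets, not link text
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def extract_urls(msg):
    """Return URLs from the text/plain and text/html parts of a message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = HrefCollector()
            collector.feed(part.get_content())
            urls += collector.hrefs
        elif part.get_content_type() == "text/plain":
            urls += URL_RE.findall(part.get_content())
    return urls

def flag_apps_script_links(raw_email):
    """Return links whose parsed hostname is a flagged Apps Script host."""
    msg = message_from_string(raw_email, policy=policy.default)
    hits = []
    for url in extract_urls(msg):
        # Match the parsed hostname, not a substring: lookalike hosts must miss.
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if host in FLAGGED_HOSTS and url not in hits:
            hits.append(url)
    return hits

# Constructed sample message (not from the Cofense report).
SAMPLE_EMAIL = """\
Content-Type: text/html; charset="utf-8"

<a href="https://script.google.com/macros/s/EXAMPLE_ID/exec">View invoice</a>
<a href="https://script.google.com.example.net/login">Portal</a>
"""
```

Calling `flag_apps_script_links(SAMPLE_EMAIL)` returns only the first link; the second is a lookalike host and is left for other controls to judge.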

BleepingComputer has contacted Google to ask if they plan to implement any anti-abuse measures in response to Cofense’s findings, but we have not heard back as of publication.

