Monday, July 28, 2025

Threat actors abuse Google Apps Script in evasive phishing attacks


Threat actors are abusing the ‘Google Apps Script’ development platform to host phishing pages that appear legitimate and steal login credentials.

This new trend was spotted by security researchers at Cofense, who warn that the fraudulent login window is “carefully designed to look like a legitimate login screen.”

“The attack uses an email masquerading as an invoice, containing a link to a webpage that uses Google Apps Script, a development platform integrated across Google’s suite of products,” Cofense explains.

“By hosting the phishing page within Google’s trusted environment, attackers create an illusion of authenticity. This makes it easier to trick recipients into handing over sensitive information.”

Legitimate service abuse

Google Apps Script is a JavaScript-based cloud scripting platform from Google that allows users to automate tasks and extend the functionality of Google Workspace products like Google Sheets, Docs, Drive, Gmail, and Calendar.

These scripts run on a trusted Google domain under “script.google.com,” which is on the allowlist of most security products.

Attackers write a Google Apps Script that displays a fake login page to capture the credentials victims enter. The data is exfiltrated to the attacker’s server via a hidden request.

Phishing page hosted on Google infrastructure
Source: Cofense

Because the platform allows anyone with an account to publish a script as a public web app, giving it a Google domain, the threat actors can easily share it with the victims via a phishing email that won’t trigger any warnings.

The phishing email contains an invoice payment or tax-related call to action for the recipient, linking to the malicious Google-hosted phishing page.

Sample of a phishing email used in the attacks
Source: Cofense

After the victim enters their username and password, they’re redirected to the legitimate service that was spoofed to lower suspicion and give threat actors time to exploit the stolen data.

Google Apps Script appears to be the new focus of phishing actors that look for legitimate platforms to abuse for evasion and operational efficiency.

In this case, it also gives the attackers the flexibility to remotely adjust their script without having to resend a new link, switching to a different lure without much effort.

An effective defense measure would be to configure email security to scrutinize cloud service links and, if possible, block access to Google Apps Script URLs altogether, or at least flag them as potentially dangerous.
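One way to apply that recommendation in a mail-filtering hook, shown as an added example that is not from Cofense or BleepingComputer: the Python below pulls links out of a message and blocks published Apps Script web apps while only flagging other links on the same host. The web-app path shape (`/macros/.../s/<deployment id>/exec` or `/dev`), the block/flag policy split, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: published Apps Script web apps live on this host under a path
# ending in /s/<deployment id>/exec (or /dev for test deployments).
APPS_SCRIPT_HOST = "script.google.com"
WEB_APP_PATH = re.compile(r"/macros/(?:[^/]+/)?s/[\w-]+/(?:exec|dev)$")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def extract_urls(raw_email):
    """Return every http(s) URL found in the text and HTML parts of a message."""
    urls = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(URL_RE.findall(text))
    return urls

def classify(url):
    """'block' for an Apps Script web app, 'flag' for any other link on the
    Apps Script host, 'pass' otherwise. Compares the parsed hostname exactly,
    so lookalike hosts that merely contain the string are not matched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if host != APPS_SCRIPT_HOST:
        return "pass"
    return "block" if WEB_APP_PATH.search(parts.path) else "flag"

def scan(raw_email):
    """Map each URL in the message to its verdict."""
    return {u: classify(u) for u in extract_urls(raw_email)}

# Constructed sample message; the deployment ID is a made-up placeholder.
SAMPLE = """\
From: billing@vendor.example
Subject: Invoice due
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your invoice is ready:
<a href="https://Script.Google.com/macros/s/AKfycbEXAMPLE_placeholder-ID/exec">View invoice</a></p>
<p>Docs: https://script.google.com/home and https://script.google.com.billing.example/macros/s/x/exec</p>
"""

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE).items():
        print(f"{verdict:5} {url}")
```
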

BleepingComputer has contacted Google to ask if they plan to implement any anti-abuse measures in response to Cofense’s findings, but we have not heard back as of publication.
