New whaling and phishing techniques include weaponising Google Docs

2018 is set to see a continuing rise in orchestrated cyber-attacks as organised criminal groups (OCGs) develop increasingly cunning and sophisticated 'whaling' and 'phishing' attacks.


'Whaling', the targeting of executives and key members of staff, is becoming increasingly common and difficult to detect as OCGs identify new attack vectors. One example of a new vulnerability potentially affecting organisations across the board is the weaponisation of Google Drive documents and spreadsheets.


Google offers a suite of web-based office applications as part of its Google Drive service. These applications include 'Docs' for word-processing, 'Sheets' for spreadsheets and 'Slides' for presentations. While these allow users to create, view and modify documents through an online interface, they can also be 'weaponised' as part of a phishing attack. When a victim opens a weaponised Google spreadsheet hosted on Google's platform, a remote HTML page opens which mimics the Google sign-in process and gives the impression that the victim needs to re-authenticate. This, coupled with the delivery of a legitimate invitation to the weaponised document via Google's sharing features, provides an effective method of phishing Google credentials from G Suite users.


A further advantage to this attack is that the threat actor can share the weaponised file using Google's native sharing capabilities. This results in a legitimate 'lure' being sent from Google's infrastructure encouraging the victim to access the document. Given that this 'lure' contains a legitimate URL and is from a reputable sender, any email-based security gateway is unlikely to filter or quarantine the content as 'phishing'. Given that the original 'invitation to edit' email includes the name and profile picture of the account used to create the phish, the threat actor would likely use something that appears convincing to the intended recipient. For example, the cyber-criminal may masquerade as a legitimate customer or supplier to avoid suspicion.
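Because the gateway sees Google's own infrastructure as the sender, a defender has to look past the From header to the person who actually shared the file. The triage routine below is an added example, not code from the article or from Google: it assumes the notification carries the real sharer's address in Reply-To and their self-chosen display name in From (verify this against your own tenant's messages), compares the sharer against an allowlist of known partner domains, flags display names that borrow a partner's name while the account lives elsewhere, and flags invitation text that asks for re-authentication. The sample message and the allowlist are constructed.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist: domains of the customers and suppliers the organisation really deals with.
TRUSTED_PARTNER_DOMAINS = {"acme-supplies.com"}
# Wording that nudges the recipient towards a bogus "re-authentication" step.
REAUTH_PHRASES = ("sign in again", "re-authenticate", "verify your account", "session expired")


def _norm(text: str) -> str:
    """Lower-case and strip punctuation so 'Acme Supplies' matches 'acme-supplies'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def triage_share_invite(raw: str) -> dict:
    """Return the real sharer and a list of findings for one Drive share-notification email."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, _ = parseaddr(msg.get("From", ""))
    # Assumption to verify against your own tenant: the sharer's real address is in Reply-To,
    # while From is Google's own notifier, which is why the gateway sees a reputable sender.
    _, sharer = parseaddr(msg.get("Reply-To", ""))
    sharer_domain = sharer.rsplit("@", 1)[-1].lower() if "@" in sharer else ""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""

    findings = []
    if sharer_domain not in TRUSTED_PARTNER_DOMAINS:
        findings.append(f"sharer domain {sharer_domain or '(none)'} not in partner allowlist")
    # The display name is chosen by the sharer; flag it when it borrows a partner's name
    # while the underlying account lives elsewhere (the masquerade described above).
    for domain in TRUSTED_PARTNER_DOMAINS:
        if _norm(domain.split(".")[0]) in _norm(display_name) and sharer_domain != domain:
            findings.append(f"display name imitates {domain} but sharer is {sharer_domain}")
    if any(phrase in body for phrase in REAUTH_PHRASES):
        findings.append("invitation text asks the recipient to re-authenticate")
    return {"sharer": sharer, "findings": findings, "suspicious": bool(findings)}


# Constructed sample invitation (not a real Google message); the header layout is an assumption.
SUSPICIOUS_INVITE = """\
From: Acme Supplies Accounts (via Google Sheets) <drive-shares-noreply@google.com>
Reply-To: acme.supplies.accounts@gmail.com
Subject: Spreadsheet shared with you: "Q1 invoice reconciliation"
Content-Type: text/plain; charset="utf-8"

acme.supplies.accounts@gmail.com has invited you to edit the following spreadsheet.
Note from sender: please sign in again to view the full sheet.
"""
```

Running `triage_share_invite(SUSPICIOUS_INVITE)` yields three findings; an invitation from a real partner address with no re-authentication wording yields none.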


This method of attack could also be combined with some basic social engineering techniques to entice a potential victim to authorise additional permissions or enable popups to allow additional payloads to be executed. OCGs are now becoming increasingly adept at combining a number of phishing techniques to target executives and key staff members more effectively.


The increasing use of social media by professionals and corporates is now proving to be a potential goldmine for many of the OCGs. Social engineers manipulate social media to provide enough personal data on key individuals in targeted organisations to perpetrate carefully orchestrated frauds across a wide variety of sectors. Social media has changed the way organisations of all types and sizes are conducting communications and is an increasingly preferred vehicle for many organisations to interact with internal and external stakeholders.


Some companies now use social media tools and 'big data' platforms to build brands and communities which can engage customers in regular feedback dialogues. Technical support staff also frequently use Twitter as a platform to discuss technical issues in real time. Human Resources departments also frequently trawl LinkedIn profiles to search for suitable candidates. Although most cyber-savvy organisations now deploy filters that can be effective in blocking emails with weaponised links, this provides no defence against the growing proportion of executives who freely open links in Twitter, Facebook or LinkedIn. With a modicum of background research and social engineering, these links can be weaponised while being made to appear to come from a trusted source, at least at first glance.


And OCGs are becoming increasingly adept at disguising links in such a way as to con all but the most cautious users. Most staff members are, for example, easily enticed by a seemingly bona fide offer of a lucrative post at another organisation and would be tempted to click on a link that appeared to take them to a website detailing their 'new job offer'.


International OCGs are also increasingly adept at harvesting executives' personal data posted on social networks in order to orchestrate sophisticated phishing and whaling attacks. According to the US Federal Bureau of Investigation (FBI), criminals are using data posted on social networking websites to garner information on individuals who have been targeted for 'spear phishing' attacks targeting multiple industry sectors.


To protect themselves against increasingly sophisticated phishing and whaling attacks, companies must start to extend their cyber-security well beyond traditional perimeters to encompass increasingly dangerous areas such as social networks and third-party software providers.


Contributed by Elad Ben-Meir, vice-president, CyberInt.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.