Spammers have been exploiting cloudlike products for years to send spam - think Hotmail or Gmail. But now they're taking greater advantage of cloud computing, employing techniques and traversing avenues we haven't seen before. Among the many cloud services being abused are Google's popular offerings, including Google Docs and Google+. Users and organizations alike need to be aware of these threats and prepare accordingly. Phishers are using Google Docs to trick users in revealing confidential information. This attack method works as follows: Phishers create forms to collect and summarize data in Google Spreadsheets and Docs. These forms, which phishers design to look as though they come from a legitimate third-party domain, such as a bank, provide places for victims to enter personal identification and log-on information. Using built-in form functionality, phishers send email message to a list of prospective targets. The message contains a simple URL linking to the form. One giveaway that you're looking at a potential phishing form and not a trusted site is a URL that takes you to a spreadsheet.google.com address, containing the command word "formkey" at the end, follow by an equal sign and the form's randomly generated identifier link. Often the forms are protected by HTTPS, so it's difficult for organisations to intercept or inspect them. Once a user fills out a form, his or her information is saved to the originator for easy viewing and sharing a detail that spammers especially enjoy. You can find tons of phishing samples by doing an Internet search on the terms "inurl:formkey password site:spreadsheets.google.com," where the term "password" can be replaced by any term you think the phisher may include in the phishing form. Many schools and universities use Google Docs, so these sorts of phishing attacks have disproportionately targeted the educational sector. Even if administrators wanted to block Google Docs spreadsheet forms, they can't. Their schools and businesses are often running on Google Docs, and right now it's difficult to separate the good from the bad. Google includes a Report Abuse link on every displayed form, but it takes time to respond, verify, and deny future access to the form. In that interlude, thousands of more victims may have been tricked into providing their confidential information. The new Google+ service is already being used by spammer. In this case, the criminals aren't using Google's service at all; they are simply crafting very realistic Google+ invitations that, if clicked, will take the unsuspecting victim elsewhere. Part of what makes Google+ frauds easier to pull off is that both the real and fraudulent emails come from no-reply sender email addresses. This means that spammers don't even have to take the additional step of sending from a valid email address. Many readers are probably already aware of these new spamming and phishing attacks, but I bet many others aren't. Consider this your wake-up call that a new attack paradigm is out there, and vendor defenses either aren't in place yet or aren't very sophisticated. Right now, until our traditional antispam and antiphishing tools come up to date on these avenues of attack, we defenders are left with our own homegrown custom protection and end-user education. The phishing war moves on. Are you prepared?
- Free Whitepaper! Learn how to create an analytics environment that is governed, scalable and self-serve.
- Free Whitepaper! Learn how IT is evolving from producer to enabler, and fostering collaboration around analytics.
- Free Whitepaper! The 5 criteria to help you select the right analytics platform for your organization.