Seeing the google.com domain instills trust, which could lead to your password being compromised. Here’s what you need to know.
Cybercriminals will use any, and every means possible to win your trust before going in for the kill. Security researchers at Zimperium have today revealed how that includes leveraging the trust that people have in the google.com domain. Here’s what they found and what you need to do to mitigate your risk of having your password and other credentials stolen.
Abusing Google Forms for credential theft
Zimperium researchers have today published a report which reveals how cybercriminals have used a total of 265 Google Forms, part of Google Docs, while impersonating more than 25 brands, companies and government agencies. This, in itself, is hardly surprising: not only are Google Forms very easy to produce, but they also come with the trust-building advantage of being hosted under the google.com domain. Cybersecurity awareness training teaches users to look out for mistakes or tricks that can betray a scam. Still, when that URL is docs.google.com, it might just fool enough people enough of the time to put password and credential-stealing success in the frame.
Not least, according to the Zimperium report, as “being hosted under a Google domain avoids the detection of reputation-based phishing detectors.” Google is, after all, probably the single most recognizable domain in existence. Throw in a valid security certificate for Google Forms, which passes the browser security test, and these cybercriminals are onto a winner, it seems. Again, cybersecurity awareness teaches us to look for the secure icon, but that’s a mistake, as all it actually does is tell you the connection is an encrypted HTTPS one; it does not and cannot indicate malicious intent. Just to add insult to injury, the browser will likely have all google.com domains whitelisted, so there won’t be a deceptive site warning flagged up.
25 brands leveraged by cybercriminals
Zimperium researchers found Google Forms purporting to be connected to various brands, including AT&T, BT Group, Capital One, Citibank, the IRS, OneDrive, Outlook, Office 365, Swisscom, T-Mobile, Wells Fargo and Yahoo. These forms used corporate branding to further instill trust in the recipient, although the mismatch between the supposed sender and the google.com domain should raise some suspicion.
As, indeed, should the fact that the 265 forms that the researchers identified, asking for the submission of user credentials to log in, had a warning at the base stating: “Never submit passwords through Google forms.” That warning is automatically added by Google to every Google Form created. There were other signals that these forms were not legit: the final button said “submit” instead of “login,” the password input field was not masked with asterisks, and sensitive text that might get spotted by automatic detection tools (user, password and so on) was replaced with an image. Of course, those who are more technically and cybersecurity aware may spot these; your average user most certainly would not. And it’s the average user that such scams are aimed at.
Email and SMS used to distribute links to malicious Google Forms
Nico Chiaraviglio, vice president of security at Zimperium, and one of the authors of the report along with Santiago Rodriguez, told me that “based on the type of phishing and the information required, these links were most likely distributed by email or text message, tricking the user to update their password.” Chiaraviglio says that it’s likely the attackers used prior data breaches to get the contact information, and this could also explain the distribution of targeted brands by these forms.
The links to the Google Forms remained active for several months after being added to public phishing databases, Zimperium found, but all have now been deleted after Google was informed.
“While Zimperium is integrated into Google’s analysis of mobile apps via the App Defense Alliance,” Chiaraviglio says, “we are not as familiar with Google’s detection solutions around phishing. What we can state is Google takes abuse of forms seriously and worked closely with us on removal.”
Google has confirmed to me that it uses proactive measures to prevent the soliciting and collecting of sensitive data such as passwords in Forms. These include the automatic detection and blocking of form fields asking for such sensitive or private information, as well as explicitly warning users not to submit passwords in the form.
How to protect yourself from this attack method
“We should not assume that organizations such as Google are going to handle all aspects of security on all of their services,” David Kennefick, product architect at Edgescan, says, “attackers will use complacency to take advantage of any lapse from a security perspective, and users of any system should always be aware of that.”
Boris Cipot, a senior security engineer at Synopsys, told me that while Google could potentially impose stricter policies regarding how such services are used, “this may be difficult to achieve as ensuring compliance may lead them into the dangerous territory of reading and checking every document, which would violate the privacy of millions of Google Doc users.” Cipot suggests that introducing an information leakage prevention algorithm to Google Forms might benefit the user by verifying that they are happy to enter their credentials. “It would also notify the individual who created the form that they have made an unauthorized request for information,” he says.
“Not all phishing attacks are very sophisticated,” Javvad Malik, security awareness advocate at KnowBe4, says, “but in this instance, a Google Form was enough to trick people.” Trying to prevent these by Google adding notifications, or through technological controls, can help, he says, “but it forces criminals to move to other services in a seemingly endless game of whack-a-mole.” User awareness and the use of ‘training’ forms should form an essential part of the defense against such attacks, Malik insists. That means being wary of any and all emails and the links contained within them, especially if personal information is being requested. “When in doubt, people should navigate directly to the site the email is claiming to be from,” Malik says, “logging onto their account, and checking for any notifications.” Enabling two-factor authentication (2FA) can also help, as can using a password manager to minimize the likelihood of password reuse.
Although in the case of Google Forms abuse the google.com domain is leveraged for trust, Malini Gujral, vice president at Acuant, advises readers of Forbes to “match the source website with the brand on the website, URL, logo and process.” This is excellent advice as the chances of a well-known brand serving you up a login screen from a google.com address are so low as to be non-existent.
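The tell-tales listed earlier (a brand’s name on a google.com URL, Google’s automatic password warning, a password field that is not masked, a “Submit” button instead of “Login,” and field labels replaced with images) and Gujral’s advice to match the URL with the brand can be turned into a simple defender-side check. The code below is an added example, not from the Zimperium report or from Google; the sample page, the brand name and the form id are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the report): a form on docs.google.com that
# borrows a bank's branding and shows the tell-tales the article lists.
# The form id in the URL is a placeholder.
SAMPLE_URL = "https://docs.google.com/forms/d/e/PLACEHOLDER-FORM-ID/viewform"
SAMPLE_HTML = """<html><body>
<img src="logo.png" alt="Example Bank"><h1>Example Bank account verification</h1>
<img src="field-labels.png" alt="">
<input type="text" name="entry.1"><input type="text" name="entry.2">
<button>Submit</button>
<p>Never submit passwords through Google Forms.</p>
</body></html>"""

class FormInspector(HTMLParser):
    """Collects input types, label/placeholder count, button captions and visible text."""
    def __init__(self):
        super().__init__()
        self.inputs, self.buttons, self.text = [], [], []
        self.labels, self._in_button = 0, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.inputs.append((a.get("type") or "text").lower())
            self.labels += 1 if a.get("placeholder") else 0
        elif tag == "label":
            self.labels += 1
        elif tag == "button":
            self._in_button = True
    def handle_endtag(self, tag):
        if tag == "button":
            self._in_button = False
    def handle_data(self, data):
        s = data.strip()
        if s:
            (self.buttons if self._in_button else self.text).append(s)

def inspect_form(url, html, brand):
    """Return the names of the phishing tell-tales found on a login-style form page."""
    p = FormInspector(); p.feed(html)
    host = (urlparse(url).hostname or "").lower()
    text = " ".join(p.text).lower()
    flags = []
    if (host == "google.com" or host.endswith(".google.com")) and brand.lower() in text:
        flags.append("brand_on_google_domain")       # brand does not match the URL
    if "never submit passwords" in text:
        flags.append("google_password_warning")      # Google's automatic footer
    if any(w in text for w in ("login", "log in", "account", "password")) \
            and "password" not in p.inputs:
        flags.append("no_masked_password_field")     # secret would be typed in clear
    if any(b.lower() == "submit" for b in p.buttons):
        flags.append("submit_instead_of_login")
    if p.inputs and p.labels == 0:
        flags.append("inputs_without_text_labels")   # labels likely rendered as images
    return flags
```

A mail gateway or browser extension could run such a scorer over a fetched link and warn when several flags fire; on its own, no single flag is proof of a scam.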