back to article Be wary of emails with links to ... er, Google Drive? Is that right?

Spammers are increasingly turning to common file-sharing and object storage services such as Google Drive and Microsoft Azure, in an attempt to evade ever-better corporate filters. "Embedding links to trusted services helps attackers bypass traditional content filters, such as spam filters, which might otherwise block the …

  1. Anonymous Coward
    Anonymous Coward

    Scam the scammers ... ?

    (Unless we already are ....)

    Once these vectors are detected, can't we arrange to flood them with millions of logins and password (or whatever they are looking for) and let them wear themselves out ?

    Now there's an open source project to get behind. Instead of clicking on Googly images for a "I'm not a robot" CAPTCHA, why not have a form which submits some fake details to the bad boys ????

    1. Crazy Operations Guy Silver badge

      Re: Scam the scammers ... ?

      Because then Google will sue you for attempting to break into their stuff since you'll be flinging all that data at their equipment.

      These attacks are leveraging scripting capabilities with the provider so you are duped out of your information without ever touching a suspicious domain. Like the Google Drive attack will point you to a series of phishing pages hosted on a public-facing Google Drive and store the retrieved data into Google Docs. On AWS, the pages are hosted on S3 buckets and data is stored into another.

      The point is that the victim never comes in contact with a domain that anti-malware tools wouldn't flag and/or very unlikely to be blocked in an organization. The other side of it is that loading up webpages and having people submit data to a Google Forms document aren't exactly unusually use cases for these services and are going to go unnoticed by Google / Amazon / Etc.

    2. VikiAi Silver badge
      Happy

      Re: Scam the scammers ... ?

      Someone is already scamming them, I think. I always get two copies of scam emails arriving one shortly after the other. I suspect whoever is selling them the email address list has been duplicating entries to bulk up the size of their list and charge more for it.

      Or maybe I am just twice as important as everybody else? :-)

  2. JohnFen Silver badge

    Standard practice

    The standard advice of never opening attachments that you weren't expecting applies just as much to any files stored in the cloud. After all, the only difference between the two is where the file is stored. This is not new -- it should have been part of everyone's regular security spiel from day 1.

    1. a_yank_lurker Silver badge

      Re: Standard practice

      Agreed, never click on an unexpected file or link from any source should be hammered into everyone's head. Social engineering is the most effective way to bypass any security measures.

    2. Crazy Operations Guy Silver badge

      Re: Standard practice

      Unfortunately that wouldn't work for a lot of organizations that are using Google Drive to store information. Just this morning I had to submit a couple inventory reports by filling out a form hosted on the company's Google Docs pages. HR also regularly sends out announcements by sharing a link to Google Docs.

      I've worked with a dozen or so organizations like this and I doubt I just got lucky and hit the few orgs that work that way.

      And, really, the only way to tell the difference between a legitimate google docs attachment and one from scammers is by looking at the UUID embedded in the link URL and checking to see if it matches the UUID assigned to a legitimate user. Which also assumes that the user hasn't had their UUID changed due to be moved to a different version of the service or some other random action that caused it to change.

      Really, the issue here is that instead of the attack purporting to be from hr.internal.company.com but coming from hr.internal.company.com-totally-legit-url.ru. It is now purporting to come from drive.google.com/1234-abcdef0-7894-ac43-12fc390/docs/files/ but really coming from drive.google.com/4567-ffecba12-23e4-23fa-bcce12f/docs/files

      1. Doctor Syntax Silver badge

        Re: Standard practice

        "HR also regularly sends out announcements by sharing a link to Google Docs."

        HR and marketing - the weakest points in any organisation*. They'll only send out this crap indistinguishable from phishing if they don't know what's wrong with them and if they don't know what's wrong with them they'll have know inhibitions in falling for incoming.

        * Apart from senior management, of course.

      2. JohnFen Silver badge

        Re: Standard practice

        You're right.

        This is one of the main reasons why companies shouldn't use Google Drive or the like for this sort of thing at all.

        But it could be done in a more secure way. Instead of sending the link provided by the cloud service, set up a redirect so that the link that is actually sent is to the company's domain name. So the link may read "https://my.company.files/file1", but it will get redirected to the cloudy link.

        1. Charles 9 Silver badge

          Re: Standard practice

          But then the company's website gets hacked and used to social-engineer malware links contained within the hacked company server.

          At some point, hackers can jump through every hoop legitimate links can, and you soon end up with a perfect imposter, at which point you must either live with it or get off the Internet.

          1. JohnFen Silver badge

            Re: Standard practice

            Yes, but that's a problem that exists anyway, and is easier to deal with.

            1. Charles 9 Silver badge

              Re: Standard practice

              Not necessarily. Internal hacking can enlist the help of corrupt insiders, making the problem intractable once you get to a certain degree of paranoia.

    3. Shadowmanx2012
      Thumb Up

      Re: Standard practice

      "This is not new -- it should have been part of everyone's regular security spiel from day 1."

      Yep, practised here and repeated at regular intervals.

    4. amanfromMars 1 Silver badge

      Re: Standard practice ....... Screwed if you do, FCUKed if you don't

      Following unquestioningly the standard advice of never opening attachments that you weren't expecting surely results in displays of psychosis with the delusional paranoid schizophrenic obsessing over that which they have no knowledge of, but which they fear and are terrified of being in the hands, hearts and minds of others in either the opposition or competition.

      And has one always playing second fiddle to subsequent main actions which you missed by taking heed of standard advice.

      What it also encourages is the free spontaneous public sharing of extremely sensitive information in a series of zeroday type postings which easily exploit the standard advice vulnerability, for that is what it is become.

      Pretty soon, whenever you're looking for and expecting there to be a whole host of smarter folk in the room, they'll be suddenly forced to contact you if they are to remain in any way future relevant.

      And ..... being overtaken by events and ending up being popularly viewed as both impotent and unintelligent is also the fate to be suffered by that which and those who fail to make contact whenever they really should.

      IT really is an AI Mined Mind Field out there in which one cannot Lose, Win or Win Win without Playing and Taking Part in a Role..... with an Almighty Few Leading All Others Following?

  3. Anonymous Coward
    Anonymous Coward

    Public shares

    We have always blocked public shares (by classification). The use of google docs, dropbox and such for hosting malware is old, now the thing is redirects, same pony similar trick.

    Redirects as attempts to bypass web filters (takes longer for service providers to build list) does work for the miscreants, but not if people can't get to the first stage :)

    I get challenged by users and managers to open them up, but always have fresh examples like this story to say NO. We have our own portal, so there is no need for using free, mystery storage. lol, new name for public cloud - Mystery Storage.

    1. VikiAi Silver badge
      Happy

      Re: Public shares

      All sing:

      The magical mystery storage

      will take all your data away.....

      :-)

    2. 0laf Silver badge

      Re: Public shares

      We block 'em but I'm forced to open them up for many users. We don't have a facility to receive large files and no one will pay for one. As long as I'm forced to open up Dropbox etc then the problem goes away for them. also this is driven by external parties who want tot use the free file transfer service of their choice and damned if we don't. To get the stuff (much of it we can't ignore) we have to allow access.

      1. Is It Me

        Re: Public shares

        Why not look at the NextCloud/OwnCloud options? You can self host at no cost, or host on externally on a VPS for very little cost.

      2. Anonymous Coward
        Anonymous Coward

        Re: Public shares

        Olaf, it may not be effective, but you could show them the cost of a single storage, that is password protected, and the cost of 2-5 days shut down and rebuilding the environment... and ask them to choose one. I found that management likes $ options to compare.

        At least "you" are looking out for the company, even if management is to stupid to. It's not like there isn't a gazillion examples out there to say $20-$100 a month that will get written off in the budget is a lot cheaper than making the news for being hacked due to poor management. Or don't say anything and show them our comments.

        Good luck.

  4. Walter Bishop Silver badge
    Terminator

    Evading traditional content filters

    "Embedding links to trusted services helps attackers bypass traditional content filters, such as spam filters, which might otherwise block the scams .. The attack vector is simple: the victim receives an email or SMS with bait text encouraging them to click a link to one of the popular sites"

    There's your problem, what these corporate innovators need to do is simple, invent a computer that can't be compromised by clicking on a link!

    1. Yet Another Anonymous coward Silver badge

      Re: Evading traditional content filters

      >, invent a computer that can't be compromised by clicking on a link!

      Like the special iPads we give management with the two trackwheels that can be only be erased by shaking them?

      1. Anonymous Coward
        Anonymous Coward

        Re: Evading traditional content filters

        Oh? One of them managed to get the back open, bricking it and raising hell with IT for sending him a vulnerable tablet and threatened to fire the lot of them (and because he was C-suite, he could).

        1. bpfh Bronze badge
          Flame

          Re: Evading traditional content filters

          So the next one has a flyback transformer and lots of bare conductors inside - IT can't take responsability once manglement has removed the 'do not remove' security stickers

  5. Walter Bishop Silver badge
    IT Angle

    The right projects for the technology

    "Supply chain blockchain projects.. have remained pilot projects due to .. the market to experience blockchain fatigue"

    In other words it was oversold ..

    analysts blamed the difficulty in identifying the right projects for the technology

    Currently the only right projects are online blockchain exchanges, where the cryptocurrencies increase in value through multiple trading. As such the best investment strategy is to buy early and then get out before the bubble bursts. That or run your own online blockchain exchange.

  6. Cuddles Silver badge

    Trusted services?

    Why would anyone trust something like Google Drive? The whole point is that it's a place where literally anyone can put anything at zero cost. That's like trusting the content of all letters just because you trust the postman to deliver them.

    1. DropBear Silver badge
      Flame

      Re: Trusted services?

      Except _not_ trusting them effectively equals total failure of the postal system to continue your example, because opening the envelope is fatal and there are no means left to distinguish good from bad without opening it.

      Observed strictly, only looking at something I "expect" and/or coming from a known sender wouldn't even work for me, and my traffic is truly modest - I still occasionally receive things I didn't expect from people I don't personally know I would still not want to miss; for anyone whose job involves keeping in touch with random other people that would be a flat-out hopeless proposition.

      When not even the origin of a link can tell good from bad (and what with one-letter misspellings and unicode doppelgangers in URLs, and javascript snippets replacing links on the fly we're well and truly far past that point already, even without this latest crap) the only thing left to do, as a fellow commentard noted, is to make a damn box that is incapable* of getting pwned by opening and displaying what should strictly be a piece of non-executable data.

      * It might require having to abandon 90% of current hardware and software computing architecture paradigms but I'd sure as hell would be game for trying...

  7. Barry Rueger Silver badge

    Relax, and just wait

    It's Google. There's at least an even chance that in a year or two they'll just abandon, then shut down, Google Docs and replace it with The Next Big Thing.

  8. DCFusor Silver badge
    Happy

    I feel left out!

    No one sends me funny links anymore. No one loves me, I think I'll just go off and be depressed....

    But if they did, I'd use something like a raspberry pi to check them out, one that couldn't mount anything else on my LAN and doesn't share anything.

    Maybe there's a way to do it as a guest on a chromebook? The laptop equivalent of a burner?

    I'd look into it more if it actually was happening to me, but it seems the spam filters I've erected along with others by my email service have pretty much wiped that whole mess out - been a really long time since I saw any mail I didn't sign up for - and some spammy newsletters I did sign up for now are auto-directed to the circular bit bin before I even see them.

    I'd hate to mention that hated "G" mail service that manages this. But they do. Sure, they read my mail. With any luck, it bores them to the point of creating excess turnover even in their machines. Easier and more entertaining to scan my website, explicitly allowed in robots.txt - the good stuff goes there anyway.

    Or maybe I'm just a non-entity as far as the phishers know...heh, and that's fine with me. What they don't know won't hurt me - or make me a target.

  9. holmegm

    Er

    Er, so we shouldn't trust random links to someone else's file? Well, yes, that's true.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019