Fish hook on computer keyboard showing phishing attacks on remote workers

Google-Branded Phishing Attacks Account for 65% of Threats Facing Remote Workers

Remote workers faced a barrage of over 100,000 phishing attacks within four months, mostly involving Google-branded websites, according to a report by Barracuda Networks. The phishing attacks applied a method known as spear phishing to tricks users into disclosing login credentials by impersonating legitimate websites. Google-branded sites accounted for about 65,000 of the attacks making up for 65% of the attacks experienced during the study, while Microsoft-branded impersonation attacks accounted for just 13% of the attacks registered between January 1, 2020, and April 30, 2020.

Distribution of phishing attacks against remote workers

The form-based phishing attacks applied various methods such as using legitimate sites as intermediaries, using online forms for phishing, and getting access to accounts without the use of passwords. Google file-sharing and storage websites accounted for 65% of phishing attacks targeting remote workers within the first four months of the year. These phishing attacks involved the use of Google’s domains, such as storage.googleapis.com (25%), docs.google.com (23%), storage.cloud.google.com (13%), and drive.google.com (4%). Microsoft brands were used in 13% of the attacks, including onedrive.live.com (6%), sway.office.com (4%), and forms.office.com (3%).

Other brands used to target remote workers included sendgrid.net, which contributed to 10% of the phishing attacks. Mailchimp.com and formcrafts.com accounted for 4% and 2%, respectively. Barracuda Networks senior product marketing manager for email, Olseia Klevchuk, said cybercriminals prefer to use Google’s services because they are more accessible and are free to use, thus allowing them to create multiple accounts. She added that the methods that criminals use, such as sending a phishing email with a link to a legitimate site, make it harder to detect these forms of phishing attacks.

Steve Peake, the UK systems engineer for Barracuda Networks, says brand-impersonation spear phishing attacks formed a popular and successful method of harvesting a user’s login credentials. With more people than ever working from home, cybercriminals found an opportunity to flood people’s inboxes with phishing emails. With the advancement of the attacks in recent times, now hackers can even create an online phishing form or page using the guise of legitimate services to trick unsuspecting users.

Impersonating legitimate sites

Criminals impersonate legitimate sites by creating emails that appear to have been generated automatically by file-sharing sites such as Google Drive or OneDrive. The criminals then redirect the remote workers to a phishing site through a file stored on the file-sharing site. These phishing sites then request the users to provide login details to access the content.

To create data forms resembling login pages, criminals are using online forms services provided by companies such as forms.office.com, and send these forms to unsuspecting users. These services trick many users because they reside on the official companies’ domain and hence appear trustworthy. Most users do not realize that companies do not use these domains for login or password recovery. For example, Google does not ask users to log in through docs.google.com but instead uses account.google.com for authentication. For an ordinary user, the difference is too subtle to raise any suspicions.

Accessing accounts without using passwords

Hackers have also applied non-password methods to access user accounts. Users are requested to accept app permission for rogue apps after logging in through legitimate sites. By granting these permissions, the users give the hackers their accounts’ access token, thus allowing them to log in at will. These attacks cannot be prevented by enabling two-factor authentication because the apps are given long-term access to the account. They also remain unnoticed for a long time because users forget which apps they have granted permissions to access their accounts.

Defending against account takeover

Users should be vigilant in detecting suspicious activities on their accounts. Most accounts provide an account history that allows users to view the time and location their accounts were accessed from. Users who identify logins at odd times of the day, different geographical locations, IP addresses, devices, or browsers, should realize that their accounts are possibly compromised.

Enabling two-factor authentication could also prevent hackers from logging into a hacked account even if they have the login details. However, this method cannot prevent app-based login. Users should revoke access to apps they granted permissions to their accounts. These apps are mostly found under “Settings” in the “App Permissions” sections in most online accounts.

Some accounts also provide login notifications by sending an email every time a person logs into the account. Such an email transverses across all devices, thus allowing users to view it even when the hackers delete it from their email inboxes.

Organizations should also educate their employees on online security to help them navigate the complex attack landscape that keeps changing. This training would come in handy, especially for remote workers who are more prone to phishing attacks that try to impersonate the official communication of their employers.

Remote workers are more receptive to emails and are less likely to confirm the purported communication in-person. Additionally, file sharing is widespread among remote workers, and therefore, they are less likely to be suspicious when they receive emails with attachments from file-hosting sites.

Chloé Messdaghi, VP of Strategy at Point3 Security, says attackers prefer to pounce on their victims during specific times when attacks are more likely to be successful.

“Many attackers know that if they want to attack someone specific, it’s more likely to succeed if their initial attacks lands in a target’s email box late at night or early in the morning when they’re not as focused, and when the attacker can most convincingly pretend to be someone else.”

She added that emails with incentives such as work appraisal with a gift card get the attention of most employees.

“One of the more popular ways currently to get to a CEO or executive is to target executive assistants with an email praising their work performance and diligence, and offering a link to an Amazon gift card or similar faux incentive. Once they click that link, it’s game over. The attacker got entry into their inbox to send a malicious email directly to the CEO or executive and can collect sensitive data to share publicly or blackmail.”

Messdaghi advices employees to implement email rules that prevent them from acting when they are most vulnerable to attacks.

“Even the most sophisticated security pros, and all employees, need to adopt a few rules. Some are widely known such as always to check the context of an email, but less widely understood is guidance to never, never to check emails early in the morning, before a morning wake up routine such as a cup of coffee or tea. Similarly, never check and respond to emails in the evening if they’re not focused or have had a cocktail. At either time, it’s too easy to click through what appears to be an off-hours email from a colleague or manager’s personal email address, but is in fact an attack entry point.”