Among brand-impersonation attacks, form-based attacks have emerged using Google-branded sites to trick victims into sharing login credentials.

That’s according to Barracuda Networks‘ latest threat spotlight. Making up 4% of all spear phishing attacks in the first four months of 2020, Barracuda researchers report steady detections through the first part of the year.

Researchers expect to see that number climb as cybercriminals succeed in harvesting credentials with these brand-impersonation attacks.

In this type of attack, scammers leverage file, content-sharing or other productivity sites like docs.google.com or sway.office.com to convince victims to hand over their credentials. The phishing email usually contains a link to one of these legitimate websites making this attack difficult to detect.

Plus, one particularly tricky variant of the brand-impersonation attacks steals account access without stealing credentials, according to Barracuda.

Olesia Klevchuk is senior product marketing manager at Barracuda Networks. She said businesses can do more to protect themselves from these attacks.

Barracuda’s Olesia Klevchuk

“First of all, user security education — make sure employees within your organization are aware of the latest threats and where to report them,” she said. “Second, make sure you have the latest email security technology — API-based email security is one of example of this. Since many of these attacks try to steal login credentials, having an account takeover solution in place will help prevent hackers from using the compromised account.”

Cybercriminals Zero In On Google Sites

Barracuda detected nearly 100,000 form-based attacks between Jan. 1 and April 30. Of those, Google file sharing and storage websites were used in 65% of attacks. This includes storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com.

In comparison, attackers went after Microsoft brands 13% of the time.

“MSSPs can help organizations to train their users through both phishing simulation campaigns, and training content around latest threats,” Klevchuk said. “Additionally, they can also help organizations build multilayered email protection. For example, layer on email gateway with API-based inbox defense, security awareness training and automated incident response.”

With this tactic, cybercriminals try to impersonate emails that appear to be automatically generated by a file sharing site such as OneDrive. It takes the victim to a phishing site through a legitimate file sharing site.

The attacker sends an email with a link leading to a file stored on a site like sway.office.com, for example. The file contains a picture with a link to a phishing site asking for credentials to log in.

With this approach, attackers create an online form using legitimate services like forms.office.com. The forms resemble a legitimate service’s login page, and the bad guys then link to the form in phishing emails to harvest credentials.

Tough to Detect

These impersonation attacks are difficult to detect because they contain links pointing to legitimate websites businesses often use. However, services that request account verification or password changes do not normally use these domains.

In a particularly nasty attack variant, malicious hackers can get access to their victims’ accounts without stealing their credentials, Barracuda said. The original phishing email contains a link to what looks like a usual login page. Even the domain name in the browser window appears to match what user may expect to see. The link, however, contains a request for an access token for an app. After the victim enters login credentials, he or she gets a list of app permissions to accept. By accepting these permissions, the victim is not giving up passwords to attackers. Instead, the victim grants the attacker’s app an access token to use the same login credentials to access the account.

“These attacks usually look to steal login credentials, so the most likely outcome is an account takeover,” Klevchuk said. “They can then use these compromised accounts as basis for further attacks targeting either internal users or the organization’s partners and other contacts. Compromised accounts are very valuable to hackers, and attacks launched from these accounts can be very successful and cause a lot of damage because of the high degree of trust we put into corporate accounts and messages we receive from accounts of those we know.”

Attacks like these are likely to go unnoticed by users for a long time. After all, they used their credentials on a legitimate website. Even two-factor authentication does nothing to keep attackers out.

“These attacks are not going anywhere,” Klevchuk said. “Hackers will continue to evolve their tactics and we will continue to see form-based attacks used in phishing schemes.”