
Google Docs scams still pose a threat


In May 2017, a phishing attack known as the “Google Docs worm” spread across the internet. It used special web applications to pose as Google Docs and request deep access to the emails and contact lists in Gmail accounts. The scam was very effective because the requests came from people who knew the targets. If granted access, the app would automatically distribute the scam email to the victim’s contacts, thereby perpetuating the worm. The incident eventually affected more than a million accounts before Google successfully contained it. New research indicates, however, that the company’s fixes do not go far enough. Another viral Google Docs scam could happen at any time.

Google Workspace phishing and fraud derive much of their power from manipulating legitimate features and services for abusive ends, says independent security researcher Matthew Bryant. Targets are more likely to fall for the attacks because they rely on Google’s offerings. The tactic also puts the activity largely outside the reach of antivirus tools or other security scanners, because it is web-based and manipulates legitimate infrastructure.

In research presented at the Defcon security conference this month, Bryant found ways that attackers may be able to use to overcome Google’s enhanced Workspace protections. And the risk of Google Workspace hijinks is not only theoretical. Some recent scams use the same general approach of manipulating actual Google Workspace notifications and features to make phishing links or pages more appealing and engaging.

Bryant says all of these problems stem from the conceptual design of Workspace. The same features that make the platform flexible, adaptable, and geared toward sharing also offer opportunities for abuse. With more than 2.6 billion Google Workspace users, the stakes are high.

“Design has problems in the first place and that leads to all of these security issues that can’t be fixed – most of which aren’t magical one-time repairs,” says Bryant. “Google has made an effort, but those risks come from specific design decisions. A major improvement would be a painful process of rebuilding these things.”

Since the 2017 incident, Google has added more restrictions on applications that can interface with Google Workspace, especially those that request any type of sensitive access, such as to emails or contacts. Individuals can use these “Apps Script” apps, but Google primarily supports them so that enterprise users can customize and expand the functionality of Workspace. With the enhanced protections in place, if an application has more than 100 users, the developer must submit it to Google for a rigorous review process before distributing it. Meanwhile, if you try to run an app that has fewer than 100 users and hasn’t been reviewed, Workspace will show you a detailed warning screen that recommends against moving forward.

Even with these protections in place, Bryant found a loophole. These small apps can run without the warnings when one arrives attached to a document from someone in your own Google Workspace organization. The idea is that you trust your co-workers enough not to need the hassle of stringent warnings and alerts. These types of design choices, however, leave potential openings for attacks.

For example, Bryant found that by sharing a link to a Google Doc with one of these apps attached and changing the word “edit” to “copy” at the end of the URL, a user who opens the link will see a “Copy Document” prompt. You could also simply close the tab, but if a user thinks a document is legitimate and clicks through to make a copy, they become the creator and owner of that copy. They are also listed as the “developer” of the application that is still embedded in the document. Therefore, when the application requests permission to run and access their Google account data, with no warning attached, the victim will see their own email address in the prompt.

Not all components of an application will be copied along with the document, but Bryant found a way around that, too. An attacker can embed the lost elements in Google Workspace’s version of a task-automation “macro,” which is very similar to the macros that are so often abused in Microsoft Office. Ultimately, an attacker could get someone in the organization to take ownership of a malicious application and grant it access, after which it can request access to other Google accounts in the organization without warning.
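A defender can triage for the “edit” to “copy” URL change described above by flagging shared links whose final path segment is `copy`. The following is an added example, not code from Bryant or Google; the sample messages and document IDs are constructed, and treating every `docs.google.com` editor path (not only documents) the same way is an assumption that goes slightly beyond the article.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message bodies; the document IDs are placeholders.
SAMPLE_MESSAGES = [
    "Q3 plan: https://docs.google.com/document/d/EXAMPLE_ID_1/edit?usp=sharing",
    "Please review https://docs.google.com/document/d/EXAMPLE_ID_2/copy",
    "Sheet: https://docs.google.com/spreadsheets/d/EXAMPLE_ID_3/copy?usp=sharing#gid=0",
    "Sign here (https://docs.google.com/document/d/EXAMPLE_ID_4/copy).",
    "Lookalike: https://docs.google.com.example.net/document/d/EXAMPLE_ID_5/copy",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DOCS_HOST = "docs.google.com"


def classify_link(url):
    """Return 'forced-copy', 'docs-other', or 'not-docs' for one URL."""
    parts = urlsplit(url)
    # Exact host match, so lookalike hosts that merely start with it are excluded.
    if (parts.hostname or "").lower() != DOCS_HOST:
        return "not-docs"
    # urlsplit has already separated query and fragment from the path.
    segments = [s for s in parts.path.split("/") if s]
    if segments and segments[-1].lower() == "copy":
        return "forced-copy"
    return "docs-other"


def flag_messages(messages):
    """Return (message_index, url) pairs for every forced-copy link found."""
    hits = []
    for index, body in enumerate(messages):
        for url in URL_RE.findall(body):
            url = url.rstrip(".,);")  # drop sentence punctuation glued to the URL
            if classify_link(url) == "forced-copy":
                hits.append((index, url))
    return hits


if __name__ == "__main__":
    for index, url in flag_messages(SAMPLE_MESSAGES):
        print(f"message {index}: forced-copy link {url}")
```

Copy links are also used legitimately, for example to hand out templates, so a hit is a signal for review rather than a verdict.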
