Web-based word processor Google Docs is being actively exploited to disguise dangerous web domains, security analysts have warned.
As discovered by security firm Avanan, cybercriminals have found a way to conceal attacks behind standard Google Docs URLs, which can be delivered to victims via email without triggering security software.
The loophole can be exploited to redirect victims through to malicious web pages, which could be set up to siphon personal details and account credentials, or rigged with malware.
“Hackers are bypassing static link scanners by hosting their attacks in publicly known services,” explained Avanan. “We have seen this in the past with small services like MailGun, FlipSnack and Movable Ink, but this is the first time we’re seeing it through a major service like Google Drive/Docs.”
Google Docs exploit
Although there are a few hoops for attackers to jump through, Avanan says the attack is simple to execute “because Google does most of the work”.
The first step is to code a webpage that mimics the Google Docs layout and branding, containing a link that redirects to a malicious site. Attackers then upload this HTML file to Google Docs, which renders the page.
By abusing the “Publish to the web” function, attackers can create a link that looks identical to any other file-sharing link and is therefore able to bypass email security protections designed to weed out dangerous web addresses.
Disguising the domain behind a Google Docs link also improves the likelihood a user will click through and land, ultimately, on the page equipped with information-stealing capabilities.
To shield against an attack of this kind, Avanan suggests businesses deploy a multi-tiered security architecture capable of identifying unusual activity on the network. The advice for end users, meanwhile, is to always scrutinize the sender’s email address for abnormalities that might betray a scam.
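The following Python is an added example, not code from Avanan, Google or this article. It contrasts a host-reputation link check, which passes any docs.google.com URL, with a second tier that routes published documents from external senders to content inspection. The /pub and /pubhtml path shape, the function names and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a naive static scanner that trusts links by host reputation alone.
TRUSTED_HOSTS = {"docs.google.com", "drive.google.com"}

# Assumption (not stated in the article): "Publish to the web" links end in
# /pub or /pubhtml, while ordinary sharing links end in /edit, /view, etc.
PUBLISHED_PATH = re.compile(
    r"^/(document|spreadsheets|presentation)/d/e/[^/]+/(pub|pubhtml)$")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def static_verdict(url):
    """Host-reputation check: the kind of scanner the article says is bypassed."""
    host = (urlsplit(url).hostname or "").lower()
    return "allow" if host in TRUSTED_HOSTS else "scan"


def layered_verdict(url, sender_domain, internal_domains):
    """Second tier: a trusted host alone does not clear published content."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return "scan"
    external = sender_domain.lower() not in internal_domains
    if PUBLISHED_PATH.match(parts.path) and external:
        return "detonate"  # fetch the rendered page and inspect its outbound links
    return "allow"


def triage(body, sender_domain, internal_domains):
    """Return (url, static verdict, layered verdict) for every link in a body."""
    return [(u, static_verdict(u), layered_verdict(u, sender_domain, internal_domains))
            for u in URL_RE.findall(body)]


# Constructed sample message; the document IDs are placeholders.
SAMPLE_BODY = (
    "Invoice attached: https://docs.google.com/document/d/e/EXAMPLE-PUBLISHED-ID/pub\n"
    "Team notes: https://docs.google.com/document/d/EXAMPLE-DOC-ID/edit\n"
)

if __name__ == "__main__":
    for row in triage(SAMPLE_BODY, "mailer.example", {"corp.example"}):
        print(row)
```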
Google did not respond immediately to questions about whether the company is working to block off the attack vector.
Google has since provided the following tips to help users shield against this kind of attack:
- Use 2-step verification to reduce the risk of unauthorized access
- Use security keys that allow only the holder to access the account
- Take the Google Security Checkup
- Pay attention to warnings and alerts that appear
- Report suspicious emails and other content to Google