Hackers Exploiting Flaws in Google Docs' Comments FeatureCampaign Difficult for Both Email Scanners and Victims to Flag
A new wave of phishing attacks has been identified in which hackers exploit a vulnerability in the comments feature of Google Docs to deliver malicious phishing websites to end-users, reports security firm Avanan.
Starting in December 2021, Avanan, a Check Point company, observed a "massive wave" of hackers leveraging the comment feature in Google Docs and other Google collaboration tools primarily targeting Outlook users.
It hit more than 500 inboxes across 30 tenants, with hackers using more than 100 different Gmail accounts, Avanan researchers say.
"In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators," says Jeremy Fuchs, cybersecurity researcher/analyst at Avanan.
Google Docs is an online word processor included as part of the free, web-based Google Docs Editors suite offered by Google, which also includes Google Sheets, Google Slides, Google Drawings, Google Forms, Google Sites and Google Keep.
In a June report, researchers at Avanan described an exploit in Google Docs that allowed hackers to easily deliver malicious phishing websites to end-users.
In October, it was reported that attackers could easily send malicious links through comments in Google apps such as Docs and Slides. Fuchs says this known vulnerability has not been fully closed or mitigated by Google since then.
A spokesperson for Google was not immediately available to comment.
Researchers say that the email is difficult for scanners to stop and for end-users to spot, which makes it harder for anti-spam filters to judge. Also, since these emails come directly from Google, they may appear more trustworthy.
Fuchs shared an example in which he described the whole issue. Fuchs says that if a hacker creates a Gmail account, such as firstname.lastname@example.org, they can also create a Google Doc, insert a comment and send it to their intended target.
"For example, let’s say the intended target has a work address of email@example.com. The end user will have no idea whether the comment came from firstname.lastname@example.org or email@example.com. It will just say 'Bad Actor' mentioned you in a comment in the following document," Fuchs says. "If Bad Actor is a colleague, it will appear trusted. Further, the email contains the full comment, along with links and text.”
The victim now can access the payload from the email only and never has to go to the document. Finally, the attacker doesn’t even have to share the document - just mentioning the person in the comment is enough, Fuchs says.
In a sample email, Fuchs explains that the Avanan researchers tested this flaw with an example comment that included a malicious link. When a hacker mentions the name in the comment, it automatically goes to a user's email box and contains the malicious link to download malware or redirect a user to a phishing site.
Avanan says it notified Google of this flaw on Jan. 3, via the "report phish through email" button within Gmail.
Fuchs recommends following guidance and best practice to guard against these attacks:
- Avoid clicking on Google Docs comments. Encourage end users to ensure they are legitimate.
- Practice standard cybersecurity measures, including scrutinizing links and inspecting grammar.
- Cross-check with the legitimate sender and confirm they meant to send that document.
- Deploy additional protection tools that secure the entire suite, including file-sharing and collaboration apps.
Recent Google Updates
In December 2021, Google released Chrome 96.0.4664.110 for Windows, Mac and Linux to address a zero-day bug tracked as CVE-2021-4102 that was reported by an anonymous security researcher. The update is available in the Stable Desktop channel (see: Patch Tuesday: Microsoft Fixes Zero-Day Spreading Malware).
"Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild," a Google security advisory said. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed."
Google recently announced that it has purchased stand-alone security orchestration, automation and response vendor Siemplify to bolster the threat detection and response capabilities built into Google's cloud services.
Terms of the deal, announced Tuesday, have not been disclosed, however Reuters reports that Google paid about $500 million in cash to buy the firm, which is headquartered in Tel Aviv, Israel, and New York (see: Google Buys Siemplify to Bolster Security Analytics Tools).