Spear Phishing in Google Cloud

E-mails carrying malicious Office document macros, combined with social engineering, are one of the most effective ways to compromise someone in cyberspace. Since these attacks rely heavily on social engineering techniques, many companies manage them with employee education. Many people today know that they can get infected if they "Enable editing" in a Word document from an unknown source, or they have some expensive software for file analysis, but what about documents in the cloud? Can someone expect something malicious from a script attached to a Google Sheets document? When I found out about Google's "Apps Script", I decided to see what I am able to do inside that environment using the classic approach of the Office document macro attack.

Enumeration

First things first: an attacker wouldn't lose time on something that can't make him some money, so the best thing is to target companies. This attack will work best and bring the most value if it is used on a company whose employees are already familiar with Google cloud services such as Sheets, Drive, etc. A company that uses Google cloud services and "G Suite" can pay for their own domain. This means that they have e-mail in the form of "bob@company.com" while using Gmail and the Google cloud environment. This can be found out easily by checking the domain's MX (Mail Exchanger) records, which would show that the company uses Google's mail servers.

MX records for a company that uses G Suite
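As an added example (not part of the original post), the MX check described above, done offline against constructed `dig +short MX` output; a defender can run the same classification over their own domains to know which ones are Google-hosted and therefore in scope for this scenario. The `lookup_mx` helper is assumed to use the dnspython package and is only needed for live queries.

```python
# Added example: classify a domain's MX records to see whether its mail is
# hosted by Google. SAMPLE_DIG_OUTPUT is constructed sample output in the
# shape of `dig +short MX company.example`, not a real lookup.

GOOGLE_MX_SUFFIXES = ("google.com", "googlemail.com")

SAMPLE_DIG_OUTPUT = """\
10 aspmx.l.google.com.
20 alt1.aspmx.l.google.com.
30 alt2.aspmx.l.google.com.
40 aspmx2.googlemail.com.
"""


def parse_mx(dig_output):
    """Parse 'priority host' lines into (priority, host), lowest priority first."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        host = parts[1].rstrip(".").lower()
        records.append((int(parts[0]), host))
    return sorted(records)


def is_google_host(host):
    # Suffix match with a leading dot, so "google.com.evil.example" is rejected.
    return any(host == s or host.endswith("." + s) for s in GOOGLE_MX_SUFFIXES)


def classify_mx(dig_output):
    """Return 'google', 'mixed', 'other' or 'none'.

    'mixed' means some exchangers are not Google's, typically a third-party
    mail gateway placed in front of Google with Google hosts as backups.
    """
    records = parse_mx(dig_output)
    if not records:
        return "none"
    google = [host for _, host in records if is_google_host(host)]
    if len(google) == len(records):
        return "google"
    return "mixed" if google else "other"


def lookup_mx(domain):
    """Live lookup (assumes dnspython is installed); not used by the offline sample."""
    import dns.resolver
    answers = dns.resolver.resolve(domain, "MX")
    return "\n".join(f"{r.preference} {r.exchange}" for r in answers)
```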

Social engineering your way in

In short, the idea of this attack is the following: send a mail that looks like it was delivered to the wrong person, with an official share of a Sheets document in the cloud; use social engineering to make the victim run an embedded script; and have that script e-mail the attacker links to the victim's contacts and files in Google Drive.

The initial e-mail should be very specific to the person, otherwise they won't have enough motivation to do whatever it takes to run the script. If the attacker can find data on social media about the company and its employees, it gives him a great advantage. For the purpose of trying to infect a CEO, I suggest a situation where two employees share between them some info about the CEO, who by accident receives that e-mail, which carries an invitation to edit a Google Sheets document. So it may look something like the following picture.

Getting malicious with apps script

G Suite offers various services, but the most valuable for this case I've found to be Contacts, Drive, Sheets and Gmail. So when someone clicks on "Open in Sheets", the following document will open.

The first thing we have to do is social-engineer the document to make the victim run the script. It has the classic look of MS Office "encrypted document" malware. To make it more realistic, using Apps Script I added a "Decryption" menu that looks just like all the others.

Since the script will first ask for permissions without actually running, I made the victim think that in the first step the program for decryption will be installed. While trying to install it, he will already see a "Start decryption" button to return to after the "installation".

The special "Decryption" menu and the code that creates it

When the victim clicks on "Install DataEncrypt", the process of verification begins. The victim will go through different dialogs that require e-mail authorization and data access permissions. This is the part where the attack is most likely to fail, so the victim's will to see the data has to be strong.

An attacker could possibly avoid this screen by going through the verification process. He would need to make some useful app using the same permissions (or at least the permission for Drive, since it holds the most valuable data) and submit it to Google for verification. Hard, but not impossible.

Since the script won't start after all of these confirmations, the victim will have to start the decryption from the menu, which brings them to the waiting screen.

While running this code:

Results

The attacker gets an e-mail from the victim which contains download links to data from their cloud and e-mail addresses from their contacts.

Which data the attacker finds valuable is up to them; in this specific case I just looked for one picture on my Drive for demonstration purposes. Contacts let you get phone numbers, names, addresses, company roles…

Here we can see how the cloud environment gives the attacker an advantage, since he can bypass all of the detection that the company implements, except people's awareness. The attacker can't do the same damage as with an Office macro, but they can blackmail companies for their data.

Filip Žagar