Hackers exploit Google Docs in new phishing campaign

Attackers are taking advantage of the comment feature in Google Docs to send people emails with malicious links, says Avanan.

One of the favorite tactics of cybercriminals is to exploit legitimate products for illegitimate purposes. And the more popular the product, the greater the chances of success. A new report released Thursday by email security provider Avanan looks at a new phishing campaign that abuses a popular feature in Google Docs to deploy malicious emails.

To help people collaborate on the same documents, Google Docs offers a comment feature. When adding a comment to a document, you can include the email address of a person to whom you want to assign a related task. That action then triggers an email to the assigned person.

In this particularly devious campaign, the attackers add a comment to a Google document and then mention the target by typing the @ symbol followed by an email address. The full comment, however, includes a malicious link that will trigger a malware infection if activated through the sent email.

Discovered by Avanan in December 2021, the attacks have primarily hit Microsoft Outlook users but have also affected recipients on other email platforms. So far, more than 500 inboxes have been targeted across 30 different organizations with the hackers using more than 100 different Gmail accounts.

This type of phishing campaign can sneak past traditional security defenses and careful scrutiny for a few key reasons.

First, the email itself comes from a legitimate Google service, so it’s likely to evade detection and be trusted by users at first glance. Second, the email includes just the attacker’s display name and not their email address, which means anti-spam filters may fail to catch it. And since the hacker can spoof the name of a trusted colleague or contact, the recipient might more easily fall for the scam. Third, the victim doesn’t even have to access the document as the malicious payload is contained solely in the email. The attacker need not even share the document, as simply mentioning the recipient’s email address in the comment will do the trick.

Avanan said that it informed Google about this exploit on January 3 through the Report Phish Through Email button in Gmail. However, users still need to be on the lookout for this attack. To help people protect themselves from this scam, Avanan offers the following tips:

- Before you click on a Google Docs comment in an email, cross-reference the email address in the comment itself to make sure it’s legitimate.
- Keep in mind the usual cyber hygiene habits, such as scrutinizing links and scanning for grammatical errors.
- If you’re wary of a particular Google Docs comment email, contact the actual sender to see if they sent you the comment.
- Make sure you and your organization use strong security protection, particularly across file sharing and collaboration services.

The team at Avanan claims that they found an earlier exploit in Google Docs last June, one that allowed hackers to send phishing links to users. Then, this past October, they discovered that hackers had found another way to send phishing links to unsuspecting users, using the comment feature. They further claim that the vulnerability was not fixed by Google and because of that they began seeing hackers taking advantage of the vulnerability last month. The hacking approach is both simple and straightforward: a hacker creates a Google Docs document and adds comments to it that include an @ symbol followed by an email address. The @ symbol automatically alerts the system to send an email to the person designated in the email address; the email that is sent has phishing links in it, sending the user to a webpage that could lead to malicious code.