Google Docs and Microsoft Office Exploited in Cryptocurrency Phishing Scam

Check Point researchers have discovered a new phishing campaign that distributes unauthorized URLs by exploiting Google Docs, with the aim of stealing victims' cryptocurrency credentials.

Cofense observed that the phishing emails originated from compromised email accounts with privileged access to financial services provider CIM Finance. By using CIM Finance to host their phishing emails, the criminals ensured that their messages could pass popular email security checks, including DKIM and SPF. The researchers wrote that using a legitimate site makes it easier for attackers to succeed with their phishing attempts, as it does not raise suspicion. In the attacks analyzed by the Check Point team, hackers sent links that redirected to fake cryptocurrency sites.

The attack begins with the creation of a Google document, which is sent directly to the user by email from the address NO-REPLY@GOOGLE.COM. When the user clicks the link in the email, they are redirected to a legitimate Google Docs page made to resemble a OneDrive page, and that is where the user is tricked and forced to visit a fake cryptocurrency page. Google was notified of these findings on July 5, 2023.
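The two paragraphs above describe mail that passes SPF and DKIM and links to a legitimate content-hosting domain, so authentication results alone cannot clear it. The following triage sketch is an added example, not code from Check Point, Cofense or Google; the sample message, the `SHARED_CONTENT_HOSTS` list and the verdict names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, not a real capture. mx.example.test, user@example.test
# and EXAMPLE-ID are placeholders.
SAMPLE_EML = """\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=google.com;
 dkim=pass header.d=google.com
From: "Google Docs" <NO-REPLY@GOOGLE.COM>
To: user@example.test
Subject: Document shared with you
Content-Type: text/plain; charset="utf-8"

A document was shared with you:
https://docs.google.com/document/d/EXAMPLE-ID/edit
"""

# Assumption: hosts that serve user-created content under a trusted domain.
SHARED_CONTENT_HOSTS = {"docs.google.com", "drive.google.com"}

def auth_results(msg):
    """Map each method in Authentication-Results to its result, e.g. spf -> pass."""
    raw = " ".join(msg.get_all("Authentication-Results", []))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", raw, re.I)}

def body_text(msg):
    """Concatenate all text/* parts, decoding transfer encodings."""
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)

def triage(eml_text):
    msg = message_from_string(eml_text)
    auth = auth_results(msg)
    urls = re.findall(r"https?://[^\s<>\"']+", body_text(msg))
    shared = [u for u in urls if (urlsplit(u).hostname or "") in SHARED_CONTENT_HOSTS]
    if any(auth.get(k) != "pass" for k in ("spf", "dkim")):
        verdict = "auth-fail"
    elif shared:
        # SPF/DKIM vouch for the sending domain only, not for the shared document.
        verdict = "inspect-content"
    else:
        verdict = "no-shared-links"
    return {"sender": parseaddr(msg.get("From", ""))[1].lower(),
            "auth": auth, "shared_links": shared, "verdict": verdict}
```

A message that returns `inspect-content` is one where the sender checks out but the linked document still has to be examined, for example by detonating the link in a sandbox before delivery.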

Phishers create a fake Microsoft Office 365 login page. This page distinguishes itself from the legitimate Microsoft login page by capitalizing almost half of the words and sometimes replacing letters with asterisks. The phishing page also displays users' credentials in plain text when they type these details into the form's input fields.

These attacks highlight the need for organizations to strengthen their email security. One way they can do this is by raising their workforce's awareness of some of the most popular phishing attacks circulating today.