- KnowBe4 warns of a new phishing campaign that abuses Google AppSheet's workflow automation
- The emails impersonate Facebook and harvest login credentials
- Attackers can also capture session tokens
Cybercriminals are abusing a legitimate Google service to bypass email security controls and deliver phishing emails straight into people's inboxes.
KnowBe4 researchers, who first spotted the attacks, warned that crooks are using Google AppSheet, a no-code development platform for mobile and web applications, whose workflow automation lets them send emails from the address "[email protected]".
The phishing emails impersonate Facebook and are designed to trick recipients into handing over their login credentials and 2FA codes for the social media platform.
2FA codes and session tokens
The emails, which were sent out at a fairly large scale, came from a legitimate source, and so sailed past Microsoft and Secure Email Gateways (SEGs) that rely on domain reputation and email authentication checks (SPF, DKIM, DMARC).
In addition, because AppSheet can generate unique IDs, each email was slightly different, which also helped evade traditional signature-based detection.
The emails themselves spoofed Facebook. The crooks tried to convince victims that they had infringed someone's intellectual property and that their accounts would be deleted within 24 hours.
Unless, of course, they submitted an appeal through a "Submit an appeal" button conveniently placed in the email.
Clicking the button takes the victim to a landing page posing as Facebook, where they are asked to enter their login credentials and 2FA codes, which are then relayed to the attackers.
The page is hosted on Vercel, which, according to KnowBe4, is a "reputable platform known for hosting modern web applications." This further bolsters the credibility of the whole campaign.
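The practical lesson of the campaign is that SPF, DKIM and DMARC only prove that a message really came from the relaying platform; they say nothing about who wrote it. The following is an added example, not code from the article or from KnoWBe4, showing how a mail filter can still flag such a lure by looking at what authentication cannot vouch for: a brand claimed in the text that does not match the sender domain, links to a host the brand does not own, deadline wording, and a content fingerprint that collapses the per-message unique IDs so the slightly different copies cluster together. The sample messages, the sender address on the appsheet.com domain, the facebookmail.com / facebook.com brand domains and the vercel.app landing-page host are all constructed for illustration.

```python
"""Added example (not from the article or KnowBe4): heuristics that catch a
brand-impersonation lure even when SPF, DKIM and DMARC all pass.
All messages, domains and regexes below are constructed assumptions."""
import hashlib
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lookup tables, not taken from the article.
AUTOMATION_SENDER_DOMAINS = {"appsheet.com"}  # platforms that relay user-authored mail
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com", "fb.com", "meta.com"}}
URGENCY = re.compile(r"24 hours|intellectual property|permanently (?:deleted|disabled)", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Tokens of 6+ hex chars containing at least one digit: platform-generated unique IDs.
HEX_ID = re.compile(r"\b(?=[0-9a-f]*\d)[0-9a-f]{6,}\b", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the sample domains used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def fingerprint(text: str) -> str:
    """Hash the lure with IDs and numbers collapsed, so the unique IDs the
    automation platform inserts do not defeat exact-match clustering."""
    normalised = re.sub(r"\d+", "<n>", HEX_ID.sub("<id>", text))
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


def analyse(raw: str) -> dict:
    """Return a verdict, the reasons behind it and a clustering fingerprint."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    sender_domain = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    text = msg.get("Subject", "") + "\n" + plain_text(msg)
    reasons = []

    # Passing authentication is not a clean bill of health: it only proves the
    # mail came from the relaying platform, which is exactly the abused path.
    if authenticated and sender_domain in AUTOMATION_SENDER_DOMAINS:
        reasons.append(f"authenticated mail relayed via automation platform {sender_domain}")

    for brand, domains in BRAND_DOMAINS.items():
        if brand not in text.lower():
            continue
        if sender_domain not in domains:
            reasons.append(f"claims to be {brand} but sender domain is {sender_domain}")
        for url in URL.findall(text):
            host = registrable(urlparse(url).hostname or "")
            if host not in domains:
                reasons.append(f"{brand} lure links to off-brand host {host}")

    if URGENCY.search(text):
        reasons.append("deadline / legal-threat wording")

    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "fingerprint": fingerprint(text)}


# Constructed samples: two copies of the lure differing only in their unique ID,
# plus a benign notification from the brand's own domain.
def lure(to: str, case_id: str) -> str:
    return (
        "From: Facebook <automation@appsheet.com>\n"
        f"To: {to}\n"
        "Subject: Your Facebook account will be deleted in 24 hours\n"
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=appsheet.com; "
        "dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com\n"
        "\n"
        "We received a report that your account violates someone's intellectual property.\n"
        "Your account will be permanently deleted in 24 hours unless you submit an appeal.\n"
        f"Case reference: {case_id}\n"
        f"Submit an appeal: https://case-appeal.vercel.app/appeal?id={case_id}\n"
    )


LURE_1 = lure("alice@example.org", "7f3a9c2e41")
LURE_2 = lure("bob@example.org", "b81d0e5c77")
LEGIT = (
    "From: Facebook <security@facebookmail.com>\n"
    "To: alice@example.org\n"
    "Subject: New login to your Facebook account\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=facebookmail.com; "
    "dkim=pass header.d=facebookmail.com; dmarc=pass header.from=facebookmail.com\n"
    "\n"
    "We noticed a new login from Chrome on Windows.\n"
    "Review activity: https://www.facebook.com/settings/security\n"
)

if __name__ == "__main__":
    for name, raw in (("lure 1", LURE_1), ("lure 2", LURE_2), ("legit", LEGIT)):
        print(name, analyse(raw))
```

Both lure copies score as suspicious and share one fingerprint despite their different IDs, while the genuine notification raises no reason at all; the verdict threshold of two reasons is an arbitrary choice for the example and would be tuned against real traffic.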
The attack has a few additional twists. The first login attempt returns an "incorrect password" error, not because the victim typed the wrong credentials, but to make them resubmit and thereby confirm the captured credentials.
In addition, the 2FA codes the victim supplies are replayed to Facebook immediately, and in return the criminals obtain a session cookie that gives them persistent access even after a password change.