- KnowBe4 warns of a new phishing campaign that uses Google AppSheet's workflow automation
- The emails impersonate Facebook and harvest login information
- The attackers can also get hold of session
Cybercriminals are abusing a legitimate Google service to bypass email protection mechanisms and deliver phishing emails directly to people's inboxes.
Cybersecurity researchers at KnowBe4, who first discovered the attacks, have warned that crooks are using Google AppSheet, a no-code application development platform for mobile and web apps, and, through its workflow automation, were able to send emails from the “[email protected]” address.
The phishing emails mimic Facebook and are designed to trick people into giving away their login credentials and 2FA codes for the social media platform.
2FA codes and session tokens
The emails, sent in bulk and on a fairly large scale, came from a legitimate source and successfully bypassed Microsoft and Secure Email Gateways (SEGs), which rely on domain reputation and authentication checks (SPF, DKIM, DMARC).
Since AppSheet can generate unique IDs, every email was slightly different, which also helped bypass traditional detection systems.
The emails spoofed Facebook. The crooks tried to fool victims into thinking that they were infringing on someone's intellectual property and that their accounts would be deleted within 24 hours.
Unless, of course, they submit an appeal through a conveniently placed “Submit an Appeal” button in the email.
Clicking the button leads the victim to a landing page that mimics Facebook, where they can provide their login credentials and 2FA codes, which are then forwarded to the attackers.
The site is hosted on Vercel, which, as KnowBe4 says, is a “reputable platform known to host modern web applications”. This further strengthens the credibility of the entire campaign.
The attack has a few extra contingencies. The first attempt to log in returns a “wrong password” result, not because the victim typed in the wrong credentials, but to confirm the submission.
In addition, the 2FA codes that are provided are immediately submitted to Facebook and, in return, the crooks grab a session token that gives them persistence even after a password change.
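One way a mail pipeline could catch this pattern, shown as an added example that is not from KnowBe4 or the original article: since SPF, DKIM and DMARC only authenticate the sending domain, the check below compares the brand named in the message with the sender domain and the link hosts. The `BRANDS` allow-list and function names are assumptions, and every domain in the sample is a constructed placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brand keyword -> domains that brand really sends from / links to.
BRANDS = {"facebook": ("facebook.com", "fb.com", "meta.com")}

def _under(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatch(raw):
    """Flag mail that names a brand but is sent from, and links to, other domains."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "").lower()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Decode every leaf part so base64/quoted-printable bodies are inspected too.
    body = " ".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart())
    text = (msg.get("Subject", "") + " " + body).lower()
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)}
    findings = []
    for brand, domains in BRANDS.items():
        if brand not in text or _under(sender, domains):
            continue  # brand not mentioned, or mail really comes from the brand
        off_brand = sorted(h for h in hosts if h and not _under(h, domains))
        if off_brand:
            # dmarc_pass=True here is the interesting case: authentic sender, false identity.
            findings.append({"brand": brand, "sender_domain": sender,
                             "dmarc_pass": "dmarc=pass" in auth,
                             "off_brand_links": off_brand})
    return findings

# Constructed sample message; both domains are placeholders, not values from the report.
SAMPLE = """\
From: Facebook Support <noreply@automation-platform.example>
To: user@corp.example
Subject: Your Facebook account will be deleted in 24 hours
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html

<p>Case ID 7f3a9c: intellectual property violation reported.</p>
<a href="https://appeal-form.hosting.example/start">Submit an Appeal</a>
"""

if __name__ == "__main__":
    for finding in brand_mismatch(SAMPLE):
        print(finding)
```

A hit with `dmarc_pass` set to true is a candidate for quarantine or a warning banner, because the per-message unique IDs do not change the sender-versus-brand mismatch.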



