Hackers are exploiting the Google Apps Script development platform to host phishing websites.
Reports revealed that the fraudulent pages are built to closely resemble legitimate login screens, so that they appear convincing and capture user credentials.
This method typically involves a phishing email masquerading as an invoice, which contains a link to a malicious webpage hosted on the exploited cloud-based development tool integrated within Google’s suite of services.
By leveraging Google’s reliable infrastructure, attackers make the phishing page appear more legitimate, which raises the likelihood that victims will submit sensitive information.
Google Apps Script is a new tool for phishing operators.
Google Apps Script is a cloud scripting tool based on JavaScript. It enables users to automate processes and enhance the functionality of Google Workspace applications like Gmail, Drive, Docs, Sheets, and Calendar.
In addition, scripts run on this platform under the “script.google.com” domain, which security software typically permits.
In these incidents, malicious actors craft scripts that display fraudulent login pages. When victims enter their credentials, this information is discreetly sent to an external server controlled by the attacker.
Because Google allows users to publish these scripts as public web apps under its domain, attackers can distribute them through phishing emails that often bypass email security filters.
Phishing emails frequently feature urgent requests, such as payment demands or tax notices, that link to the attacker-operated Google-hosted phishing pages.
After entering their credentials, users are redirected to the legitimate site that the attack impersonated. This redirection diminishes suspicion and allows threat actors to exploit the stolen data.
Misusing Google Apps Script illustrates a broader trend among phishing groups, who increasingly turn to legitimate platforms to bolster evasion and enhance their operations.
One advantage of this strategy is the ability to remotely alter harmful scripts without resending links, enabling attackers to adapt their tactics dynamically.
Therefore, organisations should review their email security settings to scrutinise or block cloud service URLs, particularly those leading to Google Apps Script. Marking such links as potentially harmful could serve as an effective defence.
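One way to apply that scrutiny in a mail pipeline, as an added example that is not part of the original report: the Python sketch below parses a message and returns every link whose host is exactly "script.google.com", so that lookalike hosts are not confused with it. The function names and the sample message are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_HOST = "script.google.com"  # the domain named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_flagged(url):
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return host == FLAGGED_HOST  # exact match, never a substring test

def find_apps_script_links(raw_message):
    """Return [(url, visible_text)] for links to the flagged host."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _Links()
            parser.feed(part.get_content())
            hits += [(h, t) for h, t in parser.links if h and is_flagged(h)]
        elif part.get_content_type() == "text/plain":
            hits += [(u, "") for u in URL_RE.findall(part.get_content()) if is_flagged(u)]
    return hits

# Constructed sample message (not taken from a real campaign).
SAMPLE = ("Subject: Invoice overdue\r\nContent-Type: text/html\r\n\r\n"
          '<a href="https://script.google.com/macros/s/EXAMPLE_ID/exec">View invoice</a>'
          '<a href="https://script.google.com.example.net/x">Help</a>')
```

The returned pairs can feed a quarantine or banner rule; the visible link text is kept so an analyst can see what the recipient was shown.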
As of now, Google has not responded to any questions regarding whether any anti-abuse measures will be implemented to address these findings.
