Google Workspace comments used by crypto con artists to lure victims


Threat actors are using the comments section of Google Workspace documents to lure victims into fake cryptocurrency schemes, the latest business email compromise (BEC) campaign spotted by cybersecurity watchdog Avanan.

The BEC scam targeted nearly a thousand businesses in two weeks – equivalent to roughly 70 every day – according to the Check Point company, which added that at the time of its report the campaign was “still ongoing.”

What makes this particular scam tricky is the fact that it leverages authentic services – no brand spoofing or mimicking required – to catch the victim off-guard, getting them away from secure internet territory and into the cyber quagmire favored by online fraudsters.

“In this attack, hackers utilize the comments feature in Google Workspace to send malicious redirects,” said Avanan. “The link used is a Google Scripts URL – Google Scripts is a coding platform hosted by Google. The link then redirects users to a fake cryptocurrency page.”

Sample of scam Google Workspace comment message sent by fraudsters

Cyber fraudsters, you are free to proceed…

In this case, the hackers simply open a free Google account, add comments using Google Sheets, and insert dangerous links into them before inviting targets to click on these via email.

“To the end-user, this is a fairly typical email, especially if they use Google Workspace,” said Avanan. “And even if they don’t, it’s fairly typical, as many organizations use Google Workspace and Microsoft 365.”

Clicking on the malicious link takes the victim to the fake cryptocurrency website, where the scammers await them.

“These fake cryptocurrency sites work in a few ways,” said Avanan. “They can be straight phishing sites, where credentials will be stolen. There’s a variety of other options, whether it’s straight theft or [illegal, non-consensual] crypto-mining.”

While legitimate brands such as Google are cunningly exploited and sender addresses well mimicked, the BEC campaign has one flaw common to most phishing scams: the grammar is stilted, implying that the message is not genuine. As Avanan notes, “hello users of the system” is not the most convincing way to begin a communication.

Crooks masquerade as ‘straight’

Avanan claims to have seen increasing use of tactics similar to those described in its latest report, as more and more crooks use trusted services to further their illegal ends.

“Simply put, it’s the use of a legitimate service to unleash an attack,” said Avanan. “Instead of a fake invoice, you’ll get a legitimate invoice with malicious instructions, coming directly from PayPal. Instead of a RingCentral link that goes to a conference call, it’s weaponized to redirect to a malicious site.”

It added: “In short, hackers are able to take something that doesn’t just appear to be legitimate – it is legitimate. In the email message, there will be nothing malicious and in fact it will be trusted by security services and users alike.”

To help mitigate such attacks, Avanan urges employers and their workers to cross-reference any email addresses included in the comments feature of any Google documents.

“Remind end-users to utilize standard cyber hygiene, including scrutinizing links and inspecting grammar,” it added. “If unsure, reach out to the legitimate sender and confirm they meant to send that document.”
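
The cross-referencing Avanan recommends can be partly automated at the mail gateway. The sketch below is an added example, not code from Avanan or Cybernews: it takes a comment-notification email, checks commenter addresses in the body against a list of known domains, and flags links hosted on Google's script platform. The trusted domain, the script.google.com hostname and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumptions (not from the article): the organisation's known commenter
# domains, and the hostname that serves Google Scripts links.
TRUSTED_DOMAINS = {"example.com"}
SCRIPT_HOSTS = {"script.google.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample notification, not a real message.
SAMPLE = """\
From: "Google Sheets" <comments-noreply@docs.google.com>
To: employee@example.com
Subject: New comment on a spreadsheet
Content-Type: text/plain; charset=utf-8

stranger@freemail.test mentioned you in a comment:
hello users of the system, claim your reward:
https://script.google.com/macros/s/CONSTRUCTED_ID/exec
"""

def body_text(msg):
    """Join every text/plain part; also works for single-part mail."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace") for p in parts
    )

def triage(raw):
    """Return the reasons a comment notification should be held for review."""
    body = body_text(message_from_string(raw))
    findings = []
    # Commenter addresses appear in the body, not in the Google-owned From header.
    for addr in sorted(set(ADDR_RE.findall(body))):
        if addr.rsplit("@", 1)[1].lower() not in TRUSTED_DOMAINS:
            findings.append(f"unknown commenter: {addr}")
    # The sender and link both belong to a legitimate service, so match on
    # the exact hostname rather than on domain reputation.
    for url in URL_RE.findall(body):
        if (urlsplit(url).hostname or "").lower() in SCRIPT_HOSTS:
            findings.append(f"script-hosted link: {url}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Because the notification really does come from Google, sender authentication results will pass; the body is the only place the outside commenter and the redirect link show up.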

