Cloud Of Suspicion: Scaling Up Phishing Campaigns Using Google Apps Scripts

Presented at DeepSec 2017 „Science First!“, Unknown date/time (Unknown duration)

Google Apps Script is a JavaScript-based cloud scripting language that provides easy ways to automate tasks across Google products and third-party services and to build web applications. However, it also gives attackers relatively easy ways to automate infiltration, propagation, exfiltration and maintaining access in a compromised G Suite-powered organization. While the platform has already been used successfully for C&C (Carbanak), we feel that only scratched the surface as far as potential vectors go. In this talk we'll present original and innovative methods of launching classical attacks using Google Apps Script, as well as possible ways of detecting and preventing those attacks.

Presentation Outline

1. Scripts intro & background
   - Types of scripts
   - Capabilities & limitations
2. Infiltration examples
   - Standalone/URL: a direct script sent to a victim, using the Google domain as the trust vehicle
   - Bound scripts: scripts can be embedded in documents, much like Office macros, with similar capabilities
3. Exfiltration / communication examples
   - Auto-forward emails: bypass Google's forwarding limitation, forward the user's email to us, remove traces of the sent email
   - Post to external URL: post selected file contents via encoded headers to a remote drop location of our choice
   - Google Apps Script as C&C (Carbanak discussion?)
   ** DEMO ** Use Google Apps Script as self-executing JavaScript inside a Google Doc and send it to multiple users as a phishing campaign.
4. Propagation
   - "Google Docs" worm discussion: creating a "Google Docs" worm with Google Apps Script
5. Detecting and preventing malicious scripts
   - Whitelist / blacklist: permission-based, pre-defined
   - Script static analysis: enumeration based on script contents
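As an added example (not part of the talk or of any Proofpoint tooling), here is the kind of static-analysis pass that outline item 5 describes: it enumerates the Google services an Apps Script source file calls and flags capability combinations matching the infiltration, exfiltration and propagation patterns listed above. The service-to-capability table and the risk rules are this example's own assumptions, and the sample script is constructed for the demonstration.

```javascript
// Which Apps Script service a call belongs to, and what capability it implies.
// Mapping is an assumption for this example, not an official scope table.
const SERVICE_CAPABILITIES = {
  GmailApp:    "mail-access",       // read/search/forward mailbox content
  MailApp:     "mail-send",
  UrlFetchApp: "external-request",  // talk to arbitrary external URLs
  DriveApp:    "drive-access",
  DocumentApp: "document-access",
  ScriptApp:   "trigger-or-token",  // timed/event triggers, OAuth token access
  ContactsApp: "contacts-access",
};

// Capability combinations that mirror the outline's attack categories.
const RISK_RULES = [
  { needs: ["mail-access", "external-request"],  label: "mail exfiltration path" },
  { needs: ["drive-access", "external-request"], label: "file exfiltration path" },
  { needs: ["mail-access", "mail-send"],          label: "auto-forward / relay of mail" },
  { needs: ["contacts-access", "mail-send"],      label: "self-propagation via contacts" },
  { needs: ["trigger-or-token"],                  label: "persistence via trigger or token use" },
];

function analyzeScript(source) {
  // Strip block comments and line comments (keeping "://" in URLs) so that
  // commented-out calls are not counted. Naive, but adequate for review triage.
  const code = source
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|[^:])\/\/.*$/gm, "$1");
  const calls = new Set();
  const re = /\b([A-Z][A-Za-z]*App)\.([A-Za-z_]\w*)/g;
  let m;
  while ((m = re.exec(code)) !== null) calls.add(`${m[1]}.${m[2]}`);
  const capabilities = new Set();
  for (const call of calls) {
    const cap = SERVICE_CAPABILITIES[call.split(".")[0]];
    if (cap) capabilities.add(cap);
  }
  const findings = RISK_RULES
    .filter((r) => r.needs.every((c) => capabilities.has(c)))
    .map((r) => r.label);
  return { calls: [...calls].sort(), capabilities: [...capabilities].sort(), findings };
}

// Constructed sample of a document-bound script a reviewer might be handed.
const SAMPLE = `
function onOpen() {
  // enumerate recent mail, contact an outside host, and re-arm on a timer
  var threads = GmailApp.search("newer_than:7d");
  UrlFetchApp.fetch("https://example.invalid/drop");
  ScriptApp.newTrigger("onOpen").timeBased().everyHours(1).create();
  // DriveApp.getFiles(); // commented out, must not count
}`;
```

Running `analyzeScript(SAMPLE)` reports the mail exfiltration and persistence findings but not a file exfiltration path, because the DriveApp call is commented out.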

Presenters:

  • Maor Bin - Proofpoint
    Maor works as a research lead at Proofpoint, as part of the SaaS Protection product. We research customers' data in order to identify risks and threats in their cloud environment. We also research new and innovative attack vectors so that we are able to block them when they become active. Prior to that he worked as a mobile researcher and reverse engineer for several years.
