U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers Abuse Google Apps flaw to run phishing campaigns

A critical flaw affecting Google Apps for Work allows hackers to run malicious phishing campaigns by abusing any website’s domain name. A critical vulnerability affecting Google Apps for Work allows attackers to send phishing emails. The vulnerability in Google Apps for Work could be exploited to send emails by abusing any website’s domain name and run phishing campaign on the […]

Hackers Abuse Google Apps flaw to run phishing campaigns

A critical flaw affecting Google Apps for Work allows hackers to run malicious phishing campaigns by abusing any website’s domain name.

A critical vulnerability affecting Google Apps for Work allows attackers to send phishing emails. The vulnerability in Google Apps for Work could be exploited to send emails by abusing any website’s domain name and run phishing campaign on the victim’s behalf.

Google Apps for Work is a suite of collaborative productivity apps that was designed to offer businesses a collection of professional tools, including email, shared calendars, online document editing and storage, video meetings, and much more.

Every user that has a corporate email address, that appears like admin@yourdomain.com instead of myemail@gmail.com, can register an account with Google Apps for Work. To get a custom domain name based email service from Google, the user just needs to sign up like a normal Gmail account. Once created, the user can access his domain’s admin console panel on Google app interface, but he cannot be able to use any service until he will complete domain verification process adopted by Google.

The cyber security researchers Patrik Fehrenbach and Behrouz Sadeghipour discovered  that an attacker can register any unused (not previously registered with Google apps service) domain, example: mynewco.com with Google apps for Work to open the ‘admin@mynewco.com‘ account.

“Last month, we were able to report a vulnerability to Google where we were able to  email from any domain that has not been claimed by its owner previously. For example, using google itself as a victim, we were able to claim domains such as ytimg.com and gstatic.com.” states a blog post from published by the researchers.

The account could be used only after that Google has verified the domain though the “Verify domain ownership” process:

“Before your organization can use Google services like Gmail with your company’s domain, you’ll need to verify that you own it. This ensures that no one else can use services or send email that appears to come from your company.” states Google

The two researchers explained to the The Hacker News that there is a page on Google apps that allows domain administrator to send ‘Sign in Instructions’ to the company users i.e. info@mynewco.com (must be created from panel before proceeding) by simply accessing following URL:

https://admin.google.com/EmailLoginInstructions?userEmail=info@mynewco.com

By using the online email editor, an attacker could send any kind of phishing email containing malicious links to the target users. The technique could be effective to steal sensitive information including web service credentials.

In the example provided by the colleagues at TheHackerNews, before the vulnerability was fixed, the researchers obtained admin@vine.com and sent an email to the victim, reporting the following subject:

Welcome to Twitter, which can convince users into submitting their Twitter credentials to the given phishing pages.

Google Apps for Work hacking

 

After the duo reported the flaw in Google Apps for Work to Google, the company immediately patched it, anyway the experts explained that the fix is just partial. According to the two researchers, in fact, the attacker is still able to access ‘Send Sign in Instructions’ for unverified domains, but this time via apps-noreply@google.com, instead of the custom email address.

“However you can still claim any domain and have access to the admin console through out the “validation process” and that is by design.” continues the post.

This means that victims will receive email from apps-noreply, but evidently the measure is not satisfactory.

“Google believes that showing the sender as apps-noreply is good enough.”  Behrouz told The Hacker News,

Google Apps for Work hacking after patch

It’s clear that by abusing of this Google Apps vulnerability, phishers could send phishing emails avoiding Google detection because the mail is sent by the servers of the company.

Pierluigi Paganini

(Security Affairs –  Google Apps vulnerability, Google Apps for Work)