Scammers are exploiting a legitimate Google Drive feature to spread malware

The notifications themselves come from Google, lending some credibility to the attack

Cybercriminals are abusing a legitimate Google Drive feature to trick users into clicking malicious links, and ultimately install malware in their systems.

According to Wired, this phishing scam stems from Drive's collaboration feature, which millions of people use to create emails or push notifications inviting them to work together on documents. The feature also notifies users if they are mentioned or tagged in the document.

Researchers have found that scammers are exploiting this particular feature to send notifications to potential victims, asking them to collaborate on a document. These notifications then contain links to malicious websites.

Satnam Narang, Staff Research Engineer, Security Response at Tenable, said, "Users won't be able to access the document, but they will receive in-app notifications on Android or emails sent originating from Google itself, making it appear more legitimate to the end user.

"These notifications and emails will contain a shortened URL that redirects them to a variety of spam and scam sites. Because this is part of a legitimate feature within Google Drive, Google will have to determine how best to address this on the product side. For end users, one thing they could do is filter all emails sent from '[email protected]' to Trash until this issue is resolved."

In a similar attack, spammers were also seen sending emails, rather than a notification, with malicious links.

Hundreds of thousands of Google users have already been targeted by hackers. Many who received messages revealed that they had received notifications in Russian or broken English.

In one case, the scam notification linked to a Google Slides document created by a Gmail account with a Russian name. The edit history of the document revealed that it had been copied from another document and was being regularly edited, suggesting that cyber criminals were replicating the scam and adding more people to lure in new victims. The malicious document was later deleted by Google for violating the company's terms of service.

In another version of the scam, the malicious link took users to a website that was registered on 26th October and asked users to click on links to prize draws and other attractive deals.

One document also attempted to trick users to click on links to receive a payment.

What makes this campaign dangerous is that it is being run under Google's name. The malicious messages come from Google's own no-reply email address, making it almost impossible for naïve users to detect if it is a scam.

In a statement, a Google spokesperson said that the company was working to develop new security measures in Google Drive to detect spam.

David Emm, principal security researcher at cyber security firm Kaspersky, commented: "It's difficult for Google to do anything if the notification is coming from a legitimate account, which is, of course, easy to create".

"Avoid clicking on unsolicited links of any kind when sent from unknown sources. If you weren't expecting to receive it and don't know the sender, don't respond."