New Google Docs phishing campaign found targeting Windows, Android and MacOS users

• The phishing campaign appears to be the work of Russian-speaking cybercriminals, likely located in Ukraine.
• The phishing campaign used the terms Fortinet and FortiGuard as lures.

Cybercriminals have been spotted crafting clever phishing lures, using the names of well-known cybersecurity companies. One such phishing campaign was found targeting Windows, Android and MacOS users.

Earlier this year, it was discovered that Google Docs that contained an access policy based on a specific link could be indexed by search robots if they discovered these links. This eventually led to numerous organizations’ internal documents becoming public.

Malicious docs

According to security researchers at Fortinet who explored the matter, of the 168 Google search results they analyzed, which puport to contain sensitive details of global organizations, over 150 were created by cybercriminals. 750 additional malicious results contianed the keyword Fortinet.

“Fortinet’s situation is not unique. We learned that if we Googled the name of any major player in the cybersecurity market that we would stumble upon a hundred or more malicious documents,” Fortinet researchers said in a report. “That’s when we realized that we are dealing with a campaign that includes thousands of malicious documents that have been inserted all over Google Docs.”

The researchers discovered that many of these malicious documents were written either in English and Russian. Despite language differences, the documents contained a common structure - a big header, a random screenshot and a hyperlink.

“Another distinctive feature of this malicious campaign is that samples are compiled and signed “on the fly.” We compared the TimeStamp field inside the PE header of the samples and the actual time of the download. The difference between the two was not to exceed 5 minutes. Moreover, every sample is signed by the same valid digital signature at the moment it was downloaded,” Fortinet researchers added.

Attribution

The researchers believe that the cybercriminals behind this campaign are likely Russian-speaking hackers, located in Ukraine. The found links between the campaign and a cookie maker located near Lviv Ukraine.

“We analyzed many of the redirection chains used inside this malicious network, as well as downloaded several samples,” the researchers said. “We concluded that the current goal of this network is to abuse the partner programs of other applications. However, this objective can be easily changed at any moment.”