Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts



SLIDE 1

MAOR BIN NOVEMBER 2017

Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts

SLIDE 2

Overview Google Apps Scripts

SLIDE 3

Overview Google Apps Scripts

- A scripting language based on JavaScript that lets you automate actions with Google Apps Services
- Example of services that can be accessed via Google Apps Scripts:
  - Gmail app: Send email, read email, get attachments, etc.
  - Drive app: Create folder, create file, get file content, etc.
  - URL Fetch app: Access external API, etc.
- Type of scripts:
  - Standalone
  - Bound to G Suite documents
  - Web apps

SLIDE 4

Spreading Google Apps Scripts

Standalone / Bound to G Suite documents

Google file sharing

Web apps

Create a link and spread it in multiple channels

SLIDE 5

Data Exfiltration

Auto forward emails

Post to external URL

C & C

SLIDE 6

Data Exfiltration

SLIDE 7

Getting Malicious…

- Spreading Malware via Google Drive
- Google Docs Worm
- Abusing Google Apps Scripts

SLIDE 8

Google Docs Worm

SLIDE 9

Creating Google Docs Worm With Google Apps Scripts

SLIDE 10

Create A Phishing Cloud Macro DEMO

SLIDE 11

DOES IT SCALE?

SLIDE 12

Google Services Quotas

| Feature | Consumer (gmail.com) | Google Apps free edition (legacy) | G Suite | Early Access |
|---|---|---|---|---|
| Calendar events created | 5,000 / day | 10,000 / day | 10,000 / day | Flexible |
| Contacts created | 1,000 / day | 2,000 / day | 2,000 / day | Flexible |
| Documents created | 250 / day | 500 / day | 1,500 / day | Flexible |
| Email recipients per day | 100* / day | 100* / day | 1,500* / day | 1,500* / day |
| Email read/write (excluding send) | 20,000 / day | 40,000 / day | 50,000 / day | Flexible |
| Groups read | 2,000 / day | 5,000 / day | 10,000 / day | Flexible |
| JDBC connection | 10,000 / day | 10,000 / day | 50,000 / day | Flexible |
| JDBC failed connection | 100 / day | 100 / day | 500 / day | 500 / day |
| Properties read/write | 50,000 / day | 100,000 / day | 500,000 / day | Flexible |
| Spreadsheets created | 250 / day | 500 / day | 3,200 / day | Flexible |
| Triggers total runtime | 90 min / day | 3 hr / day | 6 hr / day | 6 hr / day |
| URL Fetch calls | 20,000 / day | 50,000 / day | 100,000 / day | Flexible |
| URL Fetch data received | 100MB / day | 100MB / day | 100MB / day | 100MB / day |

SLIDE 13

Limitations

| Feature | Consumer (gmail.com) | Google Apps free edition (legacy) | G Suite Basic/Business/Edu/Gov | Early Access |
|---|---|---|---|---|
| Script runtime | 6 min / execution | 6 min / execution | 6 min / execution | 30 min / execution |
| Custom function runtime | 30 sec / execution | 30 sec / execution | 30 sec / execution | 30 sec / execution |
| Email attachments | 250 / msg | 250 / msg | 250 / msg | 250 / msg |
| Email body size | 200kB / msg | 200kB / msg | 400kB / msg | 400kB / msg |
| Email recipients per message | 50 / msg | 50 / msg | 50 / msg | 50 / msg |
| Email total attachments size | 25MB / msg | 25MB / msg | 25MB / msg | 25MB / msg |
| Properties value size | 9kB / val | 9kB / val | 9kB / val | 9kB / val |
| Properties total storage | 500kB / property store | 500kB / property store | 500kB / property store | 500kB / property store |
| Triggers | 20 / user / script | 20 / user / script | 20 / user / script | 20 / user / script |
| URL Fetch headers | 100 / call | 100 / call | 100 / call | 100 / call |
| URL Fetch header size | 8kB / call | 8kB / call | 8kB / call | 8kB / call |
| URL Fetch POST size | 10MB / call | 10MB / call | 10MB / call | 10MB / call |
| URL Fetch URL length | 2kB / call | 2kB / call | 2kB / call | 2kB / call |

SLIDE 14

Mitigations

Self executing JavaScript

Endpoint security

3rd party app

Review script’s content

Review script’s scopes

Revoke if necessary

https://myaccount.google.com/permissions?pli=1

Consider CASB solutions
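
One way to carry out the "Review script's scopes" step, as an added example that is not from the talk: it reads the `oauthScopes` list of an Apps Script manifest (`appsscript.json`) and flags scope combinations that match the exfiltration and spreading channels on the earlier slides. The capability grouping, the finding names and the sample manifest are assumptions of this example.

```javascript
// Added example: scope review for an Apps Script manifest (appsscript.json).
// Scope-to-capability mapping follows the services and exfiltration channels
// named in the slides; the grouping and finding names are this example's own.
const SCOPE_CAPABILITIES = {
  "https://mail.google.com/": ["mail_read", "mail_send"],
  "https://www.googleapis.com/auth/gmail.readonly": ["mail_read"],
  "https://www.googleapis.com/auth/gmail.send": ["mail_send"],
  "https://www.googleapis.com/auth/script.send_mail": ["mail_send"],
  "https://www.googleapis.com/auth/drive": ["drive_read", "drive_share"],
  "https://www.googleapis.com/auth/drive.readonly": ["drive_read"],
  "https://www.googleapis.com/auth/documents": ["docs_edit"],
  "https://www.googleapis.com/auth/script.external_request": ["external_post"],
  "https://www.googleapis.com/auth/script.scriptapp": ["triggers"],
};

function reviewScopes(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const scopes = Array.isArray(manifest.oauthScopes) ? manifest.oauthScopes : [];
  const caps = new Set();
  const unknown = []; // scopes this table does not cover: review by hand
  for (const scope of scopes) {
    const mapped = SCOPE_CAPABILITIES[scope];
    if (mapped) mapped.forEach((c) => caps.add(c));
    else unknown.push(scope);
  }
  const reads = caps.has("mail_read") || caps.has("drive_read");
  const findings = [];
  if (reads && caps.has("external_post")) findings.push("data-to-external-url");
  if (caps.has("mail_read") && caps.has("mail_send")) findings.push("mail-forwarding");
  if (caps.has("mail_send") && (caps.has("drive_share") || caps.has("docs_edit")))
    findings.push("self-spreading-share");
  if (caps.has("triggers") && findings.length > 0) findings.push("runs-unattended");
  // No declared scopes: Apps Script derives them from code, so review the code.
  if (scopes.length === 0) findings.push("scopes-not-declared");
  return { capabilities: [...caps].sort(), findings, unknown };
}

// Constructed sample manifest for a document-bound script (not from the talk).
const SAMPLE_MANIFEST = JSON.stringify({
  timeZone: "Etc/UTC",
  oauthScopes: [
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/documents",
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/script.scriptapp",
  ],
});

console.log(reviewScopes(SAMPLE_MANIFEST));
```

A script that returns any finding is a candidate for the content review and, if unexplained, for revocation at the permissions page listed above.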

SLIDE 15

Questions?