Phishing Scams 3.0 abuses iCloud, PayPal, Google Docs & Co.

Sicherheit (Pexels, allgemeine Nutzung)[German]The fact that the names of well-known services or providers such as DHL, Fedex, banks, PayPal or online storage providers such as iCloud, Google Docks etc. are misused is nothing new. But security researchers from Avana (part of Check Point Technologies) are now warning about a new method called "Phishing Scam 3.0" to trick users. I have prepared the information that was made available to me.


Avanan's security researchers have come across a new scam and warn of new types of phishing attacks that misuse everyday services, such as iCloud, PayPal, Google Docs and Fedex, to send attacks on their behalf.

Phishing Scams 3.0 via Service Accounts

It is a new approach that cybercriminals are using for their phishing campaigns. Dubbed Phishing Scams 3.0, the method requires only a free account for hackers to penetrate people's inboxes. Over the past two months, February and March 2023, security researchers have observed a total of 33,817 email attacks with messages posing as legitimate, popular companies and services. The process is simple:

  1. The hackers create a free account, such as with Paypal.
  2. The hackers locate email addresses to send to.
  3. The hackers create a fake invoice that either pretends that the user is being billed for something or that a new feature is coming.
  4. The hackers send the email.

BEC Firm Impersonation Feb. - March 2023
Figure 1: Frequency of attacks by misused organization name

Jeremy Fuchs, spokesperson at Avanan, says of the evolution of phishing attacks, "Business Email Compromise (BEC) has evolved again. A traditional BEC attack depends on how well an influential person within an organization or a trusted partner can be impersonated. Later, attacks shifted to hijacking a user account belonging to an organization or a partner's organization, using it to infiltrate legitimate email traffic and respond as if it were the real employee. Now we are experiencing something new, as the attackers are using legitimate services to carry out their attack. In such scams, the victim receives an email from real companies and programs (e.g. PayPal, Google Docs or iCloud) that contains a link to a fraudulent website. Over the past two months, our researchers have observed a total of 33,817 such email attacks. We refer to this new type of cyber-attack as Phishing Scams 3.0 or BEC company impersonation. The important note is that these popular services have not become malicious, nor do they have a vulnerability. Instead, hackers use the familiar names of these services to get into inboxes. I strongly recommend that all users implement two-factor authentication and use email filters to protect against these types of attacks."

Examples of such campaigns

Avanan's security experts described some examples of how phishers operate in practice.


Example 1

Here, the hacker has added a comment to a Google Sheet. All the hacker needs to do is create a free Google account. Then he can create a Google document and mention the intended target in it. The recipient will receive an email notification.

Figure 2: Email notification from Google with malicious content, click to zoom

For the end user, this is a typical email, especially if they are using Google Workspace. Even if not using Google Workspace, the message makes it unsurprising, as many organizations use Google Workspace and Microsoft 365.

Example 2

Here is another example of a Phishing Scam 3.0 approach used this time Google Docs.

Figure 3: Email notification from Google with malicious content, click to zoom

The email comes from a legitimate sender, namely Google. The URL, which is a URL, is also legitimate at first glance. This is because this domain is legitimate.

However, those who click on the link will be directed to a fake cryptocurrency site. These fake websites work in different ways. They can be pure phishing sites to steal credentials, but there are also a variety of other ways, be it direct theft of money, or crypto-mining.

More examples

Security researchers have provided more mail examples, which I reproduce below.

PayPal Phishing Mail
Figure 4: Example of PayPal impersonation, click to zoom

SharePoint Phishing-Mail
Figure 5: SharePoint mockup example, click to zoom

SharePoint Phishing-Mail
Figure 6: Phishing link set on SharePoint, click to zoom

In all the recorded examples, the email address from which the email was sent looked completely legitimate, and the email address contained the correct domains, which makes it much more difficult to detect and identify for the average user who receives it. A similar situation applies to filters or systems used to block spam. More details can be read on the CheckPoint blog in the article Beware of Phishing Scams 3.0- The email you receive might not be from who you think it is.

Founded in 2015, Avanan offers patented inline email protection based on machine learning. Check Point Software Technologies Ltd. is a provider of cybersecurity solutions.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *