Don't click on this link: How to avoid the cloud credential scammers

Scam alert

When we think of cloud security, more often than not it is in terms of protecting our data in transit and at rest. Sometimes, though, it helps to broaden our view of the cloud security threatscape, because when we do, all sorts of risks sitting on the periphery come into view: risks such as those posed by cloud credential phishers.

Cloud what now? Well, everyone should be well aware of those cyber criminals who seek to con victims into visiting a 'clone bank site' in order to grab the login credentials of the user and then wipe their accounts of cash. Equally, most folk know about email document attachments, which actually execute a malware installation, often with a similar credential-scraping payload.

However, the more of us become aware of these techniques, the less effective they become. Their effectiveness is further hampered by improvements in online banking security, including the use of two-factor authentication. So the bad guys are looking for new routes to the same old credentials and new ways to get that malware installed. Which is where the cloud comes in.

It is no simple roll of the dice that both cloud-based email service logins and Outlook Web Access credentials are quickly becoming the target of choice for the criminal fraternity. And it's no coincidence that cloud-based documents are equally quickly becoming weaponised by these folk. Indeed, we are increasingly accustomed, in both our business and private lives, to receiving links to cloud-based documents and it is this familiarity that the criminals seek to exploit.

Researchers at Proofpoint recently studied techniques used that try to leverage the popularity of Google Apps use in the enterprise.

Where the credential criminals have got clever in this case, exploiting the cloud comfort factor, is that they don't use an email link to take the victim directly to a login page where they hope to scrape the data. Instead, clicking the link directs them to what appears to be a Google Docs shared document page of the type these users are very familiar with. It is a cloned page, and a very convincing one at that.

The only giveaway, and that's for the more clued-up and eagle-eyed of users, would be that the page is being delivered via HTTP rather than the HTTPS that the genuine article employs. If the victim doesn't spot this, they will hit the document download button, which takes them to another cloned page, this time the Google login.

The expected document is then displayed, a technique designed to buy time for the attacker to make use of the harvested credentials, as the victim is less likely to realise something is amiss this way.
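The flow described above has two tells a mail gateway or a browser extension can check before a user ever sees the cloned page: a "shared document" link served over plain HTTP, and a host that looks like Google Docs but is not Google's. The following is an added defender-side example, not code from the article or from Proofpoint; the trusted-host list, the hypothetical `assess_document_link` and `triage` functions and the sample links (all `.example` / `.net` placeholders, constructed for this illustration) are assumptions, and the test data is made up.

```python
from __future__ import annotations
from urllib.parse import urlparse

# Hosts that genuinely serve Google Docs / Drive shares (assumption for this example).
TRUSTED_DOC_HOSTS = {"docs.google.com", "drive.google.com"}

# Tokens a look-alike host tends to borrow to appear to be a Google share page.
LOOKALIKE_TOKENS = ("google", "docs", "drive")


def assess_document_link(href: str, display_text: str = "") -> list[str]:
    """Return warnings for a link that claims to be a shared cloud document.

    Mirrors the giveaways in the article: plain HTTP where the real service
    uses HTTPS, and a Google-looking page not served from Google's own hosts.
    Also flags link text that shows one address while the href goes to another.
    Returns an empty list when nothing looks wrong.
    """
    warnings: list[str] = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""  # urlparse already lower-cases the hostname

    # Tell 1: the genuine article is always HTTPS.
    if parsed.scheme != "https":
        warnings.append(f"not HTTPS (scheme={parsed.scheme or 'none'})")

    # Tell 2: a host that imitates Google Docs without being a Google host.
    if host not in TRUSTED_DOC_HOSTS and any(tok in host for tok in LOOKALIKE_TOKENS):
        warnings.append(f"Google-looking host not on trusted list: {host}")

    # Tell 3: anchor text shows a URL whose host differs from the real target.
    shown = display_text.strip().lower()
    if shown.startswith(("http://", "https://")):
        shown_host = urlparse(shown).hostname or ""
        if shown_host and shown_host != host:
            warnings.append(f"link text shows {shown_host} but href goes to {host}")

    return warnings


def triage(links: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Run the checks over (href, display_text) pairs; keep only flagged links."""
    flagged = {}
    for href, text in links:
        warnings = assess_document_link(href, text)
        if warnings:
            flagged[href] = warnings
    return flagged


# Constructed sample links, as they might be extracted from a message body.
SAMPLE_LINKS = [
    # A share from Google's own host over HTTPS: nothing to flag.
    ("https://docs.google.com/document/d/EXAMPLE-ID/edit", "Q3 budget.docx"),
    # The cloned share page from the article: plain HTTP on a look-alike host.
    ("http://docs-google-share.example/document/d/EXAMPLE-ID/view", "Q3 budget.docx"),
    # Anchor text shows a Google address, but the href goes elsewhere.
    ("https://drive.example.net/share/123", "https://drive.google.com/file/d/123"),
]

if __name__ == "__main__":
    for href, warnings in triage(SAMPLE_LINKS).items():
        print(href)
        for w in warnings:
            print("  -", w)
```

Each warning is deliberately a plain string so the function drops into an existing mail-filter rule or a SIEM enrichment step without further parsing; a real deployment would add the organisation's own allow-list and feed flagged links to a user-reporting workflow rather than blocking outright.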

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.