The arrival of consumer cloud storage was a boon for people who previously struggled to keep their data in one place. Cybercriminals have noticed the same convenience and are now using popular services such as Google Drive and Dropbox as the destination for data stolen from private computers. Rather than running dedicated drop servers, they get free storage for the stolen files, and because the traffic goes to a legitimate, widely used site, it blends in with normal activity and is harder for security vendors and analysts to block.
Trend Micro, a security vendor, uncovered a campaign that installs malware on victims' computers, collects PDF, DOC, XLS and similar files, and uploads them to a Google Drive account. Dropbox had been a popular drop location for attackers until security researchers publicised that abuse, which is one reason the choice of service keeps changing.
In changing tactics this way, cybercriminals are simply doing what everyone else is doing. The same economics that have pushed businesses to move their operations to the cloud mean attackers no longer need to maintain dedicated crime servers; they sign up for the same free storage as any other user.
The malware embeds a Google refresh token, a credential defined by the OAuth 2.0 protocol that Google uses for API access. It is the same authorisation protocol that lets you log in to a third-party site with a Twitter, Facebook or Google account. Access to a Google Drive account requires an access token, but access tokens expire after a short time; the refresh token is the long-lived credential that is exchanged for a new access token whenever the old one runs out, which is why it is the refresh token, and not an access token, that is baked into the binary. It is worth stressing that Google's own network is not under threat from this malware: it relies on a legitimately issued credential for an attacker-controlled account, so the abuse is of the service rather than a compromise of it.
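The exchange described above, written out as an added example in Go (not Trend Micro's analysis code and not the malware's own source). It models the credential handling: a long-lived refresh token is carried in the program, and a short-lived access token is requested from the token endpoint only when the cached one has expired. To run offline, a local httptest server stands in for Google's token endpoint; the client id, client secret and refresh token values are constructed, and the request and response fields follow RFC 6749 rather than any Google-specific extension. The wire shape is the useful part for a defender: a POST with `grant_type=refresh_token` in a form body, coming from a process that is not a browser.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// tokenResponse is the JSON body an OAuth 2.0 token endpoint returns (RFC 6749 section 5.1).
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"` // lifetime in seconds; Google typically issues 3600
}

// DriveClient models what the article describes: a refresh token carried in the binary,
// and a short-lived access token obtained from it on demand.
type DriveClient struct {
	TokenURL, ClientID, ClientSecret, RefreshToken string
	Now                                            func() time.Time // injectable clock so expiry can be tested
	accessToken                                    string
	expiry                                         time.Time
}

// refresh performs the refresh_token grant (RFC 6749 section 6) and caches the result.
func (c *DriveClient) refresh() error {
	form := url.Values{
		"grant_type":    {"refresh_token"},
		"refresh_token": {c.RefreshToken},
		"client_id":     {c.ClientID},
		"client_secret": {c.ClientSecret},
	}
	resp, err := http.Post(c.TokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return err
	}
	c.accessToken = tr.AccessToken
	c.expiry = c.Now().Add(time.Duration(tr.ExpiresIn) * time.Second)
	return nil
}

// AccessToken returns a usable bearer token, contacting the token endpoint only when the
// cached token is missing or expired. This is why an attacker embeds the refresh token:
// an access token alone would stop working within the hour.
func (c *DriveClient) AccessToken() (string, error) {
	if c.accessToken == "" || !c.Now().Before(c.expiry) {
		if err := c.refresh(); err != nil {
			return "", err
		}
	}
	return c.accessToken, nil
}

// NewFakeGoogle is a constructed stand-in for Google's token endpoint so the exchange runs
// offline. It issues access tokens at-1, at-2, ... for the one refresh token it knows,
// each valid for ttl seconds, and counts how many refreshes it served.
func NewFakeGoogle(knownRefresh string, ttl int) (*httptest.Server, *int) {
	refreshes := 0
	mux := http.NewServeMux()
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.FormValue("grant_type") != "refresh_token" ||
			r.FormValue("refresh_token") != knownRefresh {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		refreshes++
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tokenResponse{
			AccessToken: fmt.Sprintf("at-%d", refreshes), TokenType: "Bearer", ExpiresIn: ttl,
		})
	})
	return httptest.NewServer(mux), &refreshes
}

func main() {
	srv, refreshes := NewFakeGoogle("1//0g-constructed-refresh-token", 3600)
	defer srv.Close()
	c := &DriveClient{TokenURL: srv.URL + "/token", ClientID: "example-client-id",
		ClientSecret: "example-client-secret", RefreshToken: "1//0g-constructed-refresh-token",
		Now: time.Now}
	tok, err := c.AccessToken()
	fmt.Println(tok, err, *refreshes)
}
```

The same pattern applies to any provider that issues refresh tokens: if a refresh token is revoked from the account side, the next refresh fails with `invalid_grant` and the collector loses its drop location, which is the practical lever a responder has once the account is identified.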
The malware is written in Go (golang), the open-source language that Google developed, in the words of its designers, "…. to eliminate the slowness and clumsiness of software development at Google, and thereby to make the process more productive and scalable." Go has appeared in criminal tooling since at least 2012, when researchers first reported malware written in it.
It would also be wrong to assume that other storage services are safe from this kind of abuse, because attackers move from one provider to another to keep their operations running. Any free cloud service that exposes an upload API authenticated by a token can be used the same way; the weakness is not a flaw in a particular provider but the fact that an attacker-registered account looks like any other user's.
Looking For the Right Files
Once installed, the malware scans the computer for the following file types so that it can upload them to Google Drive:
It looks for them in locations that include the user's Documents folder and the Recycle Bin, since those are where personal documents tend to sit, including ones the user believes they have already deleted.
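The file-selection behaviour above, turned around into the detection a defender would want, as an added example in Go (not Trend Micro's code and not the malware's). It runs over a constructed excerpt of file-read telemetry of the kind an EDR or Sysmon-style sensor produces, and flags any process that reads many distinct document files from the two locations the article names within a short window. PDF, DOC and XLS are the types the article lists; the `.docx` and `.xlsx` variants, the process names, the paths and the timings are all assumptions made up for the sample.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
	"time"
)

// FileEvent is one file-read record of the kind an EDR or Sysmon-style sensor emits.
type FileEvent struct {
	Time    time.Time
	Process string
	Path    string
}

// Alert names a process that read at least threshold distinct document files from the
// harvest locations within window.
type Alert struct {
	Process string
	Count   int
	Start   time.Time
}

// documentExts: PDF, DOC and XLS are the types the article names; the Office 2007+
// variants are an assumption added here.
var documentExts = map[string]bool{".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true}

// normalise lower-cases a path and turns Windows separators into "/" so the same
// matching works whatever OS the detector itself runs on.
func normalise(p string) string {
	return strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
}

// isHarvestLocation matches the two places the article says the malware looks:
// the user's Documents folder and the Recycle Bin ($Recycle.Bin on Windows).
func isHarvestLocation(norm string) bool {
	return strings.Contains(norm, "/documents/") || strings.Contains(norm, "/$recycle.bin/")
}

// DetectBulkDocumentReads keeps, per process, the first read of each document file in a
// harvest location, then slides a time window over those reads and reports the process
// if any window holds threshold or more of them. One document opened in Word is normal;
// many distinct documents read in seconds is a collector at work.
func DetectBulkDocumentReads(events []FileEvent, window time.Duration, threshold int) []Alert {
	perProc := map[string][]FileEvent{}
	seen := map[string]bool{}
	for _, e := range events {
		norm := normalise(e.Path)
		if !documentExts[path.Ext(norm)] || !isHarvestLocation(norm) {
			continue
		}
		key := e.Process + "|" + norm
		if seen[key] {
			continue // re-reading the same file is not new collection
		}
		seen[key] = true
		perProc[e.Process] = append(perProc[e.Process], e)
	}
	var alerts []Alert
	for proc, evs := range perProc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		best, start, i := 0, time.Time{}, 0
		for j := range evs {
			for evs[j].Time.Sub(evs[i].Time) > window {
				i++
			}
			if n := j - i + 1; n > best {
				best, start = n, evs[i].Time
			}
		}
		if best >= threshold {
			alerts = append(alerts, Alert{Process: proc, Count: best, Start: start})
		}
	}
	sort.Slice(alerts, func(a, b int) bool { return alerts[a].Process < alerts[b].Process })
	return alerts
}

// SampleEvents is a constructed telemetry excerpt: ordinary application activity beside a
// process that sweeps Documents and the Recycle Bin in under a minute.
func SampleEvents() []FileEvent {
	t0 := time.Date(2014, 11, 1, 9, 0, 0, 0, time.UTC)
	at := func(s int) time.Time { return t0.Add(time.Duration(s) * time.Second) }
	return []FileEvent{
		{at(0), "winword.exe", `C:\Users\alice\Documents\letter.docx`},
		{at(3), "updater.exe", `C:\Users\alice\Documents\report.pdf`},
		{at(5), "updater.exe", `C:\Users\alice\Documents\budget.xls`},
		{at(12), "updater.exe", `C:\Users\alice\Documents\plan.docx`},
		{at(15), "updater.exe", `C:\Users\alice\Documents\notes.txt`},   // wrong type, ignored
		{at(18), "updater.exe", `C:\Users\alice\Downloads\invoice.pdf`}, // wrong place, ignored
		{at(20), "updater.exe", `C:\Users\alice\Documents\memo.doc`},
		{at(25), "updater.exe", `C:\Users\alice\Documents\cv.docx`},
		{at(31), "updater.exe", `C:\Users\alice\Documents\report.pdf`}, // duplicate, ignored
		{at(38), "updater.exe", `C:\$Recycle.Bin\S-1-5-21-1\$RABC123.pdf`},
		{at(600), "explorer.exe", `C:\Users\alice\Documents\budget.xls`},
	}
}

func main() {
	for _, a := range DetectBulkDocumentReads(SampleEvents(), 2*time.Minute, 5) {
		fmt.Printf("%s read %d documents starting %s\n", a.Process, a.Count, a.Start.Format(time.RFC3339))
	}
}
```

The threshold and window need tuning per environment (backup agents and indexers also read many documents quickly), so in practice the process name is checked against an allow-list of known bulk readers before the alert fires; the sample deliberately leaves that out so the core logic stays visible.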
Data Thieves of the Future
Security analysts who examined the malware believe it uploads only document-type files because that is the most efficient way to scout a target before launching a fuller attack: the documents reveal who the victim is and what they hold. The tactic resembles reconnaissance in warfare, where gathering intelligence on the opposition lets soldiers plan their attack and defence well in advance.
Attacks of this kind are part and parcel of life in the information age and can be expected to grow in number. Users of cloud storage should keep their systems and software updated to the latest available versions to reduce their exposure to malware whose only purpose is to steal data and misuse it. For defenders, the important caveat is that the exfiltration channel is a legitimate, encrypted API that normal users also rely on, so blocking the destination is rarely an option; what can be watched is which processes on a host talk to the token and upload endpoints, and how much they send.