Tibetans and pro-democracy activists in China are often the victims of cyberattacks, but a public campaign to educate people against blindly opening email attachments has been a big success. Unfortunately, as Motherboard reports, this has had the knock-on effect of forcing hackers to be a lot smarter with their subterfuge. Since would-be victims are wary of opening attachments, nefarious types have turned to Google Drive as a trojan horse with which to breach targeted systems.
The research was carried out by CitizenLab, the University of Toronto's research group that studies the intersection of human rights and digital communications. As it lays out in this blog post, the scam works like this: a hacker sets up an email address that's similar to a legitimate advocacy group, like the International Tibet Network. They even go so far as to include the mundanities of the ITN's postal address in the signature to ensure it looks legitimate.
Then, they'll send the victim a message pointing to a PowerPoint deck that, on the surface, appears to be useful information stored on Google Drive. In fact, the Lab believes that the documents are "repurposing material from legitimate presentations" to better dupe users. Since .PPS files aren't displayed properly on Google Drive, users are then tempted to download a file that otherwise appears genuine.
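The lookalike sender address is the first step of the chain described above, and it is also the cheapest one for a mail gateway or a mailbox rule to catch. The script below is an added example (not code from CitizenLab, Motherboard or the article) that compares a message's From: domain against an allow-list of organisation domains and flags near-misses such as an inserted hyphen or a digit swapped for a letter. The allow-list domains and the sample From: headers are constructed for illustration; no real organisation's domain is taken from the page.

```python
"""Flag lookalike sender domains in incoming mail.

Added example. KNOWN_DOMAINS and SAMPLE_FROM_HEADERS are constructed sample
data, not domains or messages from the CitizenLab report.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: domains of organisations whose mail we expect.
KNOWN_DOMAINS = {"tibetnetwork.example", "advocacy-group.example"}

# Constructed From: header values, as they might appear in a mailbox.
SAMPLE_FROM_HEADERS = [
    "International Tibet Network <info@tibetnetwork.example>",    # genuine
    "International Tibet Network <info@tibet-network.example>",   # hyphen added
    "International Tibet Network <info@tibetnetw0rk.example>",    # 0 for o
    "Weekly Digest <newsletter@unrelated.example>",               # unrelated
]

# Single-character swaps attackers use to make a domain look familiar.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Lower-case a domain and undo common homoglyph substitutions."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m")


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From: header value ('' if none)."""
    _, address = parseaddr(header_value)
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].lower()


def classify_sender(header_value: str, known=KNOWN_DOMAINS, threshold=0.8):
    """Return (verdict, domain, closest_known_domain).

    verdict is 'trusted' for an exact allow-list match, 'lookalike' when the
    domain collapses to a known one after homoglyph normalisation or sits
    within `threshold` similarity of one, and 'unknown' otherwise.
    """
    domain = sender_domain(header_value)
    if not domain:
        return ("unknown", domain, None)
    if domain in known:
        return ("trusted", domain, domain)

    best, best_ratio = None, 0.0
    for legit in known:
        # Exact match once digits-for-letters swaps are undone: clear lookalike.
        if normalize(domain) == normalize(legit):
            return ("lookalike", domain, legit)
        # Otherwise measure string similarity (hyphens, extra letters, etc.).
        ratio = SequenceMatcher(None, domain, legit).ratio()
        if ratio > best_ratio:
            best, best_ratio = legit, ratio
    if best_ratio >= threshold:
        return ("lookalike", domain, best)
    return ("unknown", domain, None)


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict, domain, closest = classify_sender(header)
        print(f"{verdict:9} {domain:28} closest={closest}")
```

Exact matches are trusted, anything that normalises to a known domain or scores above the similarity threshold is flagged as a lookalike, and the rest is left as unknown rather than silently trusted; tune `threshold` against your own allow-list, since very short domains produce high ratios by chance.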
Hidden inside the file is an exploit for CVE-2014-4114, a vulnerability found in all versions of Windows since Vista. Unfortunately, the Lab has found that the malicious file has a very low detection rate, so your antivirus system isn't going to catch it should you mistakenly download and open it.
CitizenLab can't speak with any authority as to who could possibly want to disrupt and attack Tibetan and pro-democracy activists in China, but we can probably all guess. The report does, however, point to an AlienVault study that suggests that the creator of the strain of malware used in the attacks works for a Chinese security firm. The piece concludes that this shift in tactics is concerning, since the methods are getting more sophisticated in the face of public education campaigns, but hey — at least it shows that the project is working.