All third party images are the property of their
Just pointing out how some innocent services
can be abused.
I am not responsible for anything.
Abusing AppScript for e-mail bombing
Data URI + Google Forms + TinyURL = Phishing Variant
Google Spreadsheet + DATA API = A Botnet
xBOT : A prototype Bot
7. Email Bombing: the old ways
Methods of e-bombing
Open Relay servers
PHP/ASP/JSP Mail Functions
Misconfigured Mail Sending features in Web Apps
Now blocked by services like Gmail, Live, Yahoo etc.
E-bombs will end up in SPAM folder.
12. Data URI
Data URI phishing was described by Henning Klevjer in his paper.
A data URI lets you include data inline in a web page via the URL itself.
13. DATA URI + Google Forms + Tiny URL = Beauty
Combining all of these gives a beautiful phishing attack.
A perfect addition to social engineering.
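For the defending side, a link or mail filter can decode data: URIs before they are rendered and flag those that carry a complete HTML form. The following is an added example, not code from the original slides; the function names, the reason strings and the sample link (including the host forms.example) are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 layout: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"^data:(?P<meta>[^,]*),(?P<data>.*)$", re.I | re.S)

def parse_data_uri(uri):
    """Return (media_type, payload_bytes), or None if uri is not a data: URI."""
    m = DATA_URI.match(uri.strip())
    if not m:
        return None
    parts = [p.strip().lower() for p in m.group("meta").split(";")]
    media_type = parts[0] or "text/plain"        # RFC 2397 default type
    data = unquote_to_bytes(m.group("data"))     # undo percent-encoding
    if "base64" in parts[1:]:
        data = re.sub(rb"\s+", b"", data)
        data += b"=" * (-len(data) % 4)          # tolerate stripped padding
        try:
            data = base64.b64decode(data)
        except ValueError:                       # malformed base64 payload
            data = b""
    return media_type, data

def inspect_link(uri):
    """Report why a link looks like a self-contained credential form."""
    parsed = parse_data_uri(uri)
    if parsed is None:
        return {"data_uri": False, "reasons": [], "form_targets": []}
    media_type, payload = parsed
    html = payload.decode("utf-8", "replace")
    reasons, targets = [], []
    if media_type in ("text/html", "application/xhtml+xml"):
        reasons.append("renders as HTML")
        if re.search(r"<form\b", html, re.I):
            reasons.append("contains a form")
            targets = re.findall(
                r"<form\b[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", html, re.I)
        if re.search(r"<input\b[^>]*type\s*=\s*[\"']?password", html, re.I):
            reasons.append("asks for a password")
    return {"data_uri": True, "media_type": media_type,
            "reasons": reasons, "form_targets": targets}

# Constructed sample link for testing the filter (not taken from the slides).
_SAMPLE_HTML = (b'<form action="https://forms.example/submit">'
                b'<input type="password" name="p"></form>')
SAMPLE = "data:text/html;base64," + base64.b64encode(_SAMPLE_HTML).decode()
```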
17. Channelizing Google SpreadSheet
Google SpreadSheet can store data online.
You can export the contents of the spreadsheet as
JSON, RSS and TSV
Read and write remotely
What else do you want?
18. Selecting the right URL format
20. What is xBOT?
xBOT is a PoC bot.
Uses Google Spreadsheet and Forms to implement
its communication channel.
Uses Google DATA API to extract the commands.
Uses a third-party server for file hosting.
21. xBOT Architecture
Command and Control
Every 4 Sec