Attackers Find New Way to Exploit Google Docs for Phishing

Researchers spotted what they describe as a new method that attackers appear to be using to lure victims to malicious phishing websites via Google Docs.

The attack chain begins with the threat actor sending potential victims an email—on a topic of likely interest or relevance to the victim—with a link to a document on Google Docs. Users who follow the link are directed to a Google Docs page with what appears to be a downloadable document, according to researchers at Avanan.

The page looks like a typical Google Docs page for sharing documents outside the organization. However, in reality it is a custom Web page that is designed to look like a Google Docs page, according to the researchers. When a user clicks on the link to download the document, they are redirected to a malicious phishing website that looks exactly like the sign-in page for Google Docs. Users who enter their username and password end up having their credentials stolen.

Gil Friedrich, CEO and Co-Founder of Avanan, says this is the first time his company has observed attackers abusing Google Docs in this manner. “This is the first time—to our knowledge—that we have seen Google Docs used to render an entirely attacker-crafted Web page,” Friedrich says.

The approach is very different than when an attacker might use a small company website to host malicious content. In those instances, an organization can simply block access to the site until the issue is resolved.

“You can’t block Google,” Friedrich says. “There’s no way to establish a static layer, and even if you wanted to block that specific link for that specific file, within ten seconds, the hackers would move to a new file,” because it costs them nothing to do so, he notes.

According to Avanan, the attack is straightforward to execute, with Google itself doing most of the work for the adversaries. To pull it off, all that an attacker has to do is develop a Web page that looks similar to a Google Docs sharing page and upload the file to Google Drive. Google scans the file and automatically renders it as a Web page.

The attacker then opens the rendered image in Google Docs, publishes it to the Web, and gets a link with embed tags that are meant for rendering custom content on Web forums. Attackers can insert the link in an email and send it to victims.

“There’s nothing Google can really do,” Friedrich says. “They created the feature of embedding the website for an easy way for people to share and embed rich content in HTML without being programmers,” he says.

One of the only ways around this would be to disable the feature entirely. Or Google could impose limitations on what can and cannot be published via the embed feature. However, even if Google were to take such a measure, hackers would likely find a way around the restrictions, Friedrich says.

Cloud Services Abuse

The Google Docs hack is only the latest example of attackers attempting to use trusted cloud services such as Google Docs, AWS, and Microsoft Azure to host and send malicious content. A recent study that Proofpoint conducted showed that as organizations increasingly adopt cloud collaboration tools and services, attackers have increasingly begun abusing these services as well. In 2020, for instance, attackers targeted thousands of Proofpoint customers with some 60 million malicious messages via Microsoft Office 365 and 90 million messages that were sent or hosted on Google cloud.

Proofpoint’s data shows that such attacks are only increasing in volume. In Q1 2021 alone, for instance, Proofpoint says it observed 7 million and 45 million malicious messages from Microsoft Office 365 and Google cloud infrastructure, respectively.

“Hackers don’t always need access to sophisticated tools sold on the Dark Web—they can use freely available tools to accomplish the same goals,” Friedrich says. Organizations should expect more such attacks since the price to carry them out is low and getting lower, he says.

Launching attacks from a trusted site is also safer for the attacker. With the Google Docs vector, since everything is hosted on Google’s end, attackers don’t even have to register domains that point to them, he says. “Enterprises need to prepare by investing in advanced email security tools and phishing training for their employees.”

This Week in Database Leaks: Cognyte, CVS, Wegmans

Billions of records were found exposed this week due to unprotected databases owned by major corporations and third-party providers.

Unsecured cloud-based databases continue to threaten corporate and consumer data, as indicated by a series of reports this week involving incidents at Cognyte, CVS, and Wegmans.

First to make headlines this week was Cognyte, a cybersecurity analytics company that left some 5 billion records exposed online and accessible without authentication. The data was part of Cognyte’s cyber-intelligence service, which alerts people to third-party data exposures and claims to have more than 1,000 government and enterprise customers across 100 countries.

“Ironically, the database used to cross-check that personal information with known breaches was itself exposed,” security firm Comparitech wrote in a blog post on the discovery made by Bob Diachenko, who leads its security research team and discovered the data on May 29. If someone’s information was in this database, they may be notified of an account compromise; if one of their passwords had been breached before, they would receive an alert to change it.

“The information included names, passwords, email addresses, and the original source of the leak,” said researchers of the exposed data, noting that not all breaches from which the data was sourced included passwords; however, they couldn’t determine an exact percentage that did. All of the data was stored on an Elasticsearch cluster.

This database was indexed by search engines on May 28; the day after, Diachenko found it and alerted Cognyte, which secured the data on June 2. It’s unknown if any other third parties accessed the information during the window when it was exposed, or for how long it was exposed prior to being indexed, researchers reported in their June 14 blog post.

A few days later, security researcher Jeremiah Fowler and the WebsitePlanet research team disclosed their discovery of a non-password-protected database holding more than 1 billion records connected to CVS Health, a corporation that also owns CVS Pharmacy, CVS Caremark, and Aetna.

Researchers sent a responsible disclosure notice to CVS Health, which revoked public access the same day. It also confirmed this dataset was managed by a contractor or vendor that operated on CVS Health’s behalf; however, details on the vendor were not disclosed.

The 204GB database contained aggregate and event data, including production records that exposed visitor ID, session ID, and device information — for example, whether site visitors used iPhone, iPad, or Android. Exposed files also gave “a clear understanding of configuration settings, where the data is stored, and a blueprint of how the logging service operates from the backend,” Fowler said in a writeup of the findings.

Exposed records also disclosed individuals’ search queries: “In this case these were search logs from everything that visitors searched for and contained references to both CVS Health and CVS.com,” Fowler wrote.

In his research, he saw multiple records that indicate people searched for medications, COVID vaccines, and other CVS products. They also contained email addresses, which CVS confirmed were not from customer account records but entered in the search bar by the individuals. Reviewing the mobile CVS site, he said it’s possible visitors believed they were logging in to their account but entering their email address into the search bar.

He noted he was able to identify some people by searching Google for their publicly exposed email address. “Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” Fowler wrote. That said, the visitor ID and session ID alone did not contain identifiable data; they could only identify a user with that person’s email address.

While tracking activity from websites and e-commerce platforms may provide valuable insight, it may also contain metadata or error logs that expose more-sensitive data. He recommended CVS block searches that match email address patterns or domain names from being executed or logged, which could help prevent unwanted data from being collected or stored.
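One way to implement Fowler's recommendation, as an added example that is not code from CVS, WebsitePlanet or the original article: queries that look like an email address or a domain name are neither executed nor logged, and a logging filter scrubs email-like strings from any other record (such as an error log) that reaches the same handler. The function names, the `[blocked:…]` markers, the short TLD list and the sample queries are all assumptions constructed for illustration.

```python
import logging
import re
from dataclasses import dataclass

# Pragmatic patterns, not full RFC validators: they target what a visitor
# plausibly types into a search box by mistake.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
DOMAIN_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+([A-Za-z]{2,24})\b")
# Assumption: a short illustrative list. A production filter would consult
# the Public Suffix List instead.
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "io", "co", "us", "uk"}


@dataclass(frozen=True)
class Decision:
    execute: bool    # forward the query to the search backend?
    log_value: str   # the only text allowed into the search log
    reason: str      # "ok", "email" or "domain"


def has_domain(query: str) -> bool:
    """True if any dotted token ends in a recognised top-level domain."""
    return any(m.group(1).lower() in COMMON_TLDS
               for m in DOMAIN_RE.finditer(query))


def screen_query(raw: str) -> Decision:
    """Decide whether a search query may be executed and what may be logged."""
    query = raw.strip()
    if EMAIL_RE.search(query):
        return Decision(False, "[blocked:email]", "email")
    if has_domain(query):
        return Decision(False, "[blocked:domain]", "domain")
    return Decision(True, query, "ok")


class RedactEmails(logging.Filter):
    """Second layer: scrub email-like strings from every record on a handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = EMAIL_RE.sub("[redacted-email]", record.getMessage())
        record.args = None  # message is already fully formatted
        return True


class ListHandler(logging.Handler):
    """Collects formatted messages in memory so the demo runs offline."""

    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(record.getMessage())


def handle_search(raw: str, session_id: str, log: logging.Logger) -> Decision:
    decision = screen_query(raw)
    # Only the screened value is logged, never the raw query.
    log.info("search session=%s q=%s", session_id, decision.log_value)
    return decision


# Constructed sample queries, not taken from any real log.
SAMPLE_QUERIES = [
    "covid vaccine appointment",
    "jane.doe@example.com",
    "  Jane.Doe@Example.com password reset",
    "example.org",
    "vitamin d3 2.5mg",
]


def demo() -> list:
    log = logging.getLogger("search-demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    handler = ListHandler()
    handler.addFilter(RedactEmails())
    log.handlers = [handler]
    for query in SAMPLE_QUERIES:
        handle_search(query, "s-0001", log)
    # An error path that bypasses screen_query is still scrubbed by the filter.
    log.error("backend timeout for q=%s", "jane.doe@example.com")
    return handler.lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The TLD allowlist trades recall for fewer false positives on product names that contain a dot; suffixes outside the list pass through unflagged.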

Closing out the week, grocery chain Wegmans disclosed two of its cloud databases, both of which are used for business purposes and meant to be kept internal, were accidentally left open to outside access “due to a previously undiscovered configuration issue,” officials said in a statement. The issue was confirmed around April 19 and corrected shortly after, they report.

The databases contained customer information including names, addresses, phone numbers, birth dates, Shoppers Club numbers, and email addresses and passwords used to access Wegmans.com accounts. Wegmans confirmed all passwords were hashed and salted, so the actual password characters were not in the databases.

A Consistent and Dangerous Problem
The risk of unprotected databases isn’t news to security teams. In fact, more and more of these occurrences have been making headlines in recent years. But why are they so common, even as organizations become aware of them?

“Cloud service providers provide a complex and highly configurable environment,” says PJ Norris, senior systems engineer at Tripwire, and businesses need to have the appropriately skilled staff to securely configure them. Those with multiple cloud providers — a growing trend — must have employees who understand major cloud providers are configured in different ways. Cloud configuration assessments are another key step that aren’t necessarily undertaken, he adds, advising businesses to conduct regular audits and reviews of public-facing environments.

These issues are often cases of simple misconfigurations that go undetected or aren’t addressed fast enough, says Eric Kedrosky, CISO and research director at Sonrai Security. Most companies that move data to the cloud lack the visibility they need to know when it’s at risk.

“There are often a lot of different teams involved in an organization’s cloud, and there are different levels of security knowledge,” he explains. When these issues are found, he says, they are often sent to the wrong places for remediation or not addressed quickly. Following the “shift left” methodology, these problems should be sent to the team that made the error.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

Accidental Insider Leaks Prove Major Source of Risk

Research reports highlight growing concerns around insider negligence that leads to data breaches.

While malicious insiders often make headlines, most enterprise data leaks are accidental — caused by end users who fail to follow corporate security policy or try to work around it.

The “2020 Cost of Insider Threats: Global Report” by Ponemon Institute found only 23% of insider incidents last year were caused by criminal or malicious insiders. Approximately 62% were caused by employee or contractor negligence. The remaining 14% came at the hands of credential thieves posing as insiders.

The unintentional insider threat is only expected to worsen. The recent “2021 Data Exposure Report” by Code42 found employees are 85% more likely to leak sensitive files now than they were before COVID-19. Since the start of the pandemic, 61% of IT security leaders say their remote workforce was the cause of a data breach.

Yet investment in this area does not keep pace. The Code42 research found more than half (54%) of IT security leaders spend less than 20% of their budget on insider risk, and 66% say their budget for insider risk is insufficient.

The Dark Reading Tech Insight “Detecting and Preventing Insider Data Leaks” examines the growing problem around unintentional insider data exposures and how security leaders are addressing the challenges around containing these risks.

Read the full report here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

11 Security Certifications to Seek Out This Summer

The more you know, the more you grow. The Edge takes a fresh look at leading security certifications that can help advance your security career.

(Image: Brownfalcon via Adobe Stock)

Are security certifications worth the money? Which ones are really needed to enter and advance in the field? If we had a dime for every time we’ve heard those questions …

As to the first question, yes, says Candy Alexander, CISO and security practice lead at NeuEon who also is on the board of the Information Systems Security Association (ISSA).  

“Certifications work,” she says. “I know people who are hiring managers and they will first hire people with certifications.”

Tom Eston, practice director for application security at Bishop Fox, and a hiring manager, agrees. If 100 resumes for an entry-level job come in and 25 of them have CompTIA’s Security+ certification, those 25 go into a group of people he will consider.

“For someone more junior, I like to know how passionate they are about learning,” he says. “I’ll ask them what they do in their off-time? Do they have a lab at home? What kind of drive and passion do they have for the field?”

What follows are short writeups of the leading certifications to give readers a sense of how best to allocate their time and money, especially since many companies tend not to pay for certifications as much today. And if you’re still feeling overwhelmed at the end, Alexander suggests seeking out a mentor who can help you sort out a path.  

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.

4 Habits of Highly Effective Security Operators

These good habits can make all the difference in advancing careers for cybersecurity operators who spend their days putting out fires large and small.

For many of us, a habit is all too often construed as an undesirable behavior that we are trying to disrupt. Smoking cigarettes, biting your fingernails, drinking too many Diet Cokes — these are the types of behaviors that often leap to mind when someone is asked to consider their own personal habits.

However, just as we are subject to habits we might find unhealthy, we can also promote those that engender greater productivity and efficiency. Through repetition, commitment, and a constant drive to learn and improve, we can intentionally stimulate constructive habits that can transform both our personal and professional lives. For cybersecurity operators who spend their days putting out fires large and small, these habits can make all the difference in advancing your career.

To get a better understanding of how we as cybersecurity professionals can cultivate and embed positive habits into our daily work lives, I recently sat down with two industry veterans who have put these habits into practice: SANS instructor Jorge Orchilles, CTO of SCYTHE and co-creator of the C2 Matrix project, and Evgeniy Kharam, VP, Cybersecurity Solution Architecture at Herjavec Group. From that conversation, I have compiled this top four list of good security habits.

Habit #1: Operationalize Existing Frameworks into Your Daily Routine
According to researchers at Duke University, habits account for about 40% of our behaviors on any given day. Though I would argue that number is considerably higher when it comes to the daily life of a cybersecurity professional. Perhaps the most challenging aspect is the simple fact that no day in the security operations center (SOC) is ever the same. 

With so much uncertainty present in our daily schedule, it becomes all the more imperative that we not only leverage existing frameworks and learn from others in the industry who are facing similar challenges but also operationalize these frameworks into our everyday routine. One resource that Jorge urges security operators to embrace is MITRE ATT&CK, the globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

As Jorge points out, “MITRE provides a common language that we can all understand and allows the cyber threat intelligence team to understand how adversaries work, share that information with incident responders and the security operations center.”

Habit #2: Leverage Internal Security Signals First
Anyone who has spent time in the enterprise trenches can relate to the saying, “Swimming in data, drowning in wisdom.” And modern security teams are no exception. Organizations have dozens of intelligence sources that feed their security operations center and this surfeit of data all too often leads to an inability to take decisive action.

As Jorge observes, “You have all this data already inside that we need to do a better job of leveraging and internal signals are a natural place to start.” Evgeniy also emphasizes the key role that internal data can play, adding that “there’s so much information available internally that security teams can use for threat intelligence — for instance, they can use the data from DNS and from their firewalls to better understand what’s happening inside the network.”

Habit #3: Cultivate a Proactive Threat Hunting Posture
The top performing cybersecurity teams understand they can’t just wait until they are under attack. Rather, they must dedicate a portion of their time to proactively hunting out new and evolving threats before an alert is sounded. 

In terms of developing solid threat hunting capabilities, Evgeniy and Jorge offer some tips based on their own experience. Says Evgeniy, “You need to allocate a set amount of time each day to do threat hunting. The idea of doing this activity on a continuous basis is what really makes it an effective habit.”

Jorge meanwhile suggests turning to books, such as the free Threat Hunter playbook developed by Roberto Rodriguez as a way to codify this practice into a daily habit. What are the top things most likely to attack you? See if you can create a playbook for that and go hunting. If you’re a SOC analyst, work with your manager and see if you can get at least an hour a day to do this, Jorge suggests.

Habit #4: Make Threat Intelligence Actionable
As we all know, there’s no shortage of threat intelligence to work with in the modern SOC. The real challenge for cybersecurity operators is learning how to prioritize the intelligence that matters most and making it actionable. Turning this into a habit requires a combination of machine automation and human supervision.

To facilitate this habit, Evgeniy underscores the importance of automation. “Humans are simply not capable of looking at so many different locations. We need tools to help automate and aggregate the information so we can correlate it across different areas and sources.”

Of course, what works for one individual or team might not work for you. The unifying theme is that by investing the time upfront to objectively deconstruct how you spend your time, you can cultivate smarter and more beneficial habits that will help you become both a more effective and valued member of your security team.

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real-time. Prior to LUMU, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as …

Get ready for the 2021 Google CTF

Posted by Kristoffer Janke, Information Security Engineer

Are you ready for no sleep, no chill and a lot of hacking? Our annual Google CTF is back!

The competition kicks off on Saturday July 17 00:00:01 AM UTC and runs through Sunday July 18 23:59:59 UTC. Teams can register at http://goo.gle/ctf.

Just like last year, the top 16 teams will qualify for our Hackceler8 speed run and the chance to take home a total of $30,301.70 in prize money.

As we reminisce on last year’s event, we’d be remiss if we didn’t recognize our 2020 winning teams:

  • Plaid Parliament of Pwning
  • I Use Bing
  • pasten
  • The Flat Network Society

We are eager to see if they can defend their leet status. For those interested, we have published all 2020 Hackceler8 videos for your viewing pleasure here.

Whether you’re a seasoned CTF player or just curious about cyber security and ethical hacking, we want you to join us. Sign up to learn skills, meet new friends in the security community and even watch the pros in action. For the latest announcements, see g.co/ctf, subscribe to our mailing list or follow us on @GoogleVRP. See you there!

P.S. Curious about last year’s Google CTF challenges? We open-sourced them here.

5 essential things to do before ransomware strikes

By failing to prepare you are preparing to fail – here’s what you can do today to minimize the impact of a potential ransomware attack in the future

While more concerted efforts from various anti-ransomware groups continue to bring pressure to bear on ransomware operators, successful attacks are still making the headlines. It’s not just large operators in the cross-hairs – ransomware gangs also go after municipalities and smaller businesses that may not have the wherewithal to defend against the attacks.

If your business is hit, or you want to be ready just in case, here are five things you can do now to weather the potential storm:

1. Have backups

Many companies hit by ransomware find that their backups are in poor shape, or missing key data. This was highlighted in the Colonial Pipeline attack, where they paid early in the attack fearing delays restoring data from backup. The irony was that after paying they found the decryption tool was so slow they restored from backups anyway, so it’s still unclear to what extent they really needed the decryptor.

In the heat of the moment though, you need to have high confidence in the solidity of your backups. If you do not have a backup strategy in place, our Backup Basics article can help to serve as a starting point for your home or business, as can our overview of the various types of backup and five mistakes to avoid while backing up your data.

2. Know how to restore your backups

For years I have had backups on various compute platforms, but it’s only after hardware failure and starting to restore files I have faith it will actually work. When it’s crash-cart time in the middle of an incident, it’s too late to find out all the fiddly missing bits slowing your backup restoration down.

I also try to have multiple copies with differing technologies. This way, if one of your technologies has issues in the future, you’re not stuck. Surprisingly, this has been one of the most effective time savers if I delete or overwrite files accidentally, but it also helps in disaster recovery. Hard drives are far cheaper than your critical data, so don’t be afraid to buy more.

3. Make sure your cloud backups work

While it’s convenient to back up to the cloud, it can also be painfully slow to restore, especially large volumes. If you’re missing a contact list – fine. But if you have to restore drive images across your enterprise you may find it terribly slow.

Also, cloud providers themselves have security issues and can get hit, potentially exposing your backups to scammers, so make sure they’re locked down. For super-sensitive data, some organizations never touch the cloud, just to protect the crown jewels against attacks. For this level of security, often the backup media isn’t connected to any network, it’s separated by an air gap and physically securely stored.

4. Be recovery ready

It can be daunting to try an organization-wide disaster recovery drill (though if you have – congratulations!). However, picking a specific random part of the org chart and staging a disaster recovery drill can be more doable. When you do, you are almost guaranteed to find things you should change. These are great finds when you’re not in the middle of an attack, so the pressure is off.

Also, these provide great news to the C-suite when they understand you’re learning through practice so you’re more prepared. Until a backup is restored, you have no idea whether it was successful or not. You can avoid these Schrödinger’s backups by periodically testing them with a restore, ideally to a different computer so you can verify your company’s valuable data is there. Remember that the best time to test a backup is before you need it due to an emergency.

5. Have a game plan

In our next part in this series, my colleague Tony Anscombe will survey the legalities if you pay, but meanwhile, you should have a playbook for what to do. For example, will you hire a negotiator, or do you have the team trained to deal with vetting the attackers’ claims? Decisions like this are hard to make well in the haste of an active attack, so a little preparation will go a long way.

Back to the question of paying. How does that all work? Tony will do a deep dive. But if you don’t have to pay, everyone will be much happier, and that’s something you can work on with your team today.

Data Breaches Surge in Food & Beverage, Other Industries

Six previously “under-attacked” vertical industries saw a surge in data breaches last year due to COVID-19 related disruptions and other factors, new data shows.

Though no industry is immune from cyberattacks, a few have traditionally been less affected by them than others. A new study shows that may no longer be the case.

An analysis that Kroll conducted of data breach notifications in 2020 showed a sharp increase in attacks against organizations in what it identified as six traditionally “under-attacked” industries: food and beverage, utilities, construction, entertainment, agriculture, and recreation.

Attacks against organizations across these industries jumped by an average of 545% compared to 2019. When Kroll broke the data down by industry, it found some sectors experienced significantly higher breach increases than others. For example, data-breach notifications in the food and beverage industry shot up 1,300% in 2020 while that within the construction sector increased 800%.

Kroll also observed a 400% jump in breach notifications within the utility sector including electric utility companies, water companies, and utilities infrastructure. Already, as of April 2021, the number of breaches in this sector has surpassed all of 2020 by 25%. Because Kroll’s report only considered incidents that led to breach notifications, it does not include incidents involving operation technology (OT) and industrial control system (ICS) environments.

At the other end of the spectrum, breach notifications in the entertainment industry showed a 33% increase over the previous year.

The increased number of breaches within the six industries—a pattern that has continued in the first quarter of 2021—came against the backdrop of an overall surge in the volume of data-breach notifications last year due to shifts in work environments caused by the global COVID-19 pandemic.

Kroll’s data showed a 140% increase in data breach notifications from 2019 to 2020 across all verticals. That number represented one of the highest year-over-year jumps in breach notifications that Kroll has observed, says Brian Lapidus, global practice leader for Kroll’s identity theft and breach notification practice.

Cybercriminals continued to hammer away at organizations in usually heavily targeted industries such as financial services, healthcare, and education. In volume, the raw number of breaches within each of these sectors continued to heavily outnumber breach disclosures in the six traditionally under-attacked sectors. For example, the average number of breaches within the most heavily attacked sectors in 2020 was 104, compared to an average of 12 breaches in the historically less-targeted sectors.

Even so, the increase in breaches within the food and beverage, utilities, construction, entertainment, agriculture, and recreation sectors showed that data breaches have become broader and deeper, Kroll said in its breach report this week. It’s a trend that organizations can expect will continue at least through the post-COVID-19 recovery period, Lapidus says.

“Based on the data in our findings, we expect the trend to continue for the rest of the year,” he says. “[But] as employees return to offices later in the year and in 2022, with more security systems and monitoring in place, the trend should reverse and with additional security spends, it should go down further.”

Multiple Driving Factors

Kroll’s study showed that the increased breach-notification volumes in sectors that were less prone to such incidents in the past were tied to four trends: the shift to remote work triggered by the pandemic; the growth of the ransomware industry; an increase in supply chain vulnerabilities; and stricter data privacy regulations.

Kroll, like numerous other vendors, found an increase in COVID-19 themed spear-phishing attacks targeting remote employees as well as more malicious activity targeting VPNs, Microsoft 365, and other platforms supporting remote workers. In sectors like food and beverage, many businesses increased direct-to-consumer digital transactions because of the pandemic, resulting in greater exposure to attacks targeting credit and debit card data.

Supply chain issues, such as leaky file transfer repositories, email platforms, and attacks on fundraising platforms were another factor. Lapidus says Kroll is unable to share specific examples of supply chain-related incidents that the company has handled. “We have seen a rise in the impact of all types of supply chain attacks,” he says. “Exploits against security vulnerabilities for these six industries have grown rapidly via cybercrime groups.”

Similarly, ransomware attacks have impacted organizations in the six sectors just like they have impacted entities in almost every other sector. A greater awareness of breach notification obligations under privacy regulations such as the California Consumer Privacy Act was the fourth factor that contributed to a higher number of breaches being disclosed in the six industries last year.

Lapidus says these latest vertical industry breach victims spent less on cybersecurity and had less mature security processes compared to more heavily targeted sectors such as financial services and healthcare. But the disruptions caused by the pandemic are driving change.

“We are seeing increased attention toward cybersecurity in these less traditionally targeted industries, which is a very positive trend,” he says.

The initial focus has been on employee awareness and security culture training, as well as on gaining better visibility across endpoints using EDR and MDR. There is also more attention being paid to tightening remote work infrastructures such as VPN and RDP.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Carnival Cruise Line Reports Security Breach

Cruise ship operator Carnival Corp. said this week it recently detected a breach of its systems and as a result, data belonging to customers and employees may have been exposed.

According to multiple news reports, Carnival detected the intrusion in March and alerted regulators. The company hired a cybersecurity firm to assist with the investigation.

Reports say personal information belonging to guests, employees, and crew for Carnival Cruise Line, Holland America Line, Princess Cruises and medical operations was affected. 

“There is evidence indicating a low likelihood of the data being misused,” the company said in an emailed statement reported by Reuters.

Customers have been contacted and Carnival has a call center set up for inquiries.

The cruise line was also the victim of a ransomware attack last year.

Details on the breach are available in a report here.