Researchers have discovered that threat actors are targeting users by leveraging Google's cloud infrastructure to infect them with malware. A chain of phishing campaigns leveraging Google Firebase storage URLs has been observed, tricking users into handing over their login credentials.

What’s happening?

  • In these campaigns, threat actors use the Google Cloud infrastructure service to conduct phishing by embedding Google Firebase storage URLs in phishing emails.
  • According to Trustwave, the phishing emails coax recipients into clicking on a Firebase link inside the email.
  • Once the targets click on the Firebase link, they land on a supposed login page and are required to enter their credentials, which are then shared with the cybercriminals.
  • The phishing campaigns have been observed targeting victims from several industries in Europe and Australia.
  • The lure themes include payment invoices, account verifications, email account upgrades, change-password emails, and much more.
  • As per the Trustwave analysis, hackers leverage the COVID-19 pandemic and internet banking lures to trick victims into clicking on the dummy vendor payment form, which leads to the phishing page hosted on Firebase Storage.

Points to note

  • Credential-capturing web pages hosted on Google Cloud services are more likely to make it through security protections such as Secure Email Gateways due to Google’s stature and large user base.
  • The use of cloud infrastructure is gaining popularity among cybercriminals because pages hosted on it are not easily flagged by security controls.
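
Because the hosting domain's reputation does not separate these lures from legitimate traffic, a mail-side check can look at what the link points to instead. The following is an added example, not code from Trustwave or from the original article; the Firebase Storage hostname, the URL layout and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, unquote

# Assumption: Firebase Storage links are served from this host (the page does not name it).
FIREBASE_STORAGE_HOST = "firebasestorage.googleapis.com"
PAGE_EXTENSIONS = (".html", ".htm")  # objects a browser renders as a web page
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_urls(raw_email):
    """Return every http(s) URL found in the text parts of a raw email."""
    urls = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        urls.extend(URL_RE.findall(payload.decode(charset, errors="replace")))
    return urls

def flag_firebase_pages(raw_email):
    """Return links that point at an HTML object in Firebase Storage."""
    hits = []
    for url in extract_urls(raw_email):
        parsed = urlparse(url)
        if (parsed.hostname or "").lower() != FIREBASE_STORAGE_HOST:
            continue
        # Object names are percent-encoded in the path (e.g. login%2Findex.html).
        if unquote(parsed.path).lower().endswith(PAGE_EXTENSIONS) and url not in hits:
            hits.append(url)
    return hits

# Constructed sample messages (not taken from the campaign).
LURE = (
    "From: accounts@vendor.example\nSubject: Payment invoice\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<a href="https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com'
    '/o/login%2Findex.html?alt=media&amp;token=PLACEHOLDER">View invoice</a>\n'
)
BENIGN = (
    "From: news@shop.example\nSubject: Newsletter\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<img src="https://firebasestorage.googleapis.com/v0/b/example-bucket.appspot.com'
    '/o/logo.png?alt=media"> <a href="https://shop.example/index.html">Shop</a>\n'
)

if __name__ == "__main__":
    print(flag_firebase_pages(LURE))
    print(flag_firebase_pages(BENIGN))
```

A hit is a triage signal for review or sandboxing rather than a verdict, since legitimate applications also serve files from Firebase Storage.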

Google has been on the radar

  • Earlier this year, an attack technique came to light which used homographic characters to spoof Google domain names as links to malicious websites.
  • In August 2019, a spearphishing campaign hit an energy service provider, impersonating the company’s CEO to send phishing emails that leveraged Google Drive.

Summing it up

Because of the large user base of Google cloud services, such phishing emails can often be overlooked by security teams. Educating users about these malicious practices helps them become vigilant against phishing emails.

Cyware Publisher