Threat actors abuse Google domains appspot.com and web.app in latest phishing attacks

• These campaigns make use of SSL certificates issued by Appspot.com and Web.app.
• The attackers have designed similar-looking login pages for the domains which are widely used in business.

After Microsoft Azure domains, threat actors are now eyeing on Google cloud domains to launch the latest phishing attacks. The affected domains are those that leverage Appspot.com and Web.app.

About domains

Appspot.com is a cloud computing platform used for developing and hosting web applications in Google-managed data centers. On the other hand, Web.app is a mobile platform used for building mobile apps hosted by Firebase.

How does the campaign work?

• According to the researchers from Zscaler ThreatLabZ, these campaigns make use of SSL certificates issued by Appspot.com and Web.app.
• The attackers have designed similar-looking login pages for the domains which are widely used in business.
• These fake-looking login pages include pages for Dropbox Business, Microsoft Outlook & SharePoint and DocuSign.
• The purpose of these pages is to capture login credentials which are later sent to a remote server controlled by attackers.

Evading detection

To evade detection, the attackers are leveraging most of the code written in an external JavaScript code.

“The attackers are using the latest tactics to evade detection from scan engines, with most of the code written in an external JavaScript file. This filename is 32 characters long and different for every site,” researchers noted.