Hackers Creating Chaos by Abusing Google’s Cloud Infrastructure

What’s happening?

• In these campaigns, threat actors utilize the Google Cloud infrastructure service to conduct phishing by attaching Google firebase storage URLs in phishing emails.
• According to Trustwave, the phishing emails coax recipients into clicking on a Firebase link inside the email.
• Once the targets click on the Firebase link, they land on a supposed login page and are required to enter their credentials, which are shared with the cybercriminals.
• The phishing campaigns are observed targeting victims from several industries in Europe and Australia.
• Most of the themes for the lures include payment invoices, account verifications, upgrading email accounts, change-password emails, and much more.
• As per the Trustwave analysis, hackers leverage the COVID-19 pandemic and internet banking lures to trick victims into clicking on the dummy vendor payment form, which leads to the phishing page hosted on Firebase Storage.

Points to note

• Credential-capturing web pages hosted on Google Cloud service are more likely to make it through security protections such as Secure Email Gateways due to Google’s stature and a large pool of users.
• The use of cloud infrastructure is gaining popularity among cybercriminals as they are not easily flagged by security controls.

Google has been on the radar

• Earlier this year, an attack technique came to light which used homographic characters to spoof Google domain names as links to malicious websites.
• In August 2019, a spearphishing campaign hit an energy service provider, impersonating the company’s CEO to send phishing emails that leveraged Google Drive.

Summarizing it up