Phishing Campaign Leverages Google to Harvest CredentialsResearchers: Emails Contain Google Links to Make Them Appear Credible
Some fraudsters waging phishing campaigns are using fake websites hosted on Google's Firebase Storage service in an attempt to harvest credentials, according to an analysis by the SpiderLabs security team at Trustwave.
The attackers embed Firebase Storage links in phishing emails to make them appear more credible, according to the Trustwave report. The links also help the phishing emails bypass security protections, says Karl Sigler, senior security research manager of SpiderLabs.
"Credential capturing webpages hosted on the [Firebase Storage] service are more likely to make it through security protections, like secure email gateways, due to the reputation of Google and the large base of valid users," Sigler tells Information Security Media Group.
So far, the phishing email campaigns using these tactics are limited to Europe and Australia, and they appear to be of the "pray and spray" variety and not targeted, Singler says.
The phishing campaigns, which started in February and have continued into May, have targeted a wide range of industries. The malicious messages leverage a number of themes, including paying invoices, upgrading email accounts and verifying accounts, according to the report.
The phishing emails that SpiderLabs discovered display links to Google Firebase, a smartphone and web app development platform created by the company. The platform also provides a service called Storage, which allows app providers and developers to store user content, such as pictures and videos, on the Google Cloud.
The phishing emails that contain a Firebase link offer to let victims view content stored in the cloud. If clicked, the victim is taken to a fake login domain for either Microsoft Office 365 or a banking application, according to the report.
One phishing email campaign claims that payments will be processed through internet banking due to COVID-19 and work-from-home orders, according to the report. The message urges the victim to click on the "vendor payment form," which takes them to a fake domain hosted in Firebase Storage, where usernames and passwords are harvested.
Other emails urge victims to click on a malicious link to upgrade their Outlook account, according to the SpiderLabs report. Researchers note that the messages have numerous imperfections, such as poor graphics and fonts.
One of the most recent phishing emails that appears to come from Bank of America states that the victims' account has been placed on temporary hold due to an incomplete review and instructs the recipient to click on a link to review their account, according to the report. Victims are then asked to enter personal details, including their online banking ID, password, full name and address. These are then collected and harvested by the fraudsters.
"Threat actors are finding smart and innovative ways to lure victims to covertly harvest their corporate credentials. Threat actors then use these credentials to get a foothold into an organization to further their malicious agendas," Fahim Abbasi, a Trustwave researcher, notes in the report.
Others Use Google, Too
Other fraudsters have used Google's services as part of phishing attacks as well.
In August 2019, researchers at security firm Cofense found a phishing campaign that used Google Drive to help bypass some email security features as the attackers attempted to target a company in the energy industry (see: Phishing Scheme Uses Google Drive to Avoid Security: Report).